How can I generate SBOM in sub-module and get an aggregated SBOM? Regression with makeAggregateBom since 2.7.4 - outputReactorProjects has no effect #403

Open
oli271078 opened this issue Sep 28, 2023 · 5 comments

Comments

oli271078 commented Sep 28, 2023

I have a multi-module Maven project for which I'd like to create an SBOM in each module and get an aggregated BOM in the root folder with cyclonedx-maven-plugin.

When I execute the following command:

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

I get an aggregated BOM in the root target folder and also a BOM inside each module. That's the expected behavior. In some cases, if needed, I set the property "outputReactorProjects" to false to only get the aggregated BOM in the root target folder.

Since 2.7.4, the property "outputReactorProjects" has no effect and I never get the BOM inside the modules if I use the "makeAggregateBom" goal, just as if the property were set to false ( https://cyclonedx.github.io/cyclonedx-maven-plugin/makeAggregateBom-mojo.html#outputReactorProjects )

According to the documentation we can still produce an aggregated BOM and a BOM inside each sub-module: "makeAggregateBom: creates an aggregate BOM at build root (with dependencies from the whole multi-modules build), and eventually a BOM for each module"

Case reproduced with Maven 3.8.5 and Maven 3.9.0, Plugin version 2.7.4, 2.7.5 and 2.7.9.

I have tried these commands :

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM and Sub-Modules

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

hboutemy (Contributor) commented Sep 29, 2023

sorry, too many commands at the end without clarity between actual vs expected result => I don't get what is working as expected and what is NOT working as expected

in a multi-module build, mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom is expected to create both aggregated in root and module only in each module

if you don't get the expected result, please show what you're getting in a simple-to-read way (focus only on 2.7.9, eventually show some output of the mvn command that displays what it is doing at CycloneDX level)

bed1984 commented Sep 29, 2023

Hi @hboutemy , thx for your answer.

Here is an example with the same command line in 2.7.2 and 2.7.9.

log_cyclonedx_2.7.2.txt
log_cyclonedx_2.7.9.txt

In both cases the aggregated BOM is fine, but with 2.7.9 there is no BOM inside the target folder of the modules "core" and "web", just as if the "-DoutputReactorProjects" parameter were set to false. This breaks our process.

hboutemy (Contributor) commented Oct 1, 2023

thank you @bed1984 for this output: now I see what was confusing me a lot = you're calling the goal from the CLI, not configuring it in your pom.xml
FYI, my usual usage is the exact opposite, and I always forget that CLI and pom.xml usage differ at maven level when it comes to aggregator goals (yes, it's hard each time we have that use case)

now I can summarise the different behaviour:

> mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom
...
[INFO] --------------< be.cyclonedx.test:cyclonedx-test-master >---------------
[INFO] Building cyclonedx-test-master 0.0.1-SNAPSHOT                      [4/3]
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- cyclonedx:2.7.2:makeAggregateBom (default-cli) @ cyclonedx-test-master ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion          : 1.4
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope    : true
[INFO] includeProvidedScope   : true
[INFO] includeRuntimeScope    : true
[INFO] includeTestScope       : false
[INFO] includeSystemScope     : true
[INFO] includeLicenseText     : false
[INFO] outputReactorProjects  : true
[INFO] outputFormat           : all
[INFO] outputName             : bom
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): C:\dev\prj\tests\core\target\bom.xml
[INFO] CycloneDX: Validating BOM (XML): C:\dev\prj\tests\core\target\bom.xml
[INFO] CycloneDX: Writing BOM (JSON): C:\dev\prj\tests\core\target\bom.json
[INFO] CycloneDX: Validating BOM (JSON): C:\dev\prj\tests\core\target\bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): C:\dev\prj\tests\web\target\bom.xml
[INFO] CycloneDX: Validating BOM (XML): C:\dev\prj\tests\web\target\bom.xml
[INFO] CycloneDX: Writing BOM (JSON): C:\dev\prj\tests\web\target\bom.json
[INFO] CycloneDX: Validating BOM (JSON): C:\dev\prj\tests\web\target\bom.json
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): C:\dev\prj\tests\target\bom.xml
[INFO] CycloneDX: Validating BOM (XML): C:\dev\prj\tests\target\bom.xml
[INFO] CycloneDX: Writing BOM (JSON): C:\dev\prj\tests\target\bom.json
[INFO] CycloneDX: Validating BOM (JSON): C:\dev\prj\tests\target\bom.json

with 2.7.2, the aggregator goal invoked from the CLI writes both the aggregated BOM and one for every project (at the end, not during each module build)

with 2.7.9, only the aggregated generation happens:

> mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom
...
[INFO] --------------< be.cyclonedx.test:cyclonedx-test-master >---------------
[INFO] Building cyclonedx-test-master 0.0.1-SNAPSHOT                      [4/3]
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- cyclonedx:2.7.9:makeAggregateBom (default-cli) @ cyclonedx-test-master ---
[INFO] CycloneDX: Resolving Aggregated Dependencies
[INFO] CycloneDX: Creating BOM version 1.4 with 7 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): C:\dev\prj\tests\target\bom.xml
[INFO]            attaching as cyclonedx-test-master-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): C:\dev\prj\tests\target\bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as cyclonedx-test-master-0.0.1-SNAPSHOT-cyclonedx.json

it rings a bell: I'll dig into the source updates I did: I remember having changed something (probably thinking of build-lifecycle-bound usage, but not CLI)

further analysis coming, please wait...

hboutemy (Contributor) commented Oct 1, 2023

I suppose this behaviour change has been introduced in cb36817

for your case, you'd have the expected result with:

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeBom org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputFormat=xml

(and of course, I'd propose even to have the plugin configured in your pom.xml)

bed1984 commented Oct 1, 2023

> I suppose this behaviour change has been introduced in cb36817
>
> for your case, you'd have the expected result with:
>
> mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeBom org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputFormat=xml
>
> (and of course, I'd propose even to have the plugin configured in your pom.xml)

Of course we could configure the plugin inside the pom.xml, but in our case the pom.xml files are not under our responsibility and we run the command line inside our CI process to ensure that we have a BOM for all released Maven modules.

I will try with the workaround 😉 ( calling the plugin twice )

Thx for your help. Have a nice day.
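The thread's CI requirement (a BOM for every released module) is easy to check mechanically once the makeBom + makeAggregateBom workaround has run. The script below is an added example, not code from the issue or from the cyclonedx-maven-plugin project; it assumes the root pom.xml lists each `<module>` on its own line and that `-DoutputFormat=xml` was used, so the file to look for is `target/bom.xml`; the `core`/`web` fixture it builds is constructed to mirror the layout in the logs above.

```shell
#!/bin/sh
# Added example, not from the issue or the cyclonedx-maven-plugin project. After the thread's
# workaround (makeBom followed by makeAggregateBom with -DoutputFormat=xml) has run, a CI step
# can verify that the root and every module declared in the root pom.xml produced target/bom.xml,
# so a regression like the 2.7.9 one fails the build instead of silently dropping module SBOMs.

# Print the module directories declared in a pom.xml, one per line.
# Assumption: each <module>...</module> element sits on a single line (Maven's usual formatting).
list_modules() {
  sed -n 's/.*<module>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/module>.*/\1/p' "$1"
}

# Count root and module directories lacking a non-empty target/bom.xml; print each missing path
# on stderr and the count on stdout.
count_missing_boms() {
  root="$1"
  missing=0
  for rel in "" $(list_modules "$root/pom.xml"); do
    bom="$root${rel:+/$rel}/target/bom.xml"
    if [ ! -s "$bom" ]; then
      echo "MISSING SBOM: $bom" >&2
      missing=$((missing + 1))
    fi
  done
  echo "$missing"
}

# Constructed fixture mimicking the 2.7.9 result reported in the thread: an aggregate BOM at the
# root, nothing in the core and web modules. Prints the fixture root directory.
make_fixture() {
  fx=$(mktemp -d)
  mkdir -p "$fx/core" "$fx/web" "$fx/target"
  cat > "$fx/pom.xml" <<'EOF'
<project>
  <modules>
    <module>core</module>
    <module>web</module>
  </modules>
</project>
EOF
  echo '<bom xmlns="http://cyclonedx.org/schema/bom/1.4"/>' > "$fx/target/bom.xml"
  echo "$fx"
}

# Stand-alone usage: sh check_boms.sh /path/to/project  (exits 1 when any BOM is missing)
if [ -n "${1:-}" ]; then
  n=$(count_missing_boms "$1")
  [ "$n" -eq 0 ] || { echo "$n project(s) without SBOM" >&2; exit 1; }
fi
```

Run it against the real reactor root after the Maven invocation; with the plain `makeAggregateBom` CLI call on 2.7.9 it reports the two module BOMs as missing, with the two-goal workaround it reports none.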
