When a dependency has some invalid transitive dependencies, it can make the entire process fail.
The example pom tries to download things from a defunct netbeans repo and fails generating a bom
(any good dependencies added won't end up in the bom.json/xml).
I would expect the plugin to emit a warning in such cases, not fail entirely.
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< our.group:our-artifact >-----------------------
[INFO] Building our-artifact 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- cyclonedx-maven-plugin:2.7.11:makeAggregateBom (default-cli) @ our-artifact ---
[INFO] CycloneDX: Resolving Dependencies
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10-b140310.1920 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10-b140802.1033 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.11 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/javax/xml/bind/jaxb-api/2.3.0-b161121.1438/jaxb-api-2.3.0-b161121.1438.pom
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/com/sun/istack/istack-commons-runtime/3.0.6/istack-commons-runtime-3.0.6.pom
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/com/sun/xml/fastinfoset/FastInfoset/1.2.14/FastInfoset-1.2.14.pom
[WARNING] An error occurred building dependency graph: Could not collect dependencies: our.group:our-artifact:pom:1
[INFO] CycloneDX: Creating BOM version 1.4 with 0 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): /c/Users/dev/git/crm/build/deploy/target/bom.xml
[INFO] attaching as our-artifact-1-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): /c/Users/dev/git/crm/build/deploy/target/bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO] attaching as our-artifact-1-cyclonedx.json
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.379 s
[INFO] Finished at: 2024-02-19T15:44:26+01:00
[INFO] ------------------------------------------------------------------------
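A CI-side guard for the situation in this report, where the log ends in BUILD SUCCESS but the BOM has 0 components. This is an added example, not part of the original issue or the plugin's code; the function name `sbom_problems`, the `min_components` threshold and the minimal bom.json content are assumptions made for illustration.

```python
import json
import re

# Log lines copied from the output in this issue.
SAMPLE_LOG = """\
[WARNING] An error occurred building dependency graph: Could not collect dependencies: our.group:our-artifact:pom:1
[INFO] CycloneDX: Creating BOM version 1.4 with 0 component(s)
[INFO] BUILD SUCCESS
"""

# Constructed minimal CycloneDX JSON standing in for target/bom.json (assumption:
# the real file carries more metadata; only the fields checked here matter).
SAMPLE_BOM = '{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}'

GRAPH_ERROR = re.compile(
    r"^\[WARNING\] An error occurred building dependency graph: (.+)$", re.M)
COMPONENT_COUNT = re.compile(
    r"CycloneDX: Creating BOM version \S+ with (\d+) component\(s\)")


def sbom_problems(bom_text, build_log="", min_components=1):
    """Return the reasons this SBOM should not be trusted (empty list = OK)."""
    try:
        bom = json.loads(bom_text)
    except json.JSONDecodeError as exc:
        return [f"bom is not valid JSON: {exc}"]
    problems = []
    if not isinstance(bom, dict) or bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
        bom = bom if isinstance(bom, dict) else {}
    components = bom.get("components") or []
    if len(components) < min_components:
        problems.append(f"bom lists {len(components)} component(s), "
                        f"expected at least {min_components}")
    # BUILD SUCCESS does not mean resolution worked: look for the warning itself.
    for match in GRAPH_ERROR.finditer(build_log):
        problems.append(f"dependency graph error: {match.group(1).strip()}")
    for match in COMPONENT_COUNT.finditer(build_log):
        if int(match.group(1)) < min_components:
            problems.append(f"plugin reported {match.group(1)} component(s)")
    return problems


if __name__ == "__main__":
    found = sbom_problems(SAMPLE_BOM, SAMPLE_LOG)
    for line in found:
        print("SBOM check failed:", line)
    raise SystemExit(1 if found else 0)
```

In a pipeline, pass the real `target/bom.json` contents and the captured Maven log, and fail the job on a non-empty result so an empty SBOM is not published or uploaded to a vulnerability scanner as if it were complete.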