
Make name of attached artifact configurable (and hence support multi-bom projects) #483

Closed
lfvjimisola opened this issue Apr 3, 2024 · 4 comments · Fixed by #506

Comments

@lfvjimisola

Due to compliance requirements we need to provide a runtime SBOM and a test SBOM and have them attached during install/deploy.

However,

By default, the BOM(s) will be attached as additional artifacts with the cyclonedx classifier and xml or json extension during a Maven install or deploy:

${project.artifactId}-${project.version}-cyclonedx.xml
${project.artifactId}-${project.version}-cyclonedx.json

which results in

[WARNING] artifact x:y:json:cyclonedx:0.8.15-SNAPSHOT already attached, replace previous instance

The name of the SBOM artifact needs to be configurable on a per-SBOM basis (it's currently hard-coded) within the <configuration> section, in addition to <outputName>.

@mjaix commented May 8, 2024

For this and other use cases - would it be possible to support the configuration settings also as command line options?

@hboutemy (Contributor)

oh, both separate test and runtime SBOM requirements: it seems we now have a use case for #433

@lfvjimisola in that case, what would you configure for the 2 runs, so we can share a complete example?

@lfvjimisola (Author)

> oh, both separate test and runtime SBOM requirements: it seems we now have a use case for #433
>
> @lfvjimisola in that case, what would you configure for the 2 runs, so we can share a complete example?

That's great news. Of course, my team member @lfvJonas will provide one here today.

@lfvJonas

This is the configuration we have.

```xml
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.7.10</version>
  <executions>
    <!-- Runtime SBOM: default scopes, early in the lifecycle -->
    <execution>
      <id>runtime-sbom</id>
      <phase>generate-resources</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
      <configuration>
        <outputFormat>json</outputFormat>
        <outputName>classes/bom</outputName>
      </configuration>
    </execution>
    <!-- Test SBOM: test scope only, generated at package time -->
    <execution>
      <id>test-sbom</id>
      <phase>package</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
      <configuration>
        <includeCompileScope>false</includeCompileScope>
        <includeProvidedScope>false</includeProvidedScope>
        <includeRuntimeScope>false</includeRuntimeScope>
        <includeSystemScope>false</includeSystemScope>
        <includeTestScope>true</includeTestScope>
        <outputName>cyclonedx/test-bom</outputName>
        <outputFormat>json</outputFormat>
      </configuration>
    </execution>
  </executions>
</plugin>
```
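The collision described in the opening post, replayed on the two executions above, as an added example (not code from this issue or from cyclonedx-maven-plugin). It models how Maven keys attached artifacts so the reason for the "already attached, replace previous instance" warning is visible: the identity is groupId:artifactId:type:classifier:version, and <outputName> is not part of it. The coordinates x:y:0.8.15-SNAPSHOT are the placeholders from the quoted warning; treating the classifier as a per-execution value is an assumption used to show what the requested fix would change, not a documented parameter of plugin version 2.7.10.

```python
"""Added example, not code from the issue or from cyclonedx-maven-plugin.

It models how Maven keys attached artifacts, to show why two executions
that differ only in <outputName> collide at install/deploy and why the
later one silently replaces the earlier one. The coordinates x:y:0.8.15-SNAPSHOT
are the placeholders from the warning quoted in the issue; a per-execution
"classifier" value is an assumption used to show the requested fix, not a
documented parameter of plugin version 2.7.10.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Execution:
    exec_id: str
    output_name: str                # <outputName>: only changes the file written under target/
    output_format: str              # <outputFormat>: becomes the attached artifact's type/extension
    classifier: str = "cyclonedx"   # hard-coded by the plugin; assumed configurable here


def attachment_key(group_id: str, artifact_id: str, version: str, ex: Execution) -> str:
    """Maven identifies an attached artifact by groupId:artifactId:type:classifier:version.
    The file name picked via outputName is not part of that identity."""
    return f"{group_id}:{artifact_id}:{ex.output_format}:{ex.classifier}:{version}"


def installed_file_name(artifact_id: str, version: str, ex: Execution) -> str:
    """Name under which the attached BOM lands in the repository:
    ${artifactId}-${version}-${classifier}.${extension}."""
    return f"{artifact_id}-{version}-{ex.classifier}.{ex.output_format}"


def plan_attachments(group_id: str, artifact_id: str, version: str,
                     executions: List[Execution]) -> Tuple[Dict[str, Execution], List[str]]:
    """Replay the attachments in execution order. A repeated key overwrites the
    earlier execution, which is what Maven reports as
    '[WARNING] artifact <key> already attached, replace previous instance'."""
    attached: Dict[str, Execution] = {}
    warnings: List[str] = []
    for ex in executions:
        key = attachment_key(group_id, artifact_id, version, ex)
        if key in attached:
            warnings.append(
                f"[WARNING] artifact {key} already attached, replace previous instance "
                f"(execution '{attached[key].exec_id}' replaced by '{ex.exec_id}')")
        attached[key] = ex
    return attached, warnings


GROUP, ARTIFACT, VERSION = "x", "y", "0.8.15-SNAPSHOT"  # placeholders from the quoted warning

# The two executions from the thread, in lifecycle order (generate-resources, then package).
# Both produce type "json" with the hard-coded "cyclonedx" classifier.
AS_CONFIGURED = [
    Execution("runtime-sbom", "classes/bom", "json"),
    Execution("test-sbom", "cyclonedx/test-bom", "json"),
]

# Hypothetical fix once the classifier is configurable per execution (assumed, not a 2.7.10 option).
WITH_CLASSIFIERS = [
    Execution("runtime-sbom", "classes/bom", "json", classifier="cyclonedx"),
    Execution("test-sbom", "cyclonedx/test-bom", "json", classifier="cyclonedx-test"),
]

if __name__ == "__main__":
    for label, execs in (("as configured", AS_CONFIGURED), ("distinct classifiers", WITH_CLASSIFIERS)):
        attached, warnings = plan_attachments(GROUP, ARTIFACT, VERSION, execs)
        print(f"== {label} ==")
        for key, ex in attached.items():
            print(f"  {key} -> {installed_file_name(ARTIFACT, VERSION, ex)} (from {ex.exec_id})")
        for w in warnings:
            print("  " + w)
```

Replaying the thread's configuration shows the practical consequence: the test-sbom execution runs in package, after generate-resources, so the single y-0.8.15-SNAPSHOT-cyclonedx.json that reaches the repository is the test BOM. Anyone matching that artifact against vulnerability feeds would be looking at test dependencies rather than the runtime set, which is the opposite of what the compliance requirement needs. With distinct classifiers both keys survive and no warning is emitted.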

hboutemy linked a pull request May 30, 2024 that will close this issue