How can I generate SBOM in sub-module and get an aggregated SBOM? Regression with makeAggregateBom since 2.7.4 - outputReactorProjects has no effect

[oli271078]

I have a multi module maven project which I'd like to create an SBOM on each module and get an Aggregated BOM on the root-folder with cyclonedx-maven-plugin.

When I execute the following command :

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

I have an Aggregated BOM on the root target folder and also BOM inside each module. That's the expected behavior. In some case, if it's needed, I put the property "outputReactorProjects" to false to only get the aggregated bom on the root target folder.

Since 2.7.4, the property "outputReactorProjects" has no effect and I never get the BOM inside the module if I use the "makeAggregateBom" goal. Just like if the property is set to false ( https://cyclonedx.github.io/cyclonedx-maven-plugin/makeAggregateBom-mojo.html#outputReactorProjects )

Following documenation we can still produced an Aggregated BOM and a BOM inside the sub-module : "makeAggregateBom: creates an aggregate BOM at build root (with dependencies from the whole multi-modules build), and eventually a BOM for each module"

Case reproduced with Maven 3.8.5 and Maven 3.9.0, Plugin version 2.7.4, 2.7.5 and 2.7.9.

I have tried these commands :

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM and Sub-Modules

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputReactorProjects=true -DoutputFormat=xml -B

---> Root SBOM only

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputReactorProjects=false -DoutputFormat=xml -B

[hboutemy]

sorry, too many commands at the end without clarity between actual vs expected result => I don't get what is working as expected and what is NOT working as expected

in a multi-module build, mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom is expected to create both aggregated in root and module only in each module

if you don't get expected result, please show what you're getting in a simple to read way (focus only on 2.7.9, eventually show some output of the mvn command that displays what it is doing at CycloneDX level)

[bed1984]

Hi @hboutemy , thx for your answer.

Here an example with the same command-line in 2.7.2 and 2.7.9.

log_cyclonedx_2.7.2.txt
log_cyclonedx_2.7.9.txt

In both cases aggregated BOM is fine but in the 2.7.9, there is no BOM inside target folder of the module "core" and "web". Just like if the " -DoutputReactorProjects " parameter is set to false. This break our process.

[hboutemy]

thank you @bed1984 for these output: now I see what was confusing me a lot = you're calling the goal from CLI, not configured in your pom.xml
FYI, my usual usage is the exact opposite, and I always forget that CLI and pom.xml usage differ at maven level when it comes to aggregator goals (yes, it's hard each time we have that use case)

now I can summarise the different behaviour:

> mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom
...
[INFO] --------------< be.cyclonedx.test:cyclonedx-test-master >---------------
[INFO] Building cyclonedx-test-master 0.0.1-SNAPSHOT                      [4/3]
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- cyclonedx:2.7.2:makeAggregateBom (default-cli) @ cyclonedx-test-master ---
[INFO] CycloneDX: Parameters
[INFO] ------------------------------------------------------------------------
[INFO] schemaVersion          : 1.4
[INFO] includeBomSerialNumber : true
[INFO] includeCompileScope    : true
[INFO] includeProvidedScope   : true
[INFO] includeRuntimeScope    : true
[INFO] includeTestScope       : false
[INFO] includeSystemScope     : true
[INFO] includeLicenseText     : false
[INFO] outputReactorProjects  : true
[INFO] outputFormat           : all
[INFO] outputName             : bom
[INFO] ------------------------------------------------------------------------
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): C:\dev\prj\tests\core\target\bom.xml
[INFO] CycloneDX: Validating BOM (XML): C:\dev\prj\tests\core\target\bom.xml
[INFO] CycloneDX: Writing BOM (JSON): C:\dev\prj\tests\core\target\bom.json
[INFO] CycloneDX: Validating BOM (JSON): C:\dev\prj\tests\core\target\bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): C:\dev\prj\tests\web\target\bom.xml
[INFO] CycloneDX: Validating BOM (XML): C:\dev\prj\tests\web\target\bom.xml
[INFO] CycloneDX: Writing BOM (JSON): C:\dev\prj\tests\web\target\bom.json
[INFO] CycloneDX: Validating BOM (JSON): C:\dev\prj\tests\web\target\bom.json
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): C:\dev\prj\tests\target\bom.xml
[INFO] CycloneDX: Validating BOM (XML): C:\dev\prj\tests\target\bom.xml
[INFO] CycloneDX: Writing BOM (JSON): C:\dev\prj\tests\target\bom.json
[INFO] CycloneDX: Validating BOM (JSON): C:\dev\prj\tests\target\bom.json

with 2.7.2, the aggregator goal invoked by CLI write both aggregated and every project (at the end, not during each module build)

with 2.7.9, only the aggregated generation happens:

> mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom
...
[INFO] --------------< be.cyclonedx.test:cyclonedx-test-master >---------------
[INFO] Building cyclonedx-test-master 0.0.1-SNAPSHOT                      [4/3]
[INFO]   from pom.xml
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- cyclonedx:2.7.9:makeAggregateBom (default-cli) @ cyclonedx-test-master ---
[INFO] CycloneDX: Resolving Aggregated Dependencies
[INFO] CycloneDX: Creating BOM version 1.4 with 7 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): C:\dev\prj\tests\target\bom.xml
[INFO]            attaching as cyclonedx-test-master-0.0.1-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): C:\dev\prj\tests\target\bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as cyclonedx-test-master-0.0.1-SNAPSHOT-cyclonedx.json

it rings a bell to me: I'll dig into source updates I did: I remember having changed something (probably thinking build lifecycle bound usage, but not CLI)

further analysis coming, please wait...

[hboutemy]

I suppose this behaviour change has been introduced in cb36817

for your case, you'd have expected result with:

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeBom org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputFormat=xml

(and of course, I'd propose even to have the plugin configured in your pom.xml)

[bed1984]

I suppose this behaviour change has been introduced in cb36817

for your case, you'd have expected result with:

mvn clean install org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeBom org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom -DoutputFormat=xml

(and of course, I'd propose even to have the plugin configured in your pom.xml)

Of course we could configured the plugin inside the pom.xml but in our case the pom.xml are not under our responsibilities and we run the command line inside our CI process to ensure that we have a bom for all released maven module.

I will try with the workaround 😉 ( calling the plugin twice )

Thx for your help. Have a nice day.