External References

Components described in SBOMs generated by the CycloneDX Maven Plugin contain a few fields and external references that are extracted from Maven effective POMs:

  • from the pom.xml currently being built (with inheritance) for the SBOM's metadata.component, i.e. the component that the BOM describes,
  • from the Maven dependencies for the SBOM's components.

SBOM Fields extracted from POM

Three SBOM fields are derived from the effective POM (i.e. after POM inheritance from parents):

  • component.publisher is filled with the POM's project.organization.name,
  • component.description is filled with the POM's project.description,
  • component.licenses[] is filled with the POM's project.licenses[].

External References extracted from POM

  POM field                                       External Reference type
  ----------------------------------------------  -----------------------
  project.url                                     website
  project.scm.url                                 vcs
  project.ciManagement.url                        build-system
  project.issueManagement.url                     issue-tracker
  project.mailingLists[].archive (or subscribe)   mailing-list
  project.distributionManagement.repository.url   distribution

Additional External References for metadata.component

You can add more external references to the component that the BOM describes through the plugin configuration:

<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <configuration>
    <externalReferences>
      <externalReference>
        <type>... external-reference-type ...</type>
        <url>... value ...</url>
        <comment>(optional) comment</comment>
      </externalReference>
    </externalReferences>
  </configuration>
</plugin>

See valid CycloneDX external reference types.
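The mapping described above (the three POM-derived fields, the external reference table, and the extra references from plugin configuration) as an added, stand-alone illustration in Python; this is not the plugin's own code, the POM below is a constructed sample, and the script assumes it is already given an effective (fully inherited) POM.

```python
# Added illustration, not the plugin's own code: derive the CycloneDX
# metadata.component fields and external references from an effective POM.
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# POM path -> CycloneDX external reference type, as in the table above.
REF_TYPES = [
    ("m:url", "website"),
    ("m:scm/m:url", "vcs"),
    ("m:ciManagement/m:url", "build-system"),
    ("m:issueManagement/m:url", "issue-tracker"),
    ("m:distributionManagement/m:repository/m:url", "distribution"),
]

def text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None

def component_from_pom(pom_xml, extra_refs=()):
    """Build a metadata.component-like dict; extra_refs plays the role of the
    <externalReferences> plugin configuration (type, url, optional comment)."""
    root = ET.fromstring(pom_xml)
    refs = [{"type": t, "url": text(root, p)} for p, t in REF_TYPES if text(root, p)]
    # Mailing lists: the archive URL is used, the subscribe address is the fallback.
    for ml in root.findall("m:mailingLists/m:mailingList", NS):
        url = text(ml, "m:archive") or text(ml, "m:subscribe")
        if url:
            refs.append({"type": "mailing-list", "url": url})
    refs.extend(dict(r) for r in extra_refs)
    comp = {
        "publisher": text(root, "m:organization/m:name"),
        "description": text(root, "m:description"),
        "licenses": [{"license": {"name": text(lic, "m:name")}}
                     for lic in root.findall("m:licenses/m:license", NS)],
        "externalReferences": refs,
    }
    # Fields absent from the POM are left out of the component entirely.
    return {k: v for k, v in comp.items() if v}

# Constructed sample effective POM (no parent inheritance left to resolve).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <organization><name>Example Org</name></organization>
  <description>Sample library</description>
  <url>https://example.org/lib</url>
  <licenses><license><name>Apache-2.0</name></license></licenses>
  <scm><url>https://example.org/scm/lib</url></scm>
  <mailingLists><mailingList><subscribe>dev-subscribe@example.org</subscribe></mailingList></mailingLists>
</project>"""
```

Running `component_from_pom(SAMPLE_POM)` yields website, vcs and mailing-list references only, since the sample POM has no issue tracker, CI or distribution URL; passing `extra_refs` appends the configured references unchanged.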