cyclonedx:makeAggregateBom

Full name:

org.cyclonedx:cyclonedx-maven-plugin:2.9.1:makeAggregateBom

Description:

Creates a CycloneDX aggregate BOM at the build root (with dependencies from the whole multi-module build) and, optionally, a BOM for each module.

Attributes:

  • Requires a Maven project to be executed.
  • Executes as an aggregator goal.
  • The goal is thread-safe and supports parallel builds.
  • Since version: 2.1.0.
  • Binds by default to the lifecycle phase: package.
  • Requires that Maven runs in online mode.

Optional Parameters

Name Type Since Description
<analyzer> String 2.1.0 Specify the Maven project dependency analyzer to use (Plexus component role-hint). By default, the analyzer from maven-dependency-analyzer is used. To use another implementation, declare a dependency for this plugin that contains the analyzer's code and specify its Plexus role-hint here.
Default: default
User Property: analyzer
<classifier> String 2.8.1 Classifier of the attached SBOM.
Default: cyclonedx
User Property: cyclonedx.classifier
<detectUnusedForOptionalScope> boolean 2.7.9 Use the original mechanism for determining whether a component has OPTIONAL or REQUIRED scope: bytecode analysis of the compiled classes rather than the optional declaration of the Maven dependency.
Default: false
User Property: detectUnusedForOptionalScope
<excludeArtifactId> String[] 2.4.0 ArtifactIds of reactor projects (aka modules) to exclude from the aggregate BOM.
User Property: excludeArtifactId
<excludeGroupId> String[] 2.7.3 GroupIds of reactor projects (aka modules) to exclude from the aggregate BOM.
User Property: excludeGroupId
<excludeTestProject> Boolean 2.4.0 Should reactor projects (aka modules) whose artifactId contains the word "test" be excluded from the aggregate BOM?
Default: false
User Property: excludeTestProject
<excludeTypes> String[] 2.1.0 Artifact types to exclude from the BOM.
User Property: excludeTypes
<externalReferences> ExternalReference[] 2.7.11 External references to be added to the component the BOM describes ($.metadata.component.externalReferences[]):
<externalReferences>
  <externalReference>
    <type>EXTERNAL_REFERENCE_TYPE</type><!-- constant name corresponding to the SBOM "external-reference-type" -->
    <url>https://...</url>
    <comment>(optional) comment</comment>
  </externalReference>
</externalReferences>

See also: ExternalReference.Type constants
<includeBomSerialNumber> boolean 2.1.0 Should the resulting BOM contain a unique serial number?
Default: true
User Property: includeBomSerialNumber
<includeCompileScope> boolean 2.1.0 Should compile-scoped Maven dependencies be included in the BOM?
Default: true
User Property: includeCompileScope
<includeLicenseText> boolean 2.1.0 Should license text be included in the BOM?
Default: false
User Property: includeLicenseText
<includeProvidedScope> boolean 2.1.0 Should provided-scoped Maven dependencies be included in the BOM?
Default: true
User Property: includeProvidedScope
<includeRuntimeScope> boolean 2.1.0 Should runtime-scoped Maven dependencies be included in the BOM?
Default: true
User Property: includeRuntimeScope
<includeSystemScope> boolean 2.1.0 Should system-scoped Maven dependencies be included in the BOM?
Default: true
User Property: includeSystemScope
<includeTestScope> boolean 2.1.0 Should test-scoped Maven dependencies be included in the BOM?
Default: false
User Property: includeTestScope
<outputDirectory> File 2.7.5 The directory in which the generated CycloneDX output files are stored.
Default: ${project.build.directory}
User Property: outputDirectory
<outputFormat> String 2.1.0 The CycloneDX output format that should be generated (xml, json or all).
Default: all
User Property: outputFormat
<outputName> String 2.2.0 The CycloneDX output file name (without extension) to generate, written to outputDirectory.
Default: bom
User Property: outputName
<outputReactorProjects> Boolean 2.6.2 Should non-root reactor projects create a module-only BOM?
Default: true
User Property: outputReactorProjects
<outputTimestamp> String 2.7.9 Timestamp for reproducible output archive entries, either formatted as ISO 8601 yyyy-MM-dd'T'HH:mm:ssXXX or as an int representing seconds since the epoch (like SOURCE_DATE_EPOCH).
Default: ${project.build.outputTimestamp}
<projectType> String 2.0.0 The component type associated with the SBOM metadata. See the CycloneDX reference for supported values.
Default: library
User Property: projectType
<schemaVersion> String 2.1.0 The CycloneDX schema version the BOM will comply with.
Default: 1.6
User Property: schemaVersion
<skip> boolean 1.1.3 Skip CycloneDX execution.
Default: false
User Property: cyclonedx.skip
<skipAttach> boolean 2.1.0 Do not attach the generated BOM as a project artifact.
Default: false
User Property: cyclonedx.skipAttach
<skipNotDeployed> boolean 2.7.11 Only run this goal for a module, or add the module to the aggregate SBOM, if the module's deployment is not skipped.
Default: true
User Property: cyclonedx.skipNotDeployed
<verbose> boolean 2.6.0 Verbose output.
Default: false
User Property: cyclonedx.verbose
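
As an added example (not part of the plugin's own documentation), a root pom.xml fragment that binds makeAggregateBom and sets the parameters above so the SBOM describes only what is actually deployed; the module name and URLs are assumed placeholders:

```xml
<!-- Root pom.xml of a multi-module build: makeAggregateBom is an aggregator goal,
     so it is configured once here and collects dependencies from every module. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.9.1</version>
      <executions>
        <execution>
          <id>aggregate-sbom</id>
          <phase>package</phase> <!-- the goal's default binding, made explicit -->
          <goals>
            <goal>makeAggregateBom</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <projectType>application</projectType> <!-- what ships is an app, not a library -->
        <schemaVersion>1.6</schemaVersion>
        <outputFormat>json</outputFormat>
        <outputName>sbom</outputName>
        <!-- Keep the SBOM faithful to what is deployed: test-scope dependencies and
             test-only modules never reach production, so they are left out. -->
        <includeTestScope>false</includeTestScope>
        <excludeTestProject>true</excludeTestProject>
        <excludeArtifactId>
          <excludeArtifactId>example-it-harness</excludeArtifactId> <!-- assumed module name -->
        </excludeArtifactId>
        <skipNotDeployed>true</skipNotDeployed> <!-- modules that skip deploy are omitted -->
        <!-- A unique serial number lets consumers tell two BOM revisions apart. -->
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <!-- Provenance pointers recorded under $.metadata.component.externalReferences[]
             (assumed URLs; VCS and BUILD_SYSTEM are ExternalReference.Type constants). -->
        <externalReferences>
          <externalReference>
            <type>VCS</type>
            <url>https://example.com/git/example-app.git</url>
            <comment>Source repository</comment>
          </externalReference>
          <externalReference>
            <type>BUILD_SYSTEM</type>
            <url>https://ci.example.com/job/example-app</url>
          </externalReference>
        </externalReferences>
      </configuration>
    </plugin>
  </plugins>
</build>
```

Running `mvn package` on the root project then writes target/sbom.json at the build root and, because outputReactorProjects defaults to true, a module-only BOM in each module's own output directory.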

Parameter Details

<analyzer>

Specify the Maven project dependency analyzer to use (Plexus component role-hint). By default, the analyzer from maven-dependency-analyzer is used. To use another implementation, declare a dependency for this plugin that contains the analyzer's code and specify its Plexus role-hint here.
  • Type: java.lang.String
  • Since: 2.1.0
  • Required: No
  • User Property: analyzer
  • Default: default

<classifier>

Classifier of the attached SBOM.
  • Type: java.lang.String
  • Since: 2.8.1
  • Required: No
  • User Property: cyclonedx.classifier
  • Default: cyclonedx

<detectUnusedForOptionalScope>

Use the original mechanism for determining whether a component has OPTIONAL or REQUIRED scope: bytecode analysis of the compiled classes rather than the optional declaration of the Maven dependency.
  • Type: boolean
  • Since: 2.7.9
  • Required: No
  • User Property: detectUnusedForOptionalScope
  • Default: false

<excludeArtifactId>

ArtifactIds of reactor projects (aka modules) to exclude from the aggregate BOM.
  • Type: java.lang.String[]
  • Since: 2.4.0
  • Required: No
  • User Property: excludeArtifactId

<excludeGroupId>

GroupIds of reactor projects (aka modules) to exclude from the aggregate BOM.
  • Type: java.lang.String[]
  • Since: 2.7.3
  • Required: No
  • User Property: excludeGroupId

<excludeTestProject>

Should reactor projects (aka modules) whose artifactId contains the word "test" be excluded from the aggregate BOM?
  • Type: java.lang.Boolean
  • Since: 2.4.0
  • Required: No
  • User Property: excludeTestProject
  • Default: false

<excludeTypes>

Artifact types to exclude from the BOM.
  • Type: java.lang.String[]
  • Since: 2.1.0
  • Required: No
  • User Property: excludeTypes

<externalReferences>

External references to be added to the component the BOM describes ($.metadata.component.externalReferences[]):
<externalReferences>
  <externalReference>
    <type>EXTERNAL_REFERENCE_TYPE</type><!-- constant name corresponding to the SBOM "external-reference-type" -->
    <url>https://...</url>
    <comment>(optional) comment</comment>
  </externalReference>
</externalReferences>

See also: ExternalReference.Type constants
  • Type: org.cyclonedx.model.ExternalReference[]
  • Since: 2.7.11
  • Required: No

<includeBomSerialNumber>

Should the resulting BOM contain a unique serial number?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeBomSerialNumber
  • Default: true

<includeCompileScope>

Should compile-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeCompileScope
  • Default: true

<includeLicenseText>

Should license text be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeLicenseText
  • Default: false

<includeProvidedScope>

Should provided-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeProvidedScope
  • Default: true

<includeRuntimeScope>

Should runtime-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeRuntimeScope
  • Default: true

<includeSystemScope>

Should system-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeSystemScope
  • Default: true

<includeTestScope>

Should test-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeTestScope
  • Default: false

<outputDirectory>

The directory in which the generated CycloneDX output files are stored.
  • Type: java.io.File
  • Since: 2.7.5
  • Required: No
  • User Property: outputDirectory
  • Default: ${project.build.directory}

<outputFormat>

The CycloneDX output format that should be generated (xml, json or all).
  • Type: java.lang.String
  • Since: 2.1.0
  • Required: No
  • User Property: outputFormat
  • Default: all

<outputName>

The CycloneDX output file name (without extension) to generate, written to outputDirectory.
  • Type: java.lang.String
  • Since: 2.2.0
  • Required: No
  • User Property: outputName
  • Default: bom

<outputReactorProjects>

Should non-root reactor projects create a module-only BOM?
  • Type: java.lang.Boolean
  • Since: 2.6.2
  • Required: No
  • User Property: outputReactorProjects
  • Default: true

<outputTimestamp>

Timestamp for reproducible output archive entries, either formatted as ISO 8601 yyyy-MM-dd'T'HH:mm:ssXXX or as an int representing seconds since the epoch (like SOURCE_DATE_EPOCH).
  • Type: java.lang.String
  • Since: 2.7.9
  • Required: No
  • Default: ${project.build.outputTimestamp}

<projectType>

The component type associated with the SBOM metadata. See the CycloneDX reference for supported values.
  • Type: java.lang.String
  • Since: 2.0.0
  • Required: No
  • User Property: projectType
  • Default: library

<schemaVersion>

The CycloneDX schema version the BOM will comply with.
  • Type: java.lang.String
  • Since: 2.1.0
  • Required: No
  • User Property: schemaVersion
  • Default: 1.6

<skip>

Skip CycloneDX execution.
  • Type: boolean
  • Since: 1.1.3
  • Required: No
  • User Property: cyclonedx.skip
  • Default: false

<skipAttach>

Do not attach the generated BOM as a project artifact.
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: cyclonedx.skipAttach
  • Default: false

<skipNotDeployed>

Only run this goal for a module, or add the module to the aggregate SBOM, if the module's deployment is not skipped.
  • Type: boolean
  • Since: 2.7.11
  • Required: No
  • User Property: cyclonedx.skipNotDeployed
  • Default: true

<verbose>

Verbose output.
  • Type: boolean
  • Since: 2.6.0
  • Required: No
  • User Property: cyclonedx.verbose
  • Default: false