cyclonedx:makeBom

Full name:

org.cyclonedx:cyclonedx-maven-plugin:2.7.10-SNAPSHOT:makeBom

Description:

Creates a CycloneDX BOM for each Maven module with its dependencies.

Attributes:

  • Requires a Maven project to be executed.
  • The goal is thread-safe and supports parallel builds.
  • Binds by default to the lifecycle phase: package.
  • Requires that Maven runs in online mode.

Optional Parameters

| Name | Type | Since | Description |
|---|---|---|---|
| <analyzer> | String | 2.1.0 | Specify the Maven project dependency analyzer to use (Plexus component role-hint). By default, the analyzer from maven-dependency-analyzer is used. To use another implementation, declare a dependency for this plugin that contains the analyzer code and specify its Plexus role name here. Default value is: default. User property is: analyzer. |
| <detectUnusedForOptionalScope> | boolean | 2.7.9 | Use the original mechanism for determining whether a component has OPTIONAL or REQUIRED scope, relying on bytecode analysis of the compiled classes instead of the Maven dependency declaration of optional. Default value is: false. User property is: detectUnusedForOptionalScope. |
| <excludeTypes> | String[] | 2.1.0 | Excluded types. User property is: excludeTypes. |
| <includeBomSerialNumber> | boolean | 2.1.0 | Should the resulting BOM contain a unique serial number? Default value is: true. User property is: includeBomSerialNumber. |
| <includeCompileScope> | boolean | 2.1.0 | Should compile-scoped Maven dependencies be included in the BOM? Default value is: true. User property is: includeCompileScope. |
| <includeLicenseText> | boolean | 2.1.0 | Should license text be included in the BOM? Default value is: false. User property is: includeLicenseText. |
| <includeProvidedScope> | boolean | 2.1.0 | Should provided-scoped Maven dependencies be included in the BOM? Default value is: true. User property is: includeProvidedScope. |
| <includeRuntimeScope> | boolean | 2.1.0 | Should runtime-scoped Maven dependencies be included in the BOM? Default value is: true. User property is: includeRuntimeScope. |
| <includeSystemScope> | boolean | 2.1.0 | Should system-scoped Maven dependencies be included in the BOM? Default value is: true. User property is: includeSystemScope. |
| <includeTestScope> | boolean | 2.1.0 | Should test-scoped Maven dependencies be included in the BOM? Default value is: false. User property is: includeTestScope. |
| <outputDirectory> | File | 2.7.5 | The directory in which to store the generated CycloneDX output files. Default value is: ${project.build.directory}. User property is: outputDirectory. |
| <outputFormat> | String | 2.1.0 | The CycloneDX output format that should be generated (xml, json or all). Default value is: all. User property is: outputFormat. |
| <outputName> | String | 2.2.0 | The CycloneDX output file name (without extension) that should be generated (in outputDirectory directory). Default value is: bom. User property is: outputName. |
| <outputTimestamp> | String | 2.7.9 | Timestamp for reproducible output archive entries, either formatted as ISO 8601 yyyy-MM-dd'T'HH:mm:ssXXX or as an int representing seconds since the epoch (like SOURCE_DATE_EPOCH). Default value is: ${project.build.outputTimestamp}. |
| <projectType> | String | - | The component type associated with the SBOM metadata. See CycloneDX reference for supported values. Default value is: library. User property is: projectType. |
| <schemaVersion> | String | 2.1.0 | The CycloneDX schema version the BOM will comply with. Default value is: 1.4. User property is: schemaVersion. |
| <skip> | boolean | - | Skip CycloneDX execution. Default value is: false. User property is: cyclonedx.skip. |
| <skipAttach> | boolean | 2.1.0 | Don't attach the BOM. Default value is: false. User property is: cyclonedx.skipAttach. |
| <verbose> | boolean | 2.6.0 | Verbose output. Default value is: false. User property is: cyclonedx.verbose. |

Parameter Details

<analyzer>

Specify the Maven project dependency analyzer to use (Plexus component role-hint). By default, the analyzer from maven-dependency-analyzer is used. To use another implementation, declare a dependency for this plugin that contains the analyzer code and specify its Plexus role name here.
  • Type: java.lang.String
  • Since: 2.1.0
  • Required: No
  • User Property: analyzer
  • Default: default

<detectUnusedForOptionalScope>

Use the original mechanism for determining whether a component has OPTIONAL or REQUIRED scope, relying on bytecode analysis of the compiled classes instead of the Maven dependency declaration of optional.
  • Type: boolean
  • Since: 2.7.9
  • Required: No
  • User Property: detectUnusedForOptionalScope
  • Default: false

<excludeTypes>

Excluded types.
  • Type: java.lang.String[]
  • Since: 2.1.0
  • Required: No
  • User Property: excludeTypes

<includeBomSerialNumber>

Should the resulting BOM contain a unique serial number?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeBomSerialNumber
  • Default: true

<includeCompileScope>

Should compile-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeCompileScope
  • Default: true

<includeLicenseText>

Should license text be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeLicenseText
  • Default: false

<includeProvidedScope>

Should provided-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeProvidedScope
  • Default: true

<includeRuntimeScope>

Should runtime-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeRuntimeScope
  • Default: true

<includeSystemScope>

Should system-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeSystemScope
  • Default: true

<includeTestScope>

Should test-scoped Maven dependencies be included in the BOM?
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: includeTestScope
  • Default: false

<outputDirectory>

The directory in which to store the generated CycloneDX output files.
  • Type: java.io.File
  • Since: 2.7.5
  • Required: No
  • User Property: outputDirectory
  • Default: ${project.build.directory}

<outputFormat>

The CycloneDX output format that should be generated (xml, json or all).
  • Type: java.lang.String
  • Since: 2.1.0
  • Required: No
  • User Property: outputFormat
  • Default: all

<outputName>

The CycloneDX output file name (without extension) that should be generated (in outputDirectory directory).
  • Type: java.lang.String
  • Since: 2.2.0
  • Required: No
  • User Property: outputName
  • Default: bom

<outputTimestamp>

Timestamp for reproducible output archive entries, either formatted as ISO 8601 yyyy-MM-dd'T'HH:mm:ssXXX or as an int representing seconds since the epoch (like SOURCE_DATE_EPOCH).
  • Type: java.lang.String
  • Since: 2.7.9
  • Required: No
  • Default: ${project.build.outputTimestamp}

<projectType>

The component type associated with the SBOM metadata. See CycloneDX reference for supported values.
  • Type: java.lang.String
  • Required: No
  • User Property: projectType
  • Default: library

<schemaVersion>

The CycloneDX schema version the BOM will comply with.
  • Type: java.lang.String
  • Since: 2.1.0
  • Required: No
  • User Property: schemaVersion
  • Default: 1.4

<skip>

Skip CycloneDX execution.
  • Type: boolean
  • Required: No
  • User Property: cyclonedx.skip
  • Default: false

<skipAttach>

Don't attach the BOM.
  • Type: boolean
  • Since: 2.1.0
  • Required: No
  • User Property: cyclonedx.skipAttach
  • Default: false

<verbose>

Verbose output.
  • Type: boolean
  • Since: 2.6.0
  • Required: No
  • User Property: cyclonedx.verbose
  • Default: false
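
Example configuration

The following pom.xml fragment is an added example, not part of the plugin's own documentation. It binds makeBom with the parameters documented above to produce a single JSON SBOM for a deployable artifact. It assumes the plugin version this page documents, that application is among the CycloneDX component types accepted by projectType, and a constructed timestamp value.

```xml
<!-- Added example: values are illustrative choices, not project defaults
     unless a comment says so. -->
<properties>
  <!-- Constructed value. outputTimestamp defaults to this property, so
       setting it here feeds the plugin without configuring it directly. -->
  <project.build.outputTimestamp>2024-01-01T00:00:00Z</project.build.outputTimestamp>
</properties>

<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>2.7.10-SNAPSHOT</version>
      <executions>
        <execution>
          <!-- package is the goal's default phase; stated for clarity -->
          <phase>package</phase>
          <goals>
            <goal>makeBom</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- Assumed valid component type; the documented default is library -->
        <projectType>application</projectType>
        <schemaVersion>1.4</schemaVersion>
        <!-- One format instead of the default "all" (xml and json) -->
        <outputFormat>json</outputFormat>
        <outputName>bom</outputName>
        <includeBomSerialNumber>true</includeBomSerialNumber>
        <!-- Dependency scopes, written out so the SBOM's coverage is
             reviewable in the POM; these match the documented defaults -->
        <includeCompileScope>true</includeCompileScope>
        <includeRuntimeScope>true</includeRuntimeScope>
        <includeProvidedScope>true</includeProvidedScope>
        <includeSystemScope>true</includeSystemScope>
        <includeTestScope>false</includeTestScope>
        <!-- false: OPTIONAL/REQUIRED comes from the Maven optional
             declaration rather than bytecode analysis -->
        <detectUnusedForOptionalScope>false</detectUnusedForOptionalScope>
        <includeLicenseText>false</includeLicenseText>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The same settings can be overridden per build through the user properties listed above, for example -DoutputFormat=xml or -Dcyclonedx.skip=true; note that skip, skipAttach and verbose use the cyclonedx. prefix while the other parameters do not. outputTimestamp has no user property listed on this page, which is why the example sets the project.build.outputTimestamp property instead.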