cyclonedx:makePackageBom

Full name:

org.cyclonedx:cyclonedx-maven-plugin:2.9.2-SNAPSHOT:makePackageBom

Description:

Creates a CycloneDX BOM for each Maven module with war or ear packaging.

Attributes:

Requires a Maven project to be executed.
Executes as an aggregator goal.
The goal is thread-safe and supports parallel builds.
Since version: 2.4.0.
Binds by default to the lifecycle phase: package.
Requires that Maven runs in online mode.

Optional Parameters

Name	Type	Since	Description
`<classifier>`	`String`	`2.8.1`	Classifier of the attached sbom Default: `cyclonedx` User Property: `cyclonedx.classifier`
`<detectUnusedForOptionalScope>`	`boolean`	`2.7.9`	Use the original mechanism for determining whether a component has OPTIONAL or REQUIRED scope, relying on bytecode analysis of the compiled classes instead of the Maven dependency declaration of optional. Default: `false` User Property: `detectUnusedForOptionalScope`
`<excludeTypes>`	`String[]`	`2.1.0`	Excluded types. User Property: `excludeTypes`
`<externalReferences>`	`ExternalReference[]`	`2.7.11`	External references to be added to the component the BOM describes `$.metadata.component.externalReferences[]`: <externalReferences> <externalReference> <type>EXTERNAL_REFERENCE_TYPE</type><-- constant id corresponding to "external-reference-type" SBOM type --> <url>https://...</url> <comment>(optional) comment</comment> </externalReference> </externalReferences> See also: ExternalReference.Type constants
`<includeBomSerialNumber>`	`boolean`	`2.1.0`	Should the resulting BOM contain a unique serial number? Default: `true` User Property: `includeBomSerialNumber`
`<includeCompileScope>`	`boolean`	`2.1.0`	Should compile scoped Maven dependencies be included in bom? Default: `true` User Property: `includeCompileScope`
`<includeLicenseText>`	`boolean`	`2.1.0`	Should license text be included in bom? Default: `false` User Property: `includeLicenseText`
`<includeProvidedScope>`	`boolean`	`2.1.0`	Should provided scoped Maven dependencies be included in bom? Default: `true` User Property: `includeProvidedScope`
`<includeRuntimeScope>`	`boolean`	`2.1.0`	Should runtime scoped Maven dependencies be included in bom? Default: `true` User Property: `includeRuntimeScope`
`<includeSystemScope>`	`boolean`	`2.1.0`	Should system scoped Maven dependencies be included in bom? Default: `true` User Property: `includeSystemScope`
`<includeTestScope>`	`boolean`	`2.1.0`	Should test scoped Maven dependencies be included in bom? Default: `false` User Property: `includeTestScope`
`<outputDirectory>`	`File`	`2.7.5`	The output directory where to store generated CycloneDX output files. Default: `${project.build.directory}` User Property: `outputDirectory`
`<outputFormat>`	`String`	`2.1.0`	The CycloneDX output format that should be generated (`xml`, `json` or `all`). Default: `all` User Property: `outputFormat`
`<outputName>`	`String`	`2.2.0`	The CycloneDX output file name (without extension) that should be generated (in `outputDirectory` directory). Default: `bom` User Property: `outputName`
`<outputTimestamp>`	`String`	`2.7.9`	Timestamp for reproducible output archive entries, either formatted as ISO 8601 `yyyy-MM-dd'T'HH:mm:ssXXX` or as an int representing seconds since the epoch (like SOURCE_DATE_EPOCH). Default: `${project.build.outputTimestamp}`
`<projectType>`	`String`	`2.0.0`	The component type associated to the SBOM metadata. See CycloneDX reference for supported values. Default: `library` User Property: `projectType`
`<schemaVersion>`	`String`	`2.1.0`	The CycloneDX schema version the BOM will comply with. Default: `1.6` User Property: `schemaVersion`
`<skip>`	`boolean`	`1.1.3`	Skip CycloneDX execution. Default: `false` User Property: `cyclonedx.skip`
`<skipAttach>`	`boolean`	`2.1.0`	Don't attach bom. Default: `false` User Property: `cyclonedx.skipAttach`
`<verbose>`	`boolean`	`2.6.0`	Verbose output. Default: `false` User Property: `cyclonedx.verbose`

Parameter Details

<classifier>

Classifier of the attached sbom

Type: java.lang.String
Since: 2.8.1
Required: No
User Property: cyclonedx.classifier
Default: cyclonedx

<detectUnusedForOptionalScope>

Use the original mechanism for determining whether a component has OPTIONAL or REQUIRED scope, relying on bytecode analysis of the compiled classes instead of the Maven dependency declaration of optional.

Type: boolean
Since: 2.7.9
Required: No
User Property: detectUnusedForOptionalScope
Default: false

<excludeTypes>

Excluded types.

Type: java.lang.String[]
Since: 2.1.0
Required: No
User Property: excludeTypes

<externalReferences>

External references to be added to the component the BOM describes $.metadata.component.externalReferences[]:

<externalReferences>
  <externalReference>
    <type>EXTERNAL_REFERENCE_TYPE</type><-- constant id corresponding to "external-reference-type" SBOM type -->
    <url>https://...</url>
    <comment>(optional) comment</comment>
  </externalReference>
</externalReferences>

See also: ExternalReference.Type constants

Type: org.cyclonedx.model.ExternalReference[]
Since: 2.7.11
Required: No

<includeBomSerialNumber>

Should the resulting BOM contain a unique serial number?

Type: boolean
Since: 2.1.0
Required: No
User Property: includeBomSerialNumber
Default: true

<includeCompileScope>

Should compile scoped Maven dependencies be included in bom?

Type: boolean
Since: 2.1.0
Required: No
User Property: includeCompileScope
Default: true

<includeLicenseText>

Should license text be included in bom?

Type: boolean
Since: 2.1.0
Required: No
User Property: includeLicenseText
Default: false

<includeProvidedScope>

Should provided scoped Maven dependencies be included in bom?

Type: boolean
Since: 2.1.0
Required: No
User Property: includeProvidedScope
Default: true

<includeRuntimeScope>

Should runtime scoped Maven dependencies be included in bom?

Type: boolean
Since: 2.1.0
Required: No
User Property: includeRuntimeScope
Default: true

<includeSystemScope>

Should system scoped Maven dependencies be included in bom?

Type: boolean
Since: 2.1.0
Required: No
User Property: includeSystemScope
Default: true

<includeTestScope>

Should test scoped Maven dependencies be included in bom?

Type: boolean
Since: 2.1.0
Required: No
User Property: includeTestScope
Default: false

<outputDirectory>

The output directory where to store generated CycloneDX output files.

Type: java.io.File
Since: 2.7.5
Required: No
User Property: outputDirectory
Default: ${project.build.directory}

<outputFormat>

The CycloneDX output format that should be generated (xml, json or all).

Type: java.lang.String
Since: 2.1.0
Required: No
User Property: outputFormat
Default: all

<outputName>

The CycloneDX output file name (without extension) that should be generated (in outputDirectory directory).

Type: java.lang.String
Since: 2.2.0
Required: No
User Property: outputName
Default: bom

<outputTimestamp>

Timestamp for reproducible output archive entries, either formatted as ISO 8601 yyyy-MM-dd'T'HH:mm:ssXXX or as an int representing seconds since the epoch (like SOURCE_DATE_EPOCH).

Type: java.lang.String
Since: 2.7.9
Required: No
Default: ${project.build.outputTimestamp}

<projectType>

The component type associated to the SBOM metadata. See CycloneDX reference for supported values.

Type: java.lang.String
Since: 2.0.0
Required: No
User Property: projectType
Default: library

<schemaVersion>

The CycloneDX schema version the BOM will comply with.

Type: java.lang.String
Since: 2.1.0
Required: No
User Property: schemaVersion
Default: 1.6

<skip>

Skip CycloneDX execution.

Type: boolean
Since: 1.1.3
Required: No
User Property: cyclonedx.skip
Default: false

<skipAttach>

Don't attach bom.

Type: boolean
Since: 2.1.0
Required: No
User Property: cyclonedx.skipAttach
Default: false

<verbose>

Verbose output.

Type: boolean
Since: 2.6.0
Required: No
User Property: cyclonedx.verbose
Default: false