Skip to content

pho3nixx/cyclonedx-maven-plugin

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

252 Commits

.github

.github

 
 

src

src

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

pom.xml

pom.xml

 
 

Repository files navigation

Build Status Maven Central License Website Slack Invite Group Discussion Twitter

CycloneDX Maven Plugin

The CycloneDX Maven plugin creates an aggregate of all direct and transitive dependencies of a project and creates a valid CycloneDX SBOM. CycloneDX is a lightweight software bill of materials (SBOM) specification designed for use in application security contexts and supply chain component analysis.

Maven Usage

<!-- uses default configuration -->
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.4.0</version>
    </plugin>
</plugins>

Default Values

<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.4.0</version>
        <executions>
            <execution>
                <phase>package</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
            <projectType>library</projectType>
            <schemaVersion>1.2</schemaVersion>
            <includeBomSerialNumber>true</includeBomSerialNumber>
            <includeCompileScope>true</includeCompileScope>
            <includeProvidedScope>true</includeProvidedScope>
            <includeRuntimeScope>true</includeRuntimeScope>
            <includeSystemScope>true</includeSystemScope>
            <includeTestScope>false</includeTestScope>
            <includeLicenseText>false</includeLicenseText>
            <outputFormat>all</outputFormat>
            <outputName>bom</outputName>
        </configuration>
    </plugin>
</plugins>

Excluding Projects

With makeAggregateBom goal it is possible to exclude certain Maven Projects (artifactId) from getting included in bom.

  • Pass -DexcludeTestProject=true to skip any maven project artifactId containing the word "test"
  • Pass -DexcludeArtifactId=comma separated id to skip based on artifactId

Notes

As of v2.0.0, the default CycloneDX BOM format is v1.2 and will produce both XML and JSON.

Goals

The CycloneDX Maven plugin contains the following three goals:

  • makeBom
  • makeAggregateBom
  • makePackageBom

By default, the BOM(s) will be attached as an additional artifacts during a Maven install or deploy.

  • ${project.artifactId}-${project.version}-cyclonedx.xml
  • ${project.artifactId}-${project.version}-cyclonedx.json

This may be switched off by setting cyclonedx.skipAttach to true.

makeBom and makeAggregateBom can optionally be skipped completely by setting cyclonedx.skip to true.

CycloneDX Schema Support

The following table provides information on the version of this node module, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this node module that is the compatible with the CycloneDX version supported by the target system.

Version Schema Version Format(s)
2.0.x CycloneDX v1.2 XML/JSON
1.4.x CycloneDX v1.1 XML
1.0x CycloneDX v1.0 XML

Copyright & License

CycloneDX Maven Plugin is Copyright (c) Steve Springett. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

About

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

cyclonedx.org/

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

36 tags

Packages

No packages published

Languages

  • Java 100.0%