Bad dependency can break BOM generation

[pvgoddijn]

when a dependency has some invalid transitive dependencies it can make the entire process fail

the example pom tries to download things from a defunct netbeans repo and fails generating a bom
(any good dependencies adden wont end up in the bom.json/xml)

I would expect the pluging to emit a warning in such cases, not fail entirely.

example pom:

<?xml version="1.0" encoding="UTF-8"?>
<!--
   Apache Maven 2 POM generated by Apache Ivy
   https://ant.apache.org/ivy/
   Apache Ivy version: 2.5.0 20191020104435
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

  <modelVersion>4.0.0</modelVersion>
  <groupId>our.group</groupId>
  <artifactId>our-artifact</artifactId>
  <packaging>pom</packaging>
  <version>1</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>3.6.2</version>
      <scope>compile</scope>
    </dependency>
  </dependencies>
</project>

output:

mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
[INFO] Scanning for projects...
[INFO] 
[INFO] -----------------------< our.group:our-artifact >-----------------------
[INFO] Building our-artifact 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- cyclonedx-maven-plugin:2.7.11:makeAggregateBom (default-cli) @ our-artifact ---
[INFO] CycloneDX: Resolving Dependencies
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10-b140310.1920 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10-b140802.1033 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.10 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
[WARNING] The POM for org.glassfish.jaxb:jaxb-runtime:jar:2.2.11 is invalid, transitive dependencies (if any) will not be available, enable debug logging for more details
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/javax/xml/bind/jaxb-api/2.3.0-b161121.1438/jaxb-api-2.3.0-b161121.1438.pom
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/com/sun/istack/istack-commons-runtime/3.0.6/istack-commons-runtime-3.0.6.pom
Downloading from netbeans: http://bits.netbeans.org/nexus/content/groups/netbeans/com/sun/xml/fastinfoset/FastInfoset/1.2.14/FastInfoset-1.2.14.pom
[WARNING] An error occurred building dependency graph: Could not collect dependencies: our.group:our-artifact:pom:1
[INFO] CycloneDX: Creating BOM version 1.4 with 0 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): /c/Users/dev/git/crm/build/deploy/target/bom.xml
[INFO]            attaching as our-artifact-1-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): /c/Users/dev/git/crm/build/deploy/target/bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as our-artifact-1-cyclonedx.json
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.379 s
[INFO] Finished at: 2024-02-19T15:44:26+01:00
[INFO] ------------------------------------------------------------------------

[prabhu]

Even mvn dependency:tree command is failing for this example. Don't know what magic this plugin could do to get some partial results.