Fix dependencies concealed during BOM creation, aligning more closely with the dependency graph

src/main/java/org/cyclonedx/maven/CycloneDxAggregateMojo.java

@@ -163,34 +163,31 @@ protected boolean analyze(final Set<Component> components, final Set<Dependency>
             componentRefs.add(projectBomComponent.getBomRef());
 
             for (final Artifact artifact : mavenProject.getArtifacts()) {
-                if (shouldInclude(artifact)) {
-                    final Component component = convert(artifact);
-
-                    // ensure that only one component with the same bom-ref exists in the BOM
-                    if (!componentRefs.contains(component.getBomRef())) {
-                        Component.Scope componentScope = null;
-                        for (String projectId : dependencyAnalysisMap.keySet()) {
-                            ProjectDependencyAnalysis dependencyAnalysis = dependencyAnalysisMap.get(projectId);
-                            Component.Scope currentProjectScope = getComponentScope(component, artifact, dependencyAnalysis);
-                            // Set scope to required if the component is used in any project
-                            if (Component.Scope.REQUIRED.equals(currentProjectScope)) {
-                                componentScope = currentProjectScope;
-                                break;
-                            } else if (componentScope == null && currentProjectScope != null) {
-                                // Set optional or excluded scope
-                                componentScope = currentProjectScope;
-                            }
+                final Component component = convert(artifact);
+
+                // ensure that only one component with the same bom-ref exists in the BOM
+                if (!componentRefs.contains(component.getBomRef())) {
+                    Component.Scope componentScope = null;
+                    for (ProjectDependencyAnalysis dependencyAnalysis : dependencyAnalysisMap.values()) {
+                        Component.Scope currentProjectScope = getComponentScope(component, artifact, dependencyAnalysis);
+                        // Set scope to required if the component is used in any project
+                        if (Component.Scope.REQUIRED.equals(currentProjectScope)) {
+                            componentScope = currentProjectScope;
+                            break;
+                        } else if (componentScope == null && currentProjectScope != null) {
+                            // Set optional or excluded scope
+                            componentScope = currentProjectScope;
                         }
-                        component.setScope(componentScope);
-                        componentRefs.add(component.getBomRef());
-                        components.add(component);
-
-                        projectComponentRefs.add(component.getBomRef());
                     }
+                    component.setScope(componentScope);
+                    componentRefs.add(component.getBomRef());
+                    components.add(component);
+
+                    projectComponentRefs.add(component.getBomRef());
                 }
             }
             if (schemaVersion().getVersion() >= 1.2) {
-                projectDependencies.addAll(buildDependencyGraph(componentRefs, mavenProject));
+                projectDependencies.addAll(buildDependencyGraph(mavenProject));
                 dependencies.addAll(projectDependencies);
             }
         }

src/main/java/org/cyclonedx/maven/CycloneDxMojo.java

@@ -99,19 +99,17 @@ protected boolean analyze(final Set<Component> components, final Set<Dependency>
             componentRefs.add(bomComponent.getBomRef());
 
             for (final Artifact artifact : getProject().getArtifacts()) {
-                if (shouldInclude(artifact)) {
-                    final Component component = convert(artifact);
-                    // ensure that only one component with the same bom-ref exists in the BOM
-                    if (!componentRefs.contains(component.getBomRef())) {
-                        component.setScope(getComponentScope(component, artifact, dependencyAnalysis));
-                        componentRefs.add(component.getBomRef());
-                        components.add(component);
-                    }
+                final Component component = convert(artifact);
+                // ensure that only one component with the same bom-ref exists in the BOM
+                if (!componentRefs.contains(component.getBomRef())) {
+                    component.setScope(getComponentScope(component, artifact, dependencyAnalysis));
+                    componentRefs.add(component.getBomRef());
+                    components.add(component);
                 }
             }
         }
         if (schemaVersion().getVersion() >= 1.2) {
-            dependencies.addAll(buildDependencyGraph(componentRefs, null));
+            dependencies.addAll(buildDependencyGraph(null));
         }
         return true;
     }

src/main/java/org/cyclonedx/maven/CycloneDxPackageMojo.java

@@ -66,17 +66,15 @@ protected boolean analyze(Set<Component> components, Set<Dependency> dependencie
             }
             getLog().info("Analyzing " + mavenProject.getArtifactId());
             for (final Artifact artifact : mavenProject.getArtifacts()) {
-                if (shouldInclude(artifact)) {
-                    final Component component = convert(artifact);
-                    // ensure that only one component with the same bom-ref exists in the BOM
-                    if (!componentRefs.contains(component.getBomRef())) {
-                        componentRefs.add(component.getBomRef());
-                        components.add(component);
-                    }
+                final Component component = convert(artifact);
+                // ensure that only one component with the same bom-ref exists in the BOM
+                if (!componentRefs.contains(component.getBomRef())) {
+                    componentRefs.add(component.getBomRef());
+                    components.add(component);
                 }
             }
             if (schemaVersion().getVersion() >= 1.2) {
-                dependencies.addAll(buildDependencyGraph(componentRefs, mavenProject));
+                dependencies.addAll(buildDependencyGraph(mavenProject));
             }
         }
         return true;

src/main/java/org/cyclonedx/maven/DefaultModelConverter.java

@@ -80,7 +80,15 @@ public class DefaultModelConverter implements ModelConverter {
     public DefaultModelConverter() {
     }
 
-    public String generatePackageUrl(Artifact artifact) {
+    public String generatePackageUrl(final Artifact artifact) {
+        return generatePackageUrl(artifact, true);
+    }
+
+    public String generateVersionlessPackageUrl(final Artifact artifact) {
+        return generatePackageUrl(artifact, false);
+    }
+
+    private String generatePackageUrl(final Artifact artifact, final boolean includeVersion) {
         TreeMap<String, String> qualifiers = null;
         if (artifact.getType() != null || artifact.getClassifier() != null) {
             qualifiers = new TreeMap<>();
@@ -91,7 +99,8 @@ public String generatePackageUrl(Artifact artifact) {
                 qualifiers.put("classifier", artifact.getClassifier());
             }
         }
-        return generatePackageUrl(artifact.getGroupId(), artifact.getArtifactId(), artifact.getBaseVersion(), qualifiers, null);
+        final String version = includeVersion ? artifact.getBaseVersion() : null;
+        return generatePackageUrl(artifact.getGroupId(), artifact.getArtifactId(), version, qualifiers, null);
     }
 
     private String generatePackageUrl(String groupId, String artifactId, String version, TreeMap<String, String> qualifiers, String subpath) {

src/main/java/org/cyclonedx/maven/ModelConverter.java

@@ -31,6 +31,8 @@
 public interface ModelConverter {
     String generatePackageUrl(Artifact artifact);
 
+    String generateVersionlessPackageUrl(final Artifact artifact);
+
     /**
      * Converts a Maven artifact (dependency or transitive dependency) into a
      * CycloneDX component.