Skip to content
Creates CycloneDX Software Bill-of-Materials (SBoM) from Maven projects
Java
Branch: master
Clone or download
Pull request Compare This branch is 16 commits behind CycloneDX:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github
src/main/java/org/cyclonedx/maven
.travis.yml
LICENSE
README.md
pom.xml

README.md

Build Status Maven Central License Website Group Discussion Twitter

CycloneDX Maven Plugin

The CycloneDX Maven plugin creates an aggregate of all dependencies and transitive dependencies of a project and creates a valid CycloneDX bill-of-material document from the results. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse. The resulting bom.xml can be used with tools such as OWASP Dependency-Track for the continuous analysis of components.

Maven Usage

<!-- uses default configuration -->
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>1.4.1</version>
    </plugin>
</plugins>

Default Values

<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>1.4.1</version>
        <executions>
            <execution>
                <phase>verify</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
            <schemaVersion>1.1</schemaVersion>
            <includeBomSerialNumber>true</includeBomSerialNumber>
            <includeCompileScope>true</includeCompileScope>
            <includeProvidedScope>true</includeProvidedScope>
            <includeRuntimeScope>true</includeRuntimeScope>
            <includeSystemScope>true</includeSystemScope>
            <includeTestScope>false</includeTestScope>
        </configuration>
    </plugin>
</plugins>

Notes

As of v1.4.0, the default CycloneDX BOM format is v1.1 with included serial number.

Goals

The CycloneDX Maven plugin contains the following two goals:

  • makeBom
  • makeAggregateBom

makeBom and makeAggregateBom can optionally be skipped by setting cyclonedx.skip to true.

Copyright & License

CycloneDX Maven Plugin is Copyright (c) Steve Springett. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

You can’t perform that action at this time.