
Workaround for CycloneDX is causing POM build errors #13867

Merged
paul-rogers merged 1 commit into apache:master from imply-elliott:fix_bom_error
Mar 2, 2023


@imply-elliott
Contributor

Description

Fixes CycloneDX POM errors like this error: [ERROR] An error occurred attempting to read POM

  • been self-reviewed.
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.

Contributor

@paul-rogers paul-rogers left a comment


This is a short-term fix. Perhaps we're using a botched build of CycloneDX. Perhaps the person who added CycloneDX can sort out what went wrong.

@hboutemy
Member

hboutemy commented Mar 2, 2023

@imply-elliott I tried to build Druid but could not get this error message

can you show the plugin execution output that contains what you're getting, please?

And once reproduced with your current build that uses cyclonedx-maven-plugin 2.7.3, please also test with latest 2.7.5 and report

@imply-elliott
Contributor Author

imply-elliott commented Mar 2, 2023

> @imply-elliott I tried to build Druid but could not get this error message
>
> can you show the plugin execution output that contains what you're getting, please?
>
> And once reproduced with your current build that uses cyclonedx-maven-plugin 2.7.3, please also test with latest 2.7.5 and report

@hboutemy These errors were showing up sporadically in the builds. It's unclear why, as a private build was experiencing the issue much more frequently. It took some digging to find one, but if you expand the Maven build job here, you'll see one: https://github.com/apache/druid/actions/runs/4292832528/jobs/7479757181

Annoyingly, they're not causing the build to end in a failure as somehow it doesn't exit non-zero.

I have now tested bumping to 2.7.5 and it does seem to resolve the issue locally as well as in the pipeline, so I have a PR waiting for tests to complete now: #13878

@hboutemy
Member

hboutemy commented Mar 3, 2023

thanks for the pointer, I now see

[ERROR] An error occurred attempting to read POM
org.codehaus.plexus.util.xml.pull.XmlPullParserException: UTF-8 BOM plus xml decl of ISO-8859-1 is incompatible (position: START_DOCUMENT seen <?xml version="1.0" encoding="ISO-8859-1"... @1:42) 
    at org.codehaus.plexus.util.xml.pull.MXParser.parseXmlDeclWithVersion (MXParser.java:3423)
    at org.codehaus.plexus.util.xml.pull.MXParser.parseXmlDecl (MXParser.java:3345)
    at org.codehaus.plexus.util.xml.pull.MXParser.parsePI (MXParser.java:3197)
    at org.codehaus.plexus.util.xml.pull.MXParser.parseProlog (MXParser.java:1828)
    at org.codehaus.plexus.util.xml.pull.MXParser.nextImpl (MXParser.java:1757)
    at org.codehaus.plexus.util.xml.pull.MXParser.next (MXParser.java:1375)
    at org.apache.maven.model.io.xpp3.MavenXpp3Reader.read (MavenXpp3Reader.java:3940)
    at org.apache.maven.model.io.xpp3.MavenXpp3Reader.read (MavenXpp3Reader.java:612)
    at org.apache.maven.model.io.xpp3.MavenXpp3Reader.read (MavenXpp3Reader.java:627)
    at org.cyclonedx.maven.BaseCycloneDxMojo.readPom (BaseCycloneDxMojo.java:759)

I confirm this code has been fully rewritten in CycloneDX Maven Plugin 2.7.4, then it's not a surprise you don't see the issue any more when upgrading: #13878 is definitively the way to go

an additional move would also be to use makeAggregateBom instead of makeBom, to get the aggregation for the whole project at root, in addition to module-specific BOM in each module: please test and see if it works as expected for you

@clintropolis clintropolis added this to the 26.0 milestone Apr 10, 2023
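
An added example, not part of this PR or of either project's code: a Python check that walks a directory (for instance a local Maven repository) and reports POM files that start with a UTF-8 BOM while their XML declaration names another encoding, the combination the parser error above complains about. The function names and the sample files are constructed for illustration.

```python
import codecs
import re
import tempfile
from pathlib import Path

# Encoding pseudo-attribute of an XML declaration at the very start of the content.
XML_DECL_ENCODING = re.compile(rb'^<\?xml[^>]*?\bencoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')

def bom_conflict(path):
    """Return the declared encoding if a UTF-8 BOM precedes a non-UTF-8 declaration, else None."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if not head.startswith(codecs.BOM_UTF8):
        return None
    match = XML_DECL_ENCODING.match(head[len(codecs.BOM_UTF8):])
    if match is None:
        return None  # no declaration or no encoding attribute: nothing to contradict the BOM
    declared = match.group(1).decode("ascii")
    return None if declared.upper().replace("-", "") == "UTF8" else declared

def scan(root):
    """Return {relative path: declared encoding} for conflicting *.pom and pom.xml files."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix == ".pom" or path.name == "pom.xml"):
            declared = bom_conflict(path)
            if declared:
                hits[path.relative_to(root).as_posix()] = declared
    return hits

def demo():
    """Constructed sample files; only the first one has the BOM/declaration conflict."""
    body = b"<project><modelVersion>4.0.0</modelVersion></project>"
    samples = {
        "a/bad-1.0.pom": codecs.BOM_UTF8 + b'<?xml version="1.0" encoding="ISO-8859-1"?>' + body,
        "b/ok-1.0.pom": codecs.BOM_UTF8 + b'<?xml version="1.0" encoding="UTF-8"?>' + body,
        "c/pom.xml": b'<?xml version="1.0" encoding="ISO-8859-1"?>' + body,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True)
            target.write_bytes(data)
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

Because the plugin error reported above did not fail the build, a non-empty result from `scan` is a cue to check whether the generated BOM is missing metadata for those artifacts.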