/cyclonedx-maven-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

Primary LanguageJavaApache License 2.0Apache-2.0

Build Status Maven Central License Website Slack Invite Group Discussion Twitter

CycloneDX Maven Plugin

The CycloneDX Maven plugin generates CycloneDX Software Bill of Materials (SBOM) containing the aggregate of all direct and transitive dependencies of a project. CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

Maven Usage

<!-- uses default configuration -->
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.7.4</version>
        <executions>
            <execution>
                <phase>package</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
</plugins>

Default Values

<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <configuration>
            <projectType>library</projectType>
            <schemaVersion>1.4</schemaVersion>
            <includeBomSerialNumber>true</includeBomSerialNumber>
            <includeCompileScope>true</includeCompileScope>
            <includeProvidedScope>true</includeProvidedScope>
            <includeRuntimeScope>true</includeRuntimeScope>
            <includeSystemScope>true</includeSystemScope>
            <includeTestScope>false</includeTestScope>
            <includeLicenseText>false</includeLicenseText>
            <outputReactorProjects>true</outputReactorProjects>
            <outputFormat>all</outputFormat>
            <outputName>bom</outputName>
        </configuration>
    </plugin>
</plugins>

Excluding Projects

With makeAggregateBom goal it is possible to exclude certain Maven Projects (artifactId) from getting included in bom.

  • Pass -DexcludeTestProject to skip any Maven project artifactId containing the word "test"
  • Pass -DexcludeArtifactId=comma separated id to skip based on artifactId
  • Pass -DexcludeGroupId=comma separated id to skip based on groupId

Goals

The CycloneDX Maven plugin contains the following three goals:

  • makeBom: creates a BOM for each Maven module with its dependencies,
  • makeAggregateBom: creates an aggregate BOM at build root (with dependencies from the whole build), and eventually a BOM for each module,
  • makePackageBom: creates a BOM for each Maven module with war or `ear packaging.

By default, the BOM(s) will be attached as an additional artifacts with cyclonedx classifier and xml or json extension during a Maven install or deploy:

  • ${project.artifactId}-${project.version}-cyclonedx.xml
  • ${project.artifactId}-${project.version}-cyclonedx.json

This may be switched off by setting cyclonedx.skipAttach to true.

makeBom and makeAggregateBom can optionally be skipped completely by setting cyclonedx.skip to true.

CycloneDX Schema Support

The following table provides information on the version of this node module, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this node module that is the compatible with the CycloneDX version supported by the target system.

Version Schema Version Format(s)
2.6.x CycloneDX v1.4 XML/JSON
2.5.x CycloneDX v1.3 XML/JSON
2.0.x CycloneDX v1.2 XML/JSON
1.4.x CycloneDX v1.1 XML
1.0x CycloneDX v1.0 XML

Maven Plugin Documentation

The Maven plugin documentation can be viewed online at https://cyclonedx.github.io/cyclonedx-maven-plugin/.

Copyright & License

CycloneDX Maven Plugin is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.