Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/CycloneDX/cyclonedx-maven-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
https://github.com/CycloneDX/cyclonedx-maven-plugin

bill-of-materials bom cyclonedx maven maven-plugin mbom obom owasp package-url purl saasbom sbom sbom-generator software-bill-of-materials spdx vex

Last synced: 29 days ago
JSON representation

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects

Awesome Lists containing this project

README 

        
[![Build Status](https://github.com/CycloneDX/cyclonedx-maven-plugin/workflows/Maven%20CI/badge.svg)](https://github.com/CycloneDX/cyclonedx-maven-plugin/actions?workflow=Maven+CI)

[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.cyclonedx/cyclonedx-maven-plugin/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.cyclonedx/cyclonedx-maven-plugin)

[![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)][License]

[![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)

[![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack&labelColor=393939)](https://cyclonedx.org/slack/invite)

[![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)

[![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/CycloneDX_Spec)



CycloneDX Maven Plugin

=========



The CycloneDX Maven plugin generates CycloneDX Software Bill of Materials (SBOM) containing the aggregate of all direct 

and transitive dependencies of a project. CycloneDX is a full-stack SBOM standard designed for use in application security

contexts and supply chain component analysis.



Maven Usage

-------------------



```xml



    

        org.cyclonedx

        cyclonedx-maven-plugin

        

            

                package

                

                    makeAggregateBom

                

            

        

    



```



Default Values

-------------------

```xml



    

        org.cyclonedx

        cyclonedx-maven-plugin

        

            library

            1.6

            true

            true

            true

            true

            true

            false

            false

            true

            all

            bom

            ${project.build.directory}

            false

        

    



```



`` default value is `library` but there are [more choices defined in the CycloneDX specification](https://cyclonedx.org/docs/1.6/json/#metadata_component_type).



See also [External References](https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html) documentation for details on this topic.



Excluding Projects

-------------------

With `makeAggregateBom` goal, it is possible to exclude certain Maven reactor projects (aka modules) from getting included in the aggregate BOM:



* Pass `-DexcludeTestProject` to exclude any Maven module with artifactId containing the word "test"

* Pass `-DexcludeArtifactId=comma separated id` to exclude based on artifactId

* Pass `-DexcludeGroupId=comma separated id` to exclude based on groupId



Goals

-------------------

The CycloneDX Maven plugin contains the following three goals:

* `makeBom`: creates a BOM for each Maven module with its dependencies,

* `makeAggregateBom`: creates an aggregate BOM at build root (with dependencies from the whole multi-modules build), and eventually a BOM for each module,

* `makePackageBom`: creates a BOM for each Maven module with `war` or `ear` packaging.



By default, the BOM(s) will be attached as an additional artifacts with `cyclonedx` classifier (can be customized by setting `cyclonedx.classifier`) and `xml` or `json` extension during a Maven `install` or `deploy`:



* `${project.artifactId}-${project.version}-cyclonedx.xml`

* `${project.artifactId}-${project.version}-cyclonedx.json`



This may be switched off by setting `cyclonedx.skipAttach` to `true`.



Every goal can optionally be skipped completely by setting `cyclonedx.skip` to `true`.



## CycloneDX Schema Support



The following table provides information on the version of this Maven plugin, the CycloneDX schema version supported, 

as well as the output format options. Use the latest possible version of this plugin that is compatible with 

the CycloneDX version supported by the target system.



| Version | Schema Version | Format(s) |

|---------|----------------| --------- |

| 2.9.x   | CycloneDX v1.6 | XML/JSON |

| 2.8.x   | CycloneDX v1.5 | XML/JSON |

| 2.6.x   | CycloneDX v1.4 | XML/JSON |

| 2.5.x   | CycloneDX v1.3 | XML/JSON |

| 2.0.x   | CycloneDX v1.2 | XML/JSON |

| 1.4.x   | CycloneDX v1.1 | XML |

| 1.0x    | CycloneDX v1.0 | XML |



## Maven Plugin Documentation



The Maven plugin documentation can be viewed online at [https://cyclonedx.github.io/cyclonedx-maven-plugin/](https://cyclonedx.github.io/cyclonedx-maven-plugin/).



Copyright & License

-------------------



CycloneDX Maven Plugin is Copyright (c) OWASP Foundation. All Rights Reserved.



Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE] file for the full license.



[License]: https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/master/LICENSE