The CycloneDX Maven plugin generates CycloneDX Software Bill of Materials (SBOM) containing the aggregate of all direct and transitive dependencies of a project. CycloneDX is a full-stack SBOM standard designed for use in application security contexts and supply chain component analysis.
<!-- uses default configuration -->
<plugins>
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>makeAggregateBom</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins><plugins>
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<configuration>
<projectType>library</projectType>
<schemaVersion>1.6</schemaVersion>
<includeBomSerialNumber>true</includeBomSerialNumber>
<includeCompileScope>true</includeCompileScope>
<includeProvidedScope>true</includeProvidedScope>
<includeRuntimeScope>true</includeRuntimeScope>
<includeSystemScope>true</includeSystemScope>
<includeTestScope>false</includeTestScope>
<includeLicenseText>false</includeLicenseText>
<outputReactorProjects>true</outputReactorProjects>
<outputFormat>all</outputFormat>
<outputName>bom</outputName>
<outputDirectory>${project.build.directory}</outputDirectory><!-- usually target, if not redefined in pom.xml -->
<verbose>false</verbose><!-- = ${cyclonedx.verbose} -->
</configuration>
</plugin>
</plugins><projectType> default value is library but there are more choices defined in the CycloneDX specification.
See also External References documentation for details on this topic.
With makeAggregateBom goal, it is possible to exclude certain Maven reactor projects (aka modules) from getting included in the aggregate BOM:
- Pass
-DexcludeTestProjectto exclude any Maven module with artifactId containing the word "test" - Pass
-DexcludeArtifactId=comma separated idto exclude based on artifactId - Pass
-DexcludeGroupId=comma separated idto exclude based on groupId
The CycloneDX Maven plugin contains the following three goals:
makeBom: creates a BOM for each Maven module with its dependencies,makeAggregateBom: creates an aggregate BOM at build root (with dependencies from the whole multi-modules build), and eventually a BOM for each module,makePackageBom: creates a BOM for each Maven module withwarorearpackaging.
By default, the BOM(s) will be attached as an additional artifacts with cyclonedx classifier (can be customized by setting cyclonedx.classifier) and xml or json extension during a Maven install or deploy:
${project.artifactId}-${project.version}-cyclonedx.xml${project.artifactId}-${project.version}-cyclonedx.json
This may be switched off by setting cyclonedx.skipAttach to true.
Every goal can optionally be skipped completely by setting cyclonedx.skip to true.
The following table provides information on the version of this Maven plugin, the CycloneDX schema version supported, as well as the output format options. Use the latest possible version of this plugin that is compatible with the CycloneDX version supported by the target system.
| Version | Schema Version | Format(s) |
|---|---|---|
| 2.9.x | CycloneDX v1.6 | XML/JSON |
| 2.8.x | CycloneDX v1.5 | XML/JSON |
| 2.6.x | CycloneDX v1.4 | XML/JSON |
| 2.5.x | CycloneDX v1.3 | XML/JSON |
| 2.0.x | CycloneDX v1.2 | XML/JSON |
| 1.4.x | CycloneDX v1.1 | XML |
| 1.0x | CycloneDX v1.0 | XML |
The Maven plugin documentation can be viewed online at https://cyclonedx.github.io/cyclonedx-maven-plugin/.
CycloneDX Maven Plugin is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.