Add a configuration option to skip undeployed artifacts

This adds a `<skipNotDeployed>` plugin configuration option. If set to `false`, even artifacts that do not have a deploy execution are used to generate the SBOM. Closes #430 Signed-off-by: Piotr P. Karwasz <piotr.github@karwasz.org>
CycloneDX · Dec 13, 2023 · e6b6af2 · e6b6af2
1 parent 2e2afc6
commit e6b6af2
Show file tree

Hide file tree

Showing 7 changed files with 127 additions and 11 deletions.
diff --git a/src/it/makeAggregateBom/skipped/deploy-config-force/pom.xml b/src/it/makeAggregateBom/skipped/deploy-config-force/pom.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is part of CycloneDX Maven Plugin.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ SPDX-License-Identifier: Apache-2.0
+ Copyright (c) OWASP Foundation. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.cyclonedx.its</groupId>
+ <artifactId>skipped</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>deploy-config-force</artifactId>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.cyclonedx</groupId>
+ <artifactId>cyclonedx-maven-plugin</artifactId>
+ <configuration>
+ <skipNotDeployed>false</skipNotDeployed>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-deploy-plugin</artifactId>
+ <version>3.1.1</version>
+ <configuration>
+ <skip>true</skip>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
diff --git a/src/it/makeAggregateBom/skipped/deploy-property-force/pom.xml b/src/it/makeAggregateBom/skipped/deploy-property-force/pom.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ This file is part of CycloneDX Maven Plugin.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+ SPDX-License-Identifier: Apache-2.0
+ Copyright (c) OWASP Foundation. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.cyclonedx.its</groupId>
+ <artifactId>skipped</artifactId>
+ <version>1.0-SNAPSHOT</version>
+ </parent>
+ <artifactId>deploy-property-force</artifactId>
+
+ <properties>
+ <maven.deploy.skip>true</maven.deploy.skip>
+ <cyclonedx.skipNotDeployed>false</cyclonedx.skipNotDeployed>
+ </properties>
+</project>
diff --git a/src/it/makeAggregateBom/skipped/pom.xml b/src/it/makeAggregateBom/skipped/pom.xml
@@ -31,7 +31,9 @@
 
  <modules>
  <module>deploy-property</module>
+ <module>deploy-property-force</module>
  <module>deploy-config</module>
+ <module>deploy-config-force</module>
  <module>nexus-property</module>
  <module>nexus-config</module>
  </modules>

diff --git a/src/it/makeAggregateBom/verify.groovy b/src/it/makeAggregateBom/verify.groovy
@@ -30,6 +30,8 @@ assertBomFiles("impls/target/bom", false)
 assertBomFiles("impls/impl-A/target/bom", false)
 assertBomFiles("impls/impl-B/target/bom", false)
 assertBomFiles("skipped/target/bom", false)
+assertBomFiles("skipped/deploy-config-force/target/bom", false)
+assertBomFiles("skipped/deploy-property-force/target/bom", false)
 
 assertNoBomFiles("skipped/deploy-config/target/bom")
 assertNoBomFiles("skipped/deploy-property/target/bom")
@@ -38,16 +40,16 @@ assertNoBomFiles("skipped/nexus-property/target/bom")
 
 var buildLog = new File(basedir, "build.log").text
 
-assert 13 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Dependencies/).size()
+assert 17 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Dependencies/).size()
 assert 2 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Aggregated Dependencies/).size()
 
-// 15 = 7 modules for main cyclonedx-makeAggregateBom execution
+// 19 = 9 modules for main cyclonedx-makeAggregateBom execution
 // + 1 for root module cyclonedx-makeAggregateBom-root-only execution
-// + 7 modules for additional cyclonedx-makeBom execution
-assert 15 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(XML\)/).size()
-assert 15 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(JSON\)/).size()
-// cyclonedx-makeAggregateBom-root-only execution skips 5 non-root modules
-assert 6 == (buildLog =~ /\[INFO\] Skipping CycloneDX on non-execution root/).size()
+// + 9 modules for additional cyclonedx-makeBom execution
+assert 19 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(XML\)/).size()
+assert 19 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(JSON\)/).size()
+// cyclonedx-makeAggregateBom-root-only execution skips 7 non-root modules
+assert 8 == (buildLog =~ /\[INFO\] Skipping CycloneDX on non-execution root/).size()
 
 // [WARNING] artifact org.cyclonedx.its:api:xml:cyclonedx:1.0-SNAPSHOT already attached, replace previous instance
 assert 0 == (buildLog =~ /-SNAPSHOT already attached, replace previous instance/).size()
@@ -72,6 +74,8 @@ assertBomEqualsNonAggregate("util/target/bom")
 assertBomEqualsNonAggregate("impls/target/bom")
 assertBomEqualsNonAggregate("impls/impl-A/target/bom")
 assertBomEqualsNonAggregate("impls/impl-B/target/bom")
+assertBomEqualsNonAggregate("skipped/deploy-config-force/target/bom")
+assertBomEqualsNonAggregate("skipped/deploy-property-force/target/bom")
 
 // dependencies for root component in makeAggregateBom is the list of modules
 String bom = new File(basedir, 'target/bom.xml').text

diff --git a/src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java b/src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java
@@ -278,9 +278,18 @@ protected boolean shouldSkip() {
  return Boolean.parseBoolean(System.getProperty("cyclonedx.skip", Boolean.toString(skip)));
  }
 
+ protected String getSkipReason() {
+ return null;
+ }
+
  public void execute() throws MojoExecutionException {
  if (shouldSkip()) {
- getLog().info("Skipping CycloneDX");
+ final String skipReason = getSkipReason();
+ if (skipReason != null) {
+ getLog().info("Skipping CycloneDX goal, because " + skipReason);
+ } else {
+ getLog().info("Skipping CycloneDX goal");
+ }
  return;
  }
  logParameters();
@@ -490,7 +499,7 @@ protected void populateComponents(final Set<String> topLevelComponents, final Ma
  *
  * @return Component.Scope - REQUIRED, OPTIONAL or null if it cannot be determined
  *
- * @see detectUnusedForOptionalScope
+ * @see #detectUnusedForOptionalScope
  */
  private Component.Scope getComponentScope(Artifact artifact, ProjectDependencyAnalysis projectDependencyAnalysis) {
  if (detectUnusedForOptionalScope) {

diff --git a/src/main/java/org/cyclonedx/maven/CycloneDxAggregateMojo.java b/src/main/java/org/cyclonedx/maven/CycloneDxAggregateMojo.java
@@ -91,7 +91,7 @@ protected boolean shouldExclude(MavenProject mavenProject) {
  if (excludeTestProject && mavenProject.getArtifactId().contains("test")) {
  shouldExclude = true;
  }
- if (!BaseCycloneDxMojo.isDeployable(mavenProject)) {
+ if (skipNotDeployed && !BaseCycloneDxMojo.isDeployable(mavenProject)) {
  shouldExclude = true;
  }
  return shouldExclude;

diff --git a/src/main/java/org/cyclonedx/maven/CycloneDxMojo.java b/src/main/java/org/cyclonedx/maven/CycloneDxMojo.java
@@ -47,6 +47,14 @@
 )
 public class CycloneDxMojo extends BaseCycloneDxMojo {
 
+ /**
+ * Only runs this goal if the module does not skip deploy.
+ *
+ * @since 2.8.0
+ */
+ @Parameter(property = "cyclonedx.skipNotDeployed", defaultValue = "true", required = false)
+ protected boolean skipNotDeployed = true;
+
  /**
  * Specify the Maven project dependency analyzer to use (plexus component role-hint). By default,
  * <a href="https://maven.apache.org/shared/maven-dependency-analyzer/">maven-dependency-analyzer</a>'s one
@@ -97,7 +105,15 @@ protected ProjectDependencyAnalysis doProjectDependencyAnalysis(final MavenProje
  @Override
  protected boolean shouldSkip() {
  // The list of artifacts would be empty
- return super.shouldSkip() || !isDeployable(getProject());
+ return super.shouldSkip() || skipNotDeployed && !isDeployable(getProject());
+ }
+
+ @Override
+ protected String getSkipReason() {
+ if (super.shouldSkip()) {
+ return super.getSkipReason();
+ }
+ return "module skips deploy";
  }
 
  protected String extractComponentsAndDependencies(final Set<String> topLevelComponents, final Map<String, Component> components, final Map<String, Dependency> dependencies) throws MojoExecutionException {