Bom generations takes a very long time for multi-module projects #259
CycloneDX Maven Plugin v2.7.4 solves the performance issue. I'd highly recommend upgrading to that version, which also includes many other improvements. |
Hello @stevespringett I tried upgrading to v2.7.4 as you suggested, but that caused the project to crash with the following errors:
|
I have exactly the same error with org.xerial.snappy. If anyone has a solution, I'm interested. |
Given the error message, it's a protection by Maven 3.8+ against downloading dependencies from HTTP repositories (instead of secure HTTPS): see https://maven.apache.org/docs/3.8.1/release-notes.html for details. Can you try building with Maven 3.6.3 and confirm it works? Notice I'm surprised that with the same Maven version, you can run an older cyclonedx-maven-plugin version but not 2.7.4: AFAIK, it should do the same work at that level... If you can share a sample project to reproduce, this would help a lot in investigating. |
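The HTTP-repository protection mentioned in the comment above, as an added example that is not part of the thread or the plugin's code: a Python scan of a POM for repository URLs that Maven 3.8.1+ routes to its default HTTP blocker mirror (mirrorOf `external:http:*`). The sample POM, its hosts and its ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# POM elements whose <url> child names a remote repository.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}
# 'external' in a Maven mirrorOf pattern excludes repositories on localhost.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def blocked_http_repos(pom_xml):
    """Return [(id, url)] for repositories matching 'external:http:*'."""
    findings = []
    for elem in ET.fromstring(pom_xml).iter():
        if local(elem.tag) not in REPO_TAGS:
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        url = urlparse(fields.get("url", ""))
        if url.scheme == "http" and url.hostname not in LOCAL_HOSTS:
            findings.append((fields.get("id", "?"), fields["url"]))
    return findings


# Constructed sample POM (hosts and ids are made up for this example).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <repositories>
    <repository><id>central-https</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>legacy-http</id><url>http://repo.example.com/maven2</url></repository>
    <repository><id>dev-local</id><url>http://localhost:8081/repository/maven</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins-http</id><url>http://plugins.example.org/repo</url></pluginRepository>
  </pluginRepositories>
</project>"""

if __name__ == "__main__":
    for repo_id, url in blocked_http_repos(SAMPLE_POM):
        print(f"blocked by Maven 3.8.1+: {repo_id} -> {url}")
```

The same function can be run over the POMs of dependencies in the local repository, since repository declarations can also come from a dependency's POM rather than the project's own.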
Greetings @hboutemy and thank you for your reply. Unfortunately I cannot downgrade to Maven 3.6.3, as the project uses jdk17. Still receiving errors regarding
I am afraid I cannot share a sample as well, since it's a private project. I also do not understand why this is connected with the cyclonedx version in any way. Thanks again |
Signed-off-by: Hervé Boutemy <hboutemy@apache.org>
ok, reading
I just tried adding this I now understand that it is a warning in the build output, it does not fail the build nor makes an invalid BOM content, even if that trace is frightening (was probably hidden exception in previous releases). We should probably open a separate issue with an adapted description, instead of hijacking the current "Bom generations takes a very long time for multi-module projects" |
closing this issue as performance issue was fixed in 2.7.4 |
FYI #306 drastically improves the performance of the aggregate bom generation, it took one of our complex builds down from ~30 mins to around 2 mins. |
Hello guys.
I have a multi-module project (~60 sub-modules), for which I need to generate a bom.xml file, in order to upload it to a Dependency Track instance.
Using the default configuration made me realize that cyclonedx was generating a bom file for each and every submodule, as well as a centralized one at the parent level. This behavior caused the bom generation process to take about 15 minutes to complete, while the actual project build takes half that time.
After some research, I came across the inherited property, which I then disabled in order for cyclonedx to only generate a centralized bom file, and not several separate ones. However, this reduced the bom generation time only a bit: it dropped from 15 to 10 minutes.
My current configuration (inside the parent pom.xml) is as follows:
Is there anything else I could do in order to further reduce the bom generation times?
I haven't been able to find any other solutions so far.
Thank you very much in advance,
Jenny