
[409] Removes non-deployed artifacts from SBOM #416

Merged
Oct 27, 2023

Conversation

ppkarwasz
Contributor

This PR detects reactor artifacts that are neither deployed by maven-deploy-plugin nor nexus-staging-maven-plugin. These artifacts will:

  • not appear as dependencies in the aggregate BOM,
  • not generate BOMs.

This change is required by our /apache/logging-log4j2#1707 goal.

Fixes #409.

This PR detects reactor artifacts that are neither deployed by
`maven-deploy-plugin` nor `nexus-staging-maven-plugin`. These artifacts
will:
 * not appear as dependencies in the aggregate BOM,
 * not generate BOMs.

Fixes CycloneDX#409.

Signed-off-by: Piotr P. Karwasz <piotr.github@karwasz.org>
@vy
Contributor

vy commented Oct 27, 2023

@ppkarwasz, great job! 💯 I see you check against maven.deploy.skip and skipNexusStagingDeployMojo Maven properties. What if the user provides <skip>true</skip> in the maven-deploy-plugin (or nexus-staging-maven-plugin) configuration? Is this case also covered?

@ppkarwasz
Contributor Author

@vy,

Yes, <configuration><skip>true</skip></configuration> is also supported.

I am no Maven expert, but assuming that PluginExecution#getConfiguration returns the merged configuration from all sources (parent POM, plugin management, the default configuration for all executions), most use cases should be covered.

The support for the <skip>release</skip> and <skip>snapshots</skip> configurations is omitted for simplicity.
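The rule described in this answer, written out as an added illustration (not the plugin's own code) against the standard Maven model API; it assumes the effective model already contains lifecycle-injected plugins and checks only POM properties, not `-D` user properties from the session:

```java
import java.util.List;
import org.apache.maven.model.Plugin;
import org.apache.maven.model.PluginExecution;
import org.apache.maven.project.MavenProject;
import org.codehaus.plexus.util.xml.Xpp3Dom;

/** Illustrative deploy-detection check; not the cyclonedx-maven-plugin implementation. */
public final class DeployCheck {

    // Plugin coordinates and skip properties named in this thread.
    private static final String DEPLOY_PLUGIN = "org.apache.maven.plugins:maven-deploy-plugin";
    private static final String STAGING_PLUGIN = "org.sonatype.plugins:nexus-staging-maven-plugin";

    private DeployCheck() {}

    /** A module counts as deployed if at least one deploy-capable plugin is not skipped. */
    public static boolean isDeployed(MavenProject project) {
        return !isSkipped(project, DEPLOY_PLUGIN, "maven.deploy.skip")
            || !isSkipped(project, STAGING_PLUGIN, "skipNexusStagingDeployMojo");
    }

    private static boolean isSkipped(MavenProject project, String pluginKey, String skipProperty) {
        Plugin plugin = project.getPlugin(pluginKey);
        if (plugin == null) {
            return true; // assumption: absent from the effective build means nothing deploys
        }
        // 1. POM-level property, e.g. <maven.deploy.skip>true</maven.deploy.skip>.
        if (Boolean.parseBoolean(project.getProperties().getProperty(skipProperty))) {
            return true;
        }
        // 2. Plugin-level <configuration><skip>true</skip></configuration>.
        if (skipFlag(plugin.getConfiguration())) {
            return true;
        }
        // 3. Otherwise every execution must be skipped (assumes getConfiguration() is merged).
        List<PluginExecution> executions = plugin.getExecutions();
        if (executions.isEmpty()) {
            return false; // default lifecycle binding still deploys
        }
        for (PluginExecution execution : executions) {
            if (!skipFlag(execution.getConfiguration())) {
                return false;
            }
        }
        return true;
    }

    /** Reads <skip> as a boolean; "release"/"snapshots" are not handled and read as false. */
    private static boolean skipFlag(Object configuration) {
        if (!(configuration instanceof Xpp3Dom)) {
            return false;
        }
        Xpp3Dom skip = ((Xpp3Dom) configuration).getChild("skip");
        return skip != null && Boolean.parseBoolean(skip.getValue());
    }
}
```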

@hboutemy hboutemy merged commit e774f12 into CycloneDX:master Oct 27, 2023
@hboutemy
Contributor

great job, thank you

@ppkarwasz ppkarwasz deleted the non-deployed branch October 27, 2023 20:13
@mszalbach

Is there a possibility to disable this feature? I have a multi-module project where it is not important to deploy the child (and this is disabled because of some other issues in the build structure), but I need the SBOM, which will then be packaged in a zip file which will be deployed.

@lcappuccio

Agree with @mszalbach, it should be up to the user to decide if this feature is to be used or not.

Successfully merging this pull request may close these issues.

Parent BOM contains not deployed/installed modules