
cyclonedx-maven-plugin 2.7.11 generates SBOM 1.4 when configuring 1.5 schemaVersion #469

Closed
ilopezv opened this issue Feb 28, 2024 · 1 comment · Fixed by #479


ilopezv commented Feb 28, 2024

cyclonedx-maven-plugin 2.7.11 generates SBOM 1.4 when 1.5 schemaVersion is configured.

The following config was applied in pom.xml:

      <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>2.7.11</version>
        <configuration>
          <schemaVersion>1.5</schemaVersion>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>makeAggregateBom</goal>
            </goals>
            <phase>package</phase>
          </execution>
        </executions>
      </plugin>

producing the following output:

[INFO] --- cyclonedx-maven-plugin:2.7.11:makeAggregateBom (default) @ email ---
[INFO] CycloneDX: Resolving Dependencies
[INFO] CycloneDX: Creating BOM version 1.5 with 219 component(s)
[INFO] CycloneDX: Writing and validating BOM (XML): C:\workspace\email\target\bom.xml
[INFO]            attaching as email-1.3.6-SNAPSHOT-cyclonedx.xml
[INFO] CycloneDX: Writing and validating BOM (JSON): C:\workspace\email\target\bom.json
[WARNING] Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
[INFO]            attaching as email-1.3.6-SNAPSHOT-cyclonedx.json

But the generated bom.json/bom.xml still show the CycloneDX 1.4 schema:

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "serialNumber" : "urn:uuid:0de9d361-4247-3818-b72e-7139f0a91dee",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-02-28T08:46:51Z",

<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:0de9d361-4247-3818-b72e-7139f0a91dee" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
hboutemy (Contributor) commented

2.7.11 does not support CDX 1.5 yet; 2.8 will. So there is no surprise about the content of the generated files,
but I'd expect the goal to reject configuring 1.5 instead of saying

[INFO] CycloneDX: Creating BOM version 1.5 with 219 component(s)
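The log line above cannot be trusted to tell you which schema was actually written, so a build pipeline that requires a given CycloneDX version should verify the artifacts themselves. The following check is an added example (not code from the plugin or from either participant); it parses the `specVersion` of bom.json and the schema namespace of bom.xml and compares both against the version that was configured. The sample documents are constructed to mirror the report (1.5 configured, 1.4 emitted).

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples mirroring the report: schemaVersion 1.5 was configured,
# but both files declare the 1.4 schema.
BOM_JSON = '''{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "serialNumber" : "urn:uuid:0de9d361-4247-3818-b72e-7139f0a91dee",
  "version" : 1
}'''

BOM_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:0de9d361-4247-3818-b72e-7139f0a91dee" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4"/>'''

# CycloneDX XML namespaces end in the schema version, e.g. .../bom/1.4
NS_PREFIX = "http://cyclonedx.org/schema/bom/"

def json_spec_version(text):
    """Return the specVersion declared by a CycloneDX JSON BOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON BOM")
    return str(doc["specVersion"])

def xml_spec_version(text):
    """Return the schema version encoded in the root element's namespace."""
    root = ET.fromstring(text)
    # ElementTree renders the tag as "{namespace}bom"
    if not root.tag.startswith("{" + NS_PREFIX) or not root.tag.endswith("}bom"):
        raise ValueError("not a CycloneDX XML BOM")
    namespace = root.tag[1:root.tag.index("}")]
    return namespace[len(NS_PREFIX):]

def check_bom(expected, json_text, xml_text):
    """Return mismatch messages; an empty list means both files match `expected`."""
    problems = []
    j = json_spec_version(json_text)
    if j != expected:
        problems.append(f"bom.json declares specVersion {j}, expected {expected}")
    x = xml_spec_version(xml_text)
    if x != expected:
        problems.append(f"bom.xml uses schema namespace version {x}, expected {expected}")
    return problems

if __name__ == "__main__":
    import sys
    found = check_bom("1.5", BOM_JSON, BOM_XML)
    for p in found:
        print("ERROR:", p)
    sys.exit(1 if found else 0)  # non-zero exit fails the build on a silent downgrade
```

Pointing `check_bom` at the real target/bom.json and target/bom.xml after the package phase turns the silent downgrade described in this issue into a failing build step.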
