
Documentation for makeBom and makeAggregateBom #13

Closed
msymons opened this issue Mar 25, 2019 · 6 comments

Comments

msymons (Contributor) commented Mar 25, 2019

I ran into a problem using the goal makeAggregateBom and think that I have now solved it, giving the details below. If I got things right then perhaps this might help improve documentation. If I got things wrong, then I need to know that too!

I used the makeAggregateBom goal as detailed in the documentation and the result was that the goal was executed for every single module in the project. I did notice this, and realized that all my multiple generated BOM files were essentially the same thing (albeit with component ordering seeming to be different every time). This did not cause too big a problem in small projects (and I had no problem grabbing the "parent BOM" in Dependency-Track Plugin config).

However, the configuration fell over when applied to large projects because things took too long to run (the following console output shows absolute timestamps):

12:44:36 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProject ---
12:45:46 [INFO] CycloneDX: Creating BOM

12:45:56 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule1 ---
12:47:08 [INFO] CycloneDX: Creating BOM

12:47:15 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule2 ---
12:48:23 [INFO] CycloneDX: Creating BOM

12:48:26 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule3 ---
12:49:35 [INFO] CycloneDX: Creating BOM

12:49:43 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule4 ---
12:50:53 [INFO] CycloneDX: Creating BOM

12:50:56 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule5 ---
12:51:57 [INFO] CycloneDX: Creating BOM

12:52:00 [INFO] --- cyclonedx-maven-plugin:1.3.1:makeAggregateBom (cyclonedx-aggregate) @ MyProjectModule6 ---
12:52:51 [INFO] CycloneDX: Creating BOM

For a project with 46 modules this was increasing the total job run time by an hour!

My solution was to use the <inherited> tag thus:

<pluginManagement>
    <plugins>
        <plugin>
            <groupId>org.cyclonedx</groupId>
            <artifactId>cyclonedx-maven-plugin</artifactId>
            <version>1.3.1</version>
            <executions>
                <execution>
                    <id>cyclonedx-aggregate</id>
                    <phase>verify</phase>
                    <goals>
                        <goal>makeAggregateBom</goal>
                    </goals>
                </execution>
            </executions>
            <configuration>
                <includeCompileScope>true</includeCompileScope>
                <includeProvidedScope>true</includeProvidedScope>
                <includeRuntimeScope>true</includeRuntimeScope>
                <includeSystemScope>true</includeSystemScope>
                <includeTestScope>false</includeTestScope>
            </configuration>
        </plugin>
    </plugins>
</pluginManagement>

<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <inherited>false</inherited>
    </plugin>
</plugins>

Now, this configuration worked for the project to which it was added... the goal ran once and once only and the resulting BOM was correct.

Additionally, this project parents many other projects. Thus, to those projects, all I had to do was use:

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <inherited>false</inherited>
</plugin>

i.e., "reset" things so that CycloneDX runs makeAggregateBom with inheritance turned off "at the right level" (does that make sense?).

One extra thing that I think would be useful to have in documentation is an explanation of makeBom and makeAggregateBom with a use case or two. Just to get people thinking of possibilities...
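The per-module BOMs described above differed only in component ordering, so a set-based comparison is the quickest way to confirm they really are the same and, once the goal runs only once, that the single aggregate BOM still covers every component a per-module BOM would have listed. The following is an added example, not code from this issue or from cyclonedx-maven-plugin; it assumes the plugin's JSON output shape (a top-level `components` list whose entries carry a `purl`), and the sample BOMs it compares are constructed for the demonstration.

```python
"""Compare CycloneDX JSON BOMs by component identity, ignoring ordering.

Added example (not code from the issue or from cyclonedx-maven-plugin).
It assumes the plugin's JSON output shape: a top-level "components" list
whose entries carry a "purl" (or group/name/version). The BOMs below are
constructed for the demonstration.
"""
import json
from typing import Dict, Iterable, List, Set


def _bom(components: List[dict]) -> str:
    """Serialise a minimal CycloneDX JSON document with the given components."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "version": 1, "components": components})


def _lib(group: str, name: str, version: str) -> dict:
    """A Maven library component with its package URL."""
    return {"type": "library", "group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}"}


LANG3 = _lib("org.apache.commons", "commons-lang3", "3.12.0")
DATABIND = _lib("com.fasterxml.jackson.core", "jackson-databind", "2.13.4")
SLF4J = _lib("org.slf4j", "slf4j-api", "1.7.36")
SLF4J_OLD = _lib("org.slf4j", "slf4j-api", "1.7.30")

# Constructed inputs: an aggregate BOM, the same content in another order
# (the situation the issue describes), two per-module BOMs, and a BOM in
# which one dependency version drifted.
BOM_AGGREGATE = _bom([LANG3, DATABIND, SLF4J])
BOM_AGGREGATE_REORDERED = _bom([SLF4J, LANG3, DATABIND])
BOM_MODULE_A = _bom([LANG3, SLF4J])
BOM_MODULE_B = _bom([DATABIND, SLF4J])
BOM_DRIFTED = _bom([LANG3, DATABIND, SLF4J_OLD])


def component_key(component: dict) -> str:
    """Identity of a component: its purl, else group:name:version."""
    purl = component.get("purl")
    if purl:
        return purl
    return ":".join(str(component.get(k, "")) for k in ("group", "name", "version"))


def component_set(bom_text: str) -> Set[str]:
    """All component identities in a BOM document, order discarded."""
    bom = json.loads(bom_text)
    return {component_key(c) for c in bom.get("components", [])}


def diff_boms(a_text: str, b_text: str) -> Dict[str, Set[str]]:
    """Set difference of two BOMs, so reordering alone never shows as a change."""
    a, b = component_set(a_text), component_set(b_text)
    return {"only_in_a": a - b, "only_in_b": b - a, "common": a & b}


def boms_equivalent(a_text: str, b_text: str) -> bool:
    """True when both BOMs name exactly the same components."""
    d = diff_boms(a_text, b_text)
    return not d["only_in_a"] and not d["only_in_b"]


def aggregate_missing(aggregate_text: str, module_texts: Iterable[str]) -> Set[str]:
    """Components present in some per-module BOM but absent from the aggregate."""
    union: Set[str] = set()
    for text in module_texts:
        union |= component_set(text)
    return union - component_set(aggregate_text)


if __name__ == "__main__":
    print("reordered equivalent:", boms_equivalent(BOM_AGGREGATE, BOM_AGGREGATE_REORDERED))
    print("drift:", diff_boms(BOM_AGGREGATE, BOM_DRIFTED))
    print("missing from aggregate:",
          aggregate_missing(BOM_AGGREGATE, [BOM_MODULE_A, BOM_MODULE_B]))
```

To use it on a real build, replace the constructed strings with the contents of the plugin's JSON output files from each module's build directory; a non-empty `aggregate_missing` result after switching to `<inherited>false</inherited>` means the single aggregate BOM has dropped something a per-module run would have reported, and `diff_boms` against a previously archived BOM surfaces version drift that ordering differences would otherwise hide.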

@ben-gineer

I've just hit this. Thanks for the pointer.

@julien-carsique-sonarsource

Here are my findings, trying to reduce the build time, keep makeAggregateBom (with its few additional info vs makeBom), and not fail into a submodule:

  • makeAggregateBom + inherited=true + outputReactorProjects=true -> 07:16 min
    • maybe the plugin could do some optimization and reuse its previous work?
  • makeAggregateBom + inherited=true + outputReactorProjects=false -> 07:07 min
    • no duplicate module build, but each module duplicates the whole list of components (vs previous output)
  • makeAggregateBom + inherited=false -> 01:07 min
    • I got a build issue in some submodules because of a call to clean, due to tycho-p2-repository-plugin, making install fail; worked around by configuring maven-clean-plugin to ignore the BOM files
    • the results look good, with BOM files per modules
  • makeAggregateBom + inherited=false + outputReactorProjects=false -> 01:09 min
    • never fail on submodules but outputs only one root BOM that aggregates everything

What is the recommended usage?
Is there a reason to use makeAggregateBom + inherited=true? If so, aren't there some possible improvements to avoid duplicated analyses and not increase the build time too much? The results look the same between inherited being true and false.

mbuchner commented Jul 29, 2022

Actually I have the same question as @julien-carsique-sonarsource.
I also have a multi-module build with 20+ modules and the build now takes ages... (6 min vs 20 min)
What are the best settings for multi-module builds?
I also couldn't find a detailed explanation for "outputReactorProjects" -> what exactly does it do?
Thanks, Max

@mbuchner

And another question - what is the exact difference between makeBom and makeAggregateBom - could you provide some details in the Readme please ...

Bragolgirith commented Aug 25, 2022

An entry in the README explaining exactly what makeAggregateBom and outputReactorProjects do and a sample best-practices configuration for a multi-module project would be great!

faisal6621 commented Oct 12, 2022

And another question - what is the exact difference between makeBom and makeAggregateBom - could you provide some details in the Readme please ...

@mbuchner going by the naming convention used in the JaCoCo Maven plugin, I could understand that makeBom would be for a single-module Maven project while makeAggregateBom should be for a multi-module Maven project. This is my thought only and the author's intention may differ.

Also, going by the documentation here: https://cyclonedx.github.io/cyclonedx-maven-plugin/makeBom-mojo.html and https://cyclonedx.github.io/cyclonedx-maven-plugin/makeAggregateBom-mojo.html, the only addition in makeAggregateBom is:

  • Requires a Maven project to be executed.
  • Executes as an aggregator plugin. <--- this one
  • Requires dependency resolution of artifacts in scope: test.
  • The goal is not marked as thread-safe and thus does not support parallel builds.
  • Binds by default to the lifecycle phase: package.
  • Requires that Maven runs in online mode.
