Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

externalReference: Cannot convert 'static-analysis-report' to Enum #463

Closed
msymons opened this issue Jan 29, 2024 · 2 comments · Fixed by #480
Closed

externalReference: Cannot convert 'static-analysis-report' to Enum #463

msymons opened this issue Jan 29, 2024 · 2 comments · Fixed by #480
Assignees

Comments

@msymons
Copy link
Contributor

msymons commented Jan 29, 2024

plugin v2.7.11 added support for custom External References via #428.

Following the documentation I initially added the following to configuration section of pluginManagement entry for plugin:

                        <externalReferences>
                            <externalReference>
                                <type>static-analysis-report</type>
                                <url>https://foo.bar.com</url>
                                <comment>SonarQube</comment>
                            </externalReference>
                        </externalReferences>

...and got the following error:

[2024-01-29T17:15:05.211Z] [ERROR] Failed to execute goal org.cyclonedx:cyclonedx-maven-plugin:2.7.11:makeAggregateBom (default-cli) on project xxx-yyy: Unable to parse configuration of mojo org.cyclonedx:cyclonedx-maven-plugin:2.7.11:makeAggregateBom for parameter externalReference: Cannot convert 'static-analysis-report' to Enum: No enum constant org.cyclonedx.model.ExternalReference.Type.static-analysis-report -> [Help 1]

I then noticed line at bottom of documentation:

Notice that the type value in the plugin configuration refers to a CycloneDX Core (Java) library constant name corresponding to CycloneDX type

...so I tried STATIC_ANALYSIS_REPORT for type, but got the same error.

Aside: I do think that the value of type should match what is in the CycloneDX documentation (eg the guide) as that makes it easier to expect common behaviour across plugins from different ecosystems (gradle, etc). This could be important when a Jenkins server is providing type as a variable at build time.

@hboutemy
Copy link
Contributor

hboutemy commented Jan 30, 2024

2.7.11 only supports CycloneDX 1.4
you'll have to wait for 2.8.0 to use this 1.5 value
(yes, the documentation for 2.8.0-SNAPSHOT is published before the release is done...)

@msymons
Copy link
Contributor Author

msymons commented Feb 1, 2024

@hboutemy, thank you for the clarification. I performed a bunch more testing and got the new functionality working, such that I now have Dependency-Track (which consumes all my SBOMS) succesfully displaying additional external references that were configured in the plugin v2.7.11

I think it would help if the documentation specifically mentioned the version limitation and that new external references are introduced with new versions of the specification... I can think of at least two new ones that will be added in CycloneDX v1.6.

Now that I have succesfully tested the functionality, I confirmed that Enum Constants are required and actual type (per the specification) gives an error and breaks the build. ie, CHAT works and chat fails. I know that this would require extra code but I really do think that it is important to allow configuration to specify the actual type. This will help ensure consistency in build environments that have scripted pipelines with Java jobs alongside npm, etc. Should I log this as a separate enhancement issue so that this issue (463) can be resolved with a simple documentation tweak?

As an aside, testing the new external references functionality inspired me to log CycloneDX/guides/issues/14

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants