The CycloneDX Maven plugin aggregates all direct and transitive dependencies of a project and produces a valid CycloneDX bill-of-material document from the result. CycloneDX is a lightweight BOM specification that is easy to create, human readable, and simple to parse.
<!-- uses default configuration -->
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>1.5.1</version>
    </plugin>
</plugins>
<!-- binds makeAggregateBom to the verify phase with explicit configuration -->
<plugins>
    <plugin>
        <groupId>org.cyclonedx</groupId>
        <artifactId>cyclonedx-maven-plugin</artifactId>
        <version>1.5.1</version>
        <executions>
            <execution>
                <phase>verify</phase>
                <goals>
                    <goal>makeAggregateBom</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
            <schemaVersion>1.1</schemaVersion>
            <includeBomSerialNumber>true</includeBomSerialNumber>
            <includeCompileScope>true</includeCompileScope>
            <includeProvidedScope>true</includeProvidedScope>
            <includeRuntimeScope>true</includeRuntimeScope>
            <includeSystemScope>true</includeSystemScope>
            <includeTestScope>false</includeTestScope>
            <includeDependencyGraph>true</includeDependencyGraph>
            <includeLicenses>true</includeLicenses>
        </configuration>
    </plugin>
</plugins>
As of v1.4.0, the plugin generates CycloneDX BOM format v1.1 by default, with the serial number included.
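A BOM is only useful downstream if it is consumed; the following added example (not part of the plugin or this README) parses a CycloneDX 1.1 XML document of the shape the configuration above produces and runs the checks a build gate would want: a well-formed serial number, the license list per component, and dependency-graph references that resolve to declared components. The sample BOM is constructed, and the dependency-graph extension namespace is an assumption to verify against your own generated bom.xml.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces for CycloneDX 1.1 and the dependency-graph extension that carried
# the graph before it became core in 1.2 (assumed; check the generated bom.xml).
NS = {"bom": "http://cyclonedx.org/schema/bom/1.1",
      "dg": "http://cyclonedx.org/schema/ext/dependency-graph/1.0"}
# includeBomSerialNumber=true yields urn:uuid:<UUID>; anything else is rejected.
SERIAL_RE = re.compile(r"urn:uuid:[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\Z")

# Constructed sample, reduced to the elements the checks below read.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.1"
  xmlns:dg="http://cyclonedx.org/schema/ext/dependency-graph/1.0"
  serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <group>com.example</group><name>app-core</name><version>2.3.0</version>
      <licenses><license><id>Apache-2.0</id></license></licenses>
      <purl>pkg:maven/com.example/app-core@2.3.0</purl>
    </component>
    <component type="library">
      <group>com.example</group><name>util</name><version>0.9.1</version>
      <purl>pkg:maven/com.example/util@0.9.1</purl>
    </component>
  </components>
  <dg:dependencies>
    <dg:dependency ref="pkg:maven/com.example/app-core@2.3.0">
      <dg:dependency ref="pkg:maven/com.example/util@0.9.1"/>
      <dg:dependency ref="pkg:maven/com.example/missing@1.0"/>
    </dg:dependency>
  </dg:dependencies>
</bom>"""

def summarize_bom(xml_text):
    root = ET.fromstring(xml_text)
    # purl -> list of SPDX license ids (empty when includeLicenses found none)
    components = {
        c.findtext("bom:purl", default="", namespaces=NS):
        [lic.text for lic in c.iterfind("bom:licenses/bom:license/bom:id", NS)]
        for c in root.iterfind("bom:components/bom:component", NS)}
    # Flatten nested dependency-graph entries into (parent, child) edges.
    edges = [(p.get("ref"), ch.get("ref"))
             for p in root.iter("{%s}dependency" % NS["dg"])
             for ch in p.findall("dg:dependency", NS)]
    # A ref that names no declared component is a consistency defect in the BOM.
    dangling = sorted({r for e in edges for r in e if r not in components})
    return {"serial_ok": bool(SERIAL_RE.match(root.get("serialNumber", ""))),
            "components": components, "edges": edges, "dangling_refs": dangling,
            "unlicensed": sorted(p for p, lic in components.items() if not lic)}
```

For BOMs produced by third parties rather than your own build, parse with a hardened XML parser (for example defusedxml) since xml.etree does not block entity expansion attacks.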
The CycloneDX Maven plugin contains the following two goals:
- makeBom
- makeAggregateBom
Both makeBom and makeAggregateBom can be skipped by setting the cyclonedx.skip property to true (for example, -Dcyclonedx.skip=true on the command line).
CycloneDX Maven Plugin is Copyright (c) Steve Springett. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.