
Dont skip POM modules #79

Open
delanym opened this issue Sep 14, 2022 · 2 comments

Comments

@delanym

delanym commented Sep 14, 2022

I added the enforcer rule to my bom project, since that's where all the dependencies are set, but the rule is skipped. Can it rather not skip, or have an option to skip?

[DEBUG] Executing rule: org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies
[DEBUG] Skipping BanVulnerableDependencies; POM module
@jdillon
Collaborator

jdillon commented Sep 19, 2022

Maven does not really do any resolution of dependencies for POM modules, which is why the invocation is skipped here.
You are much better off using non-pom modules (i.e. packaging=jar, etc.) to inspect the dependencies that are actually resolved and included as part of the dependency tree for that module.

@delanym
Author

delanym commented Sep 19, 2022

I don't agree. If the dependencies are not resolved, they are nevertheless available for inspection. I don't want my bom project published to Nexus with known vulnerabilities. Blocking them at source is much more helpful. I only have to build the bom to see what vulnerabilities are affecting my platform. Otherwise I have to rebuild each project individually. It makes reporting more difficult.

The workaround I'm using is to create a child module of the bom which depends on everything in the bom. (A kind of library bom that I use to source the dependencies for my distribution project). But then this is also a pom, so I have to create another (empty) jar project with this rule in it, and then configure the project to use the hacky installAtEnd/deployAtEnd to prevent the parent bom from publishing if vulnerabilities are found in its modules. It would be far simpler to fail on the bom itself.

Without this workaround I'd be forced to rebuild all my projects continually to check for vulnerabilities. Most of my projects don't change so there's no other reason to build them. But I'm continually rebuilding distributions - a pom project.
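The layout of the workaround described in the comment above, written out as an added example (this is not configuration from the issue or from the ossindex-maven project itself). It shows the empty jar module that carries the `BanVulnerableDependencies` rule named in the debug log, importing the parent BOM so that every managed version is pulled into a resolvable dependency tree, plus the deploy-at-end setting that keeps the parent from being published when the check fails. The plugin and rule-artifact versions, the group id `com.example` and the module names are assumptions for illustration.

```xml
<!-- Added example: pom.xml of an empty "jar" module inside the BOM reactor.
     Because packaging is jar (not pom), the enforcer rule is not skipped. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed parent: the BOM whose managed versions we want to check. -->
  <parent>
    <groupId>com.example</groupId>
    <artifactId>platform-bom</artifactId>
    <version>1.0.0-SNAPSHOT</version>
  </parent>

  <artifactId>platform-bom-vulncheck</artifactId>
  <packaging>jar</packaging>

  <dependencies>
    <!-- Assumed: a sibling "library bom" module that lists every artifact
         managed by the parent as a real dependency, so they all resolve here. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>platform-libraries</artifactId>
      <version>${project.version}</version>
      <type>pom</type>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.1.0</version> <!-- assumed version -->
        <dependencies>
          <dependency>
            <groupId>org.sonatype.ossindex.maven</groupId>
            <artifactId>ossindex-maven-enforcer-rules</artifactId>
            <version>3.1.0</version> <!-- assumed version -->
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <id>vulnerability-checks</id>
            <phase>validate</phase>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- The rule class from the [DEBUG] output in the issue. -->
                <banVulnerableDependencies
                    implementation="org.sonatype.ossindex.maven.enforcer.BanVulnerableDependencies">
                  <scope>compile,runtime</scope>
                </banVulnerableDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>

      <!-- deployAtEnd: the whole reactor (including the parent BOM) is only
           deployed after every module has built, so a failed enforcer run in
           this module stops the BOM from being published with a bad version. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-deploy-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed version -->
        <configuration>
          <deployAtEnd>true</deployAtEnd>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn validate` in this module resolves the full tree of the platform's managed versions and fails the build if OSS Index reports a known vulnerability for any of them; `mvn deploy` from the BOM root then publishes nothing unless that check passes. The module needs to be listed last in the parent's `<modules>` for deploy-at-end to cover the parent itself.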
