Posted to dev@commons.apache.org by Gary Gregory <ga...@gmail.com> on 2022/09/22 20:30:21 UTC

CycloneDX for multimodule projects WAS: [VOTE][LAZY] Release Apache Commons Parent 54 based on RC1

I made the changes in 55-SNAPSHOT to the Maven plugin configuration from
'makeAggregateBom' to 'makeBom'.

Gary


---------- Forwarded message ---------
From: Gary Gregory <ga...@gmail.com>
Date: Wed, Sep 21, 2022, 14:45
Subject: Re: [VOTE][LAZY] Release Apache Commons Parent 54 based on RC1
To: Commons Developers List <de...@commons.apache.org>


Thank you Alex,

My plan is to proceed with 54 as is and continue toward getting single
and multiple module projects to work nicely from commons-parent for
55.

Gary

On Tue, Sep 20, 2022 at 5:00 PM Alex Herbert <al...@gmail.com> wrote:
>
> Hi,
>
> I have put together a simple project with a parent and two modules, each
> with their own dependencies. This has the same result in that the installed
> bom for each module includes the dependencies of the entire project reactor.
>
> When I change the goal from 'makeAggregateBom' to 'makeBom' then I see the
> behaviour I expect. Each module has a bom that only includes the direct
> dependencies of the project module. This holds for the installed bom that
> is attached during install.
>
> I think the goal we require when building separate installed jar files in a
> multi module project is 'makeBom' and not 'makeAggregateBom'. The lack of
> documentation on the Cyclone DX website does not help distinguish the two.
> The fact that the default execution is 'makeAggregateBom' also does not
> help.
>
> If I directly add the Cyclone DX plugin config from CP 54 to Commons
> Statistics (but not via CP 54) but change the default execution from
> makeAggregateBom to makeBom, then the plugin works as I would expect.
>
> I have not tested this with a single module commons project.
>
> Alex
>
>
> On Tue, 20 Sept 2022 at 14:22, Gilles Sadowski <gi...@gmail.com> wrote:
>
> > Hello.
> >
> > > [...] The installed bom has dependency
> > > information collated from other modules which are not actually
> > > dependencies. So the aggregation is bringing in dependencies incorrectly.
> > > This makes the BOM incorrect.
> > > [...]
> >
> > If that's the case, I suggest that this feature is disabled by default
> > in CP.  RM should be aware that the release could contain wrong
> > information (which IMHO is worse than no information).
> >
> > Gilles
> >
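The configuration change discussed above, written out as an added example (this is not commons-parent's own pom nor anything posted in the thread): a cyclonedx-maven-plugin execution bound to the 'makeBom' goal so that each module's attached BOM lists only that module's own dependencies, instead of the 'makeAggregateBom' default that Alex observed folding the whole reactor into every module's BOM. The plugin version is a placeholder and the execution id is an arbitrary choice; the goal names are the ones from the thread.

```xml
<!-- Added example: per-module CycloneDX BOM generation for a multi-module
     build. PLUGIN_VERSION_PLACEHOLDER must be replaced with a real release. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.cyclonedx</groupId>
      <artifactId>cyclonedx-maven-plugin</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <executions>
        <execution>
          <!-- arbitrary execution id chosen for this example -->
          <id>make-module-bom</id>
          <phase>package</phase>
          <goals>
            <!-- 'makeBom' describes only this module's dependencies.
                 'makeAggregateBom' (the plugin's default execution, as
                 noted in the thread) would instead attach a BOM containing
                 every module's dependencies to each installed artifact. -->
            <goal>makeBom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in the parent, running the build and opening the BOM generated under each module's target/ directory is the quick check: a module that declares no runtime dependencies should get a BOM with no third-party components, rather than the union of the reactor. That matters for consumers, since an aggregate BOM attached to a small module overstates that artifact's supply chain, which is the "wrong information" Gilles warns about.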