Built by Maven

Rules

By default, the SBOM Enforcer Maven Plugin offers the following rules.

<checksum>

Description:

The checksum rules does not have any configuration option and verifies that the checksums included in the SBOM are correct. Since the Maven local repository is used both as cache for consumed artifacts and staging area for published artifacts, it might happen that its content differs from the originals on Maven Central.

Tip:

This rule is mostly useful in a release profile, together with the usePrivateLocalRepo plugin parameter.

Example:

See Verify dependency checksums for a usage example.

<validateReferences>

Description:

The validateReferences rule checks the URLs contained in your SBOM file to look for broken links.

Example:

See Verify links to external references for a usage example.

Optional Parameters

Name Type Since Description
<checkDependencies> boolean 0.2.0 If true, the rule will also check the external references from dependency components.
Default: true
<failOnDependencies> boolean 0.2.0 If true, the build will also fail if a broken link is encountered in a dependency component.
Otherwise, the problem is only logged.
Default: false
<failOnRedirect> boolean - If true, the rule will fail if any reference returns a 301 or 302 code.
Default: false
<failOnAuth> boolean - If true, the rule will fail if any reference returns a 401 or 403 code.
Default: false
<maxFailuresPerHost> int 0.2.0 Maximum number of IO errors for each HTTP domain.
Default: 3
<timeoutMs> int 0.2.0 Maximum number of milliseconds to wait for each URL.
Default: 5000
<includes> List<String> 0.2.0 Set of external reference types to include in the check.
If empty, all types will be checked.
Default: empty
<excludes> List<String> 0.2.0 Set of external reference types to exclude from the check.
Default: [distribution-intake]

Parameter details

<checkDependencies>

If true, the rule will also check the external references from dependency components.

  • Type: boolean
  • Required: No
  • Default: true

<failOnDependencies>

If true, the build will also fail if a broken link is encountered in a dependency component. Otherwise, the problem is only logged.

  • Type: boolean
  • Required: No
  • Default: false

<failOnRedirect>

If true, the rule will fail if any reference returns a 301 or 302 code.

  • Type: boolean
  • Required: No
  • Default: false

<failOnAuth>

If true, the rule will fail if any reference returns a 401 or 403 code.

  • Type: boolean
  • Required: No
  • Default: false

<maxFailuresPerHost>

Maximum number of IO errors for each HTTP domain. After the limit has been reached, the rule will ignore links to that HTTP domain.

  • Type: int
  • Required: No
  • Default: 3

<timeoutMs>

Maximum number of milliseconds to wait for each URL.

  • Type: int
  • Required: No
  • Default: 5000

<includes>

Set of external reference types to include in the check. If empty, all types will be checked.

  • Type: List<String>
  • Required: No
  • Default: empty

<excludes>

Set of external reference types to exclude from the check. The default is equivalent to:

<excludes>
  <exclude>distribution-intake</exclude>
</excludes>

The distribution-intake external reference is usually protected by authentication and is not useful for the consumers of an artifact.

  • Type: List<String>
  • Required: No
  • Default: [distribution-intake]