Usage
Installation
This plugin by default analyzes the SBOM artifact attached to the build. To use it, add both the CycloneDX Maven Plugin and the SBOM Enforcer Maven Plugin to your build:
<plugins>
  <!-- Create SBOM using the CycloneDX Maven Plugin -->
  <plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.8.1</version>
    <executions>
      <execution>
        <id>make-sbom</id>
        <goals>
          <goal>makeBom</goal>
        </goals>
      </execution>
    </executions>
  </plugin>
  <!-- Enforce quality of SBOM -->
  <plugin>
    <groupId>io.github.sbom-enforcer</groupId>
    <artifactId>sbom-enforcer-maven-plugin</artifactId>
    <version>{project-version}</version>
    <executions>
      <execution>
        <id>check-sbom</id>
        <goals>
          <goal>check</goal>
        </goals>
        <configuration>
          <!-- Plugin configuration goes here -->
        </configuration>
      </execution>
    </executions>
  </plugin>
</plugins>
Verify dependency checksums
Since the Maven local repository in ~/.m2/repository is used both as a cache for dependencies downloaded from remote repositories and as a staging area for published artifacts, the dependencies it contains may differ from the originals in Maven Central.
To make sure the checksums in your SBOM are correct, use this configuration:
<configuration>
  <!-- Force dependency update to prevent a corrupted Maven cache -->
  <forceDependencyUpdate>true</forceDependencyUpdate>
  <rules>
    <!-- Verify that checksums in the SBOM correspond to the downloaded dependencies -->
    <checksum/>
  </rules>
</configuration>
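To show what the checksum rule guards against, here is an added stand-alone illustration (not the plugin's own code): it reads the component hashes from a constructed CycloneDX JSON SBOM, recomputes digests over constructed artifact bytes that stand in for the freshly downloaded dependencies, and reports every component whose recorded hash no longer matches. The SBOM content, purls and artifact bytes are all made up for this example.

```python
"""Compare CycloneDX component hashes with re-downloaded artifact bytes.

Hypothetical illustration of the plugin's <checksum/> rule; not its code.
"""
import hashlib
import json

# Constructed sample SBOM (CycloneDX JSON, trimmed to the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"purl": "pkg:maven/org.example/lib-a@1.0.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"lib-a-1.0.0 bytes").hexdigest()}]},
        {"purl": "pkg:maven/org.example/lib-b@2.0.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"lib-b-2.0.0 bytes").hexdigest()}]},
    ],
})

# Constructed "freshly downloaded" artifact bytes keyed by purl. lib-b differs
# from what the SBOM recorded, simulating a stale or locally modified ~/.m2 copy.
DOWNLOADED = {
    "pkg:maven/org.example/lib-a@1.0.0": b"lib-a-1.0.0 bytes",
    "pkg:maven/org.example/lib-b@2.0.0": b"lib-b-2.0.0 bytes (modified)",
}

# CycloneDX hash algorithm names mapped to hashlib constructors.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1,
              "SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}


def verify_checksums(sbom_json, artifacts):
    """Return a list of (purl, alg, expected, actual) for every mismatch."""
    mismatches = []
    for component in json.loads(sbom_json).get("components", []):
        purl = component.get("purl")
        data = artifacts.get(purl)
        if data is None:
            mismatches.append((purl, None, None, "artifact missing"))
            continue
        for entry in component.get("hashes", []):
            digest_fn = ALGORITHMS.get(entry["alg"])
            if digest_fn is None:
                continue  # algorithm not covered here; not counted as a mismatch
            actual = digest_fn(data).hexdigest()
            if actual.lower() != entry["content"].lower():
                mismatches.append((purl, entry["alg"], entry["content"], actual))
    return mismatches


if __name__ == "__main__":
    for purl, alg, expected, actual in verify_checksums(SAMPLE_SBOM, DOWNLOADED):
        print(f"MISMATCH {purl} {alg}: sbom={expected} actual={actual}")
```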
Verify links to external references
To ensure that all the links included in the SBOM point to existing resources, use:
<configuration>
  <rules>
    <!-- Verify links of external references -->
    <validateReferences>
      <!-- Don't fail on authentication or authorization errors -->
      <failOnAuth>false</failOnAuth>
      <!-- Warn instead of failing if external references of dependencies are broken -->
      <failOnDependencyReferences>false</failOnDependencyReferences>
      <!-- Fail on 30x redirects -->
      <failOnRedirect>true</failOnRedirect>
    </validateReferences>
  </rules>
</configuration>