Usage

Installation

This plugin by default analyzes the SBOM artifact attached to the build. To use it, add both the CycloneDX Maven Plugin and the SBOM Enforcer Maven Plugin to your build:

<plugins>
  <!-- Create SBOM using the CycloneDX Maven Plugin -->
  <plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.9.1</version>
    <executions>
      <!-- Each execution must be wrapped in an <execution> element -->
      <execution>
        <id>make-sbom</id>
        <goals>
          <goal>makeBom</goal>
        </goals>
      </execution>
    </executions>
  </plugin>

  <!-- Enforce quality of SBOM -->
  <plugin>
    <groupId>io.github.sbom-enforcer</groupId>
    <artifactId>sbom-enforcer-maven-plugin</artifactId>
    <version>{project-version}</version>
    <executions>
      <execution>
        <id>check-sbom</id>
        <goals>
          <goal>check</goal>
        </goals>
        <configuration>
          <!--(1)-->
          <!-- Plugin configuration goes here -->
        </configuration>
      </execution>
    </executions>
  </plugin>
</plugins>
(1) For the plugin configuration see the examples below.

Verify dependency checksums

Since the Maven local repository in ~/.m2/repository is used both as a cache for dependencies downloaded from remote repositories and as a staging area for published artifacts, the dependencies it contains may differ from the originals in Maven Central. To make sure your SBOM checksums are correct, use this configuration:

<configuration>
  <!-- Use a private local repository to prevent the usage of locally installed artifacts -->
  <usePrivateLocalRepo>true</usePrivateLocalRepo>
  <rules>
    <!-- Verify that checksums in the SBOM correspond to the downloaded dependencies -->
    <checksum/>
  </rules>
</configuration>

For the configuration details see <checksum>.
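To illustrate what the checksum rule guards against, here is an added Python example (not the plugin's own code) that compares the hashes recorded in a CycloneDX JSON SBOM with the bytes of freshly downloaded artifacts; the SBOM content, the purls and the artifact bytes are all constructed stand-ins.

```python
import hashlib
import json

# Constructed CycloneDX-style SBOM: the hash for lib-b was computed from a locally
# installed build of the artifact, not from the version published on Maven Central.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "purl": "pkg:maven/org.example/lib-a@1.0.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"lib-a-1.0.0 published jar").hexdigest()}]},
        {"type": "library", "purl": "pkg:maven/org.example/lib-b@2.3.1",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"lib-b-2.3.1 locally installed jar").hexdigest()}]},
    ],
})

# Constructed stand-in for the bytes a clean download from the remote repository returns.
REMOTE_ARTIFACTS = {
    "pkg:maven/org.example/lib-a@1.0.0": b"lib-a-1.0.0 published jar",
    "pkg:maven/org.example/lib-b@2.3.1": b"lib-b-2.3.1 published jar",
}

# CycloneDX hash algorithm names mapped to hashlib names.
HASHLIB_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def verify_checksums(sbom_json, remote_artifacts):
    """Return (purl, algorithm, problem) tuples for every SBOM hash that fails verification."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        purl = component.get("purl")
        data = remote_artifacts.get(purl)
        if data is None:
            findings.append((purl, None, "artifact could not be downloaded"))
            continue
        for entry in component.get("hashes", []):
            name = HASHLIB_NAMES.get(entry["alg"])
            if name is None:
                findings.append((purl, entry["alg"], "unsupported hash algorithm"))
                continue
            if hashlib.new(name, data).hexdigest().lower() != entry["content"].lower():
                findings.append((purl, entry["alg"], "checksum mismatch"))
    return findings


if __name__ == "__main__":
    for purl, alg, problem in verify_checksums(SBOM_JSON, REMOTE_ARTIFACTS):
        print(f"{purl}: {alg or '-'}: {problem}")
```

A mismatch here means the SBOM was generated from an artifact that differs from the one consumers will download, which is exactly the situation usePrivateLocalRepo is meant to prevent.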

Verify links to external references

To ensure that all the links included in the SBOM point to existing resources, use:

<configuration>
  <rules>
    <!-- Verify links of external references -->
    <validateReferences>
      <!-- Check also links in dependency components -->
      <checkDependencies>true</checkDependencies>
      <!-- Warn instead of failing if external references of dependencies are broken -->
      <failOnDependencies>false</failOnDependencies>
      <!-- Don't fail on authentication or authorization errors -->
      <failOnAuth>false</failOnAuth>
      <!-- Don't fail on 30x redirects -->
      <failOnRedirect>false</failOnRedirect>
      <!-- Maximum number of I/O errors per HTTP host -->
      <maxFailuresPerHost>3</maxFailuresPerHost>
      <!-- Timeout for the HTTP requests in ms -->
      <timeoutMs>5000</timeoutMs>

      <!-- Reference types to include. Empty means all -->
      <includes/>
      <!-- Reference types to exclude -->
      <excludes>
        <exclude>distribution-intake</exclude>
      </excludes>
    </validateReferences>
  </rules>
</configuration>

All the configuration attributes are optional. The values above are the default values.

For the configuration details see <validateReferences>.