
Include Parent in Materials List #165

Open
bcoveny opened this issue Mar 2, 2022 · 3 comments
Comments

bcoveny commented Mar 2, 2022

Is there currently a feature to include the parent and plugins in the bill of materials? Certain versions of a parent could be known to be an issue in generating projects, and being able to tell where the parent is used via the BOM would be preferred. If it were in the BOM, I would think it would be optimal to search in Dependency-Track for these tainted parents or plugins.

@stevespringett (Member)

When running makeAggregateBom from the parent, it should be included in the inventory. Test dependencies can be included as well. Plugins currently are not included and I think that would be a great enhancement.

bcoveny commented Mar 2, 2022

Hi @stevespringett,

Thank you for a quick response.

When I use makeAggregateBom it includes the dependencies from the parent (and in our case the parent of the parent); however, it doesn't include the parent itself.

For example:

parent-pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.mycompany</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.0</version>

  <dependencies>
    <dependency>
      <groupId>org.mycompany</groupId>
      <artifactId>artifact-a</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>

project-pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.mycompany</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0</version>
  </parent>

  <artifactId>project</artifactId>
  <version>1.0.0</version>

  <dependencies>
    <dependency>
      <groupId>org.mycompany</groupId>
      <artifactId>artifact-b</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>

Basically what I see is that, when running makeAggregateBom on the project-pom.xml, it creates a bom.json which contains:

  • org.mycompany:artifact-a:1.0.0
  • org.mycompany:artifact-b:1.0.0

I was hoping it would also include:

  • org.mycompany:parent:1.0.0

A workaround that I just tested: if I add the parent in the dependency section as well, then it is included in the bom.json.
However, I would prefer it be added without the additional dependency, since you would then have to update the versions in multiple spots.

Hopefully I am demonstrating my thinking about this correctly.

Also, would you like me to create a separate issue for the enhancement for including plugins?

Thanks
Bruce
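The gap Bruce describes above, as an added check that is not part of this issue or of the CycloneDX Maven plugin: a small Python script that reads the parent coordinates from a project POM and reports whether the generated bom.json lists them as a component. The POM and the bom.json fragment are constructed here to match the issue's example (two dependencies, no parent).

```python
import json
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed input: the issue's project-pom.xml, trimmed to the elements the check needs.
PROJECT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.mycompany</groupId><artifactId>parent</artifactId><version>1.0.0</version></parent>
  <artifactId>project</artifactId><version>1.0.0</version>
</project>"""

# Constructed bom.json shaped like the output the issue describes: both dependencies, no parent.
BOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"type": "library", "group": "org.mycompany", "name": "artifact-a", "version": "1.0.0"},
  {"type": "library", "group": "org.mycompany", "name": "artifact-b", "version": "1.0.0"}]}"""


def parent_coordinate(pom_xml):
    """Return 'groupId:artifactId:version' of the POM's <parent>, or None when it declares no parent."""
    parent = ET.fromstring(pom_xml).find("m:parent", POM_NS)
    if parent is None:
        return None
    return ":".join(parent.findtext("m:" + tag, namespaces=POM_NS)
                    for tag in ("groupId", "artifactId", "version"))


def bom_coordinates(bom_json):
    """Collect group:name:version for every component, walking nested component lists as well."""
    found = set()

    def walk(components):
        for c in components:
            found.add("%s:%s:%s" % (c.get("group", ""), c["name"], c.get("version", "")))
            walk(c.get("components", []))  # CycloneDX allows components to nest

    walk(json.loads(bom_json).get("components", []))
    return found


def missing_parent(pom_xml, bom_json):
    """Return the parent coordinate if the POM declares a parent the BOM does not list, else None."""
    parent = parent_coordinate(pom_xml)
    if parent is None or parent in bom_coordinates(bom_json):
        return None
    return parent


if __name__ == "__main__":
    gap = missing_parent(PROJECT_POM, BOM_JSON)
    print("parent missing from BOM: " + gap if gap else "parent present in BOM")
```

Run against a real bom.json and pom.xml, a non-empty result flags the inventory gap before the BOM is uploaded to Dependency-Track; once the parent is listed (by the plugin, or via the dependency workaround above) the check returns None.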

@stevespringett (Member)

> Also, would you like me to create a separate issue for the enhancement for including plugins?

Yes, that would be ideal. I think implementation of it would likely have to wait until CycloneDX/specification#31 is implemented in the spec, but we can use the Maven plugin case to drive some of the use cases.

bcoveny changed the title from "Include Parent and Plugins as Materials" to "Include Parent in Materials List" on Mar 4, 2022