CycloneDX / cyclonedx-maven-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
https://cyclonedx.org/
Apache License 2.0

Can 'externalReferences' be disabled? #531

Open jonnybecker opened 3 months ago

jonnybecker commented 3 months ago

I'm just wondering if 'externalReferences' can be disabled since they are optional?

My problem is, that I don't want this information in my bom since I don't want some internal company information "leaked".

The second problem which I have is that I don't get how the External Reference type 'website' is calculated. The documentation (https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html) states that it is taken from POM field 'project.url'. Now if the dependency has no 'project.url' itself, but its parent has one, the 'website' is calculated as something like "website = parent 'project.url' + artifactId", which leads to odd urls. I wonder if this is a bug? Could not find any documentation on this behaviour.

hboutemy commented 3 months ago

> I'm just wondering if 'externalReferences' can be disabled since they are optional?

no option has been prepared for that: I fear this could add a lot of complexity, without a use case until now

> I don't want this information in my bom since I don't want some internal company information "leaked".

thinking about it, managing such expectation about redacting content is probably something that should be done as a post-processing step

> something like "website = parent 'project.url' + artifactId", which leads to odd urls. I wonder if this is a bug? Could not find any documentation on this behaviour.

here is the documentation of the mechanism involved = inheritance: https://maven.apache.org/ref/3.9.8/maven-model-builder/#inheritance-assembly , which is one of the mechanisms for building the effective POM
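As an added illustration of the post-processing approach suggested above (example code, not part of the issue and not from the cyclonedx-maven-plugin project): a small script that walks a CycloneDX JSON BOM and strips `externalReferences` either entirely, by reference type, or only where the URL points at an internal host. The sample BOM is constructed for the example; the `internal.example` hostnames and the components in it are made up, and the `website` URL on `common-utils` mirrors the "parent url + artifactId" shape described in the thread.

```python
"""Redact externalReferences from a CycloneDX JSON BOM as a post-processing step.

Added example: the BOM below is constructed for illustration and was not produced
by the plugin; hostnames under internal.example are placeholders.
"""
import json
import sys
from typing import Any, Dict, Iterable, Iterator, Optional, Tuple

SAMPLE_BOM: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {
            "type": "application", "group": "com.example.internal",
            "name": "billing-service", "version": "1.2.3",
            "externalReferences": [
                {"type": "website", "url": "https://git.internal.example/billing-service"},
                {"type": "vcs", "url": "https://git.internal.example/billing-service.git"},
            ],
        }
    },
    "components": [
        {
            "type": "library", "group": "com.example.internal",
            "name": "common-utils", "version": "4.0.0",
            # 'website' inherited from the parent POM url with the artifactId appended
            "externalReferences": [
                {"type": "website", "url": "https://git.internal.example/platform/common-utils"},
                {"type": "distribution", "url": "https://nexus.internal.example/repository/releases/"},
            ],
            # nested components must be visited too
            "components": [
                {
                    "type": "library", "group": "com.example.internal",
                    "name": "common-crypto", "version": "4.0.0",
                    "externalReferences": [
                        {"type": "vcs", "url": "https://git.internal.example/platform/common-crypto.git"},
                    ],
                }
            ],
        },
        {
            "type": "library", "group": "org.apache.commons",
            "name": "commons-lang3", "version": "3.14.0",
            "externalReferences": [
                {"type": "website", "url": "https://commons.apache.org/proper/commons-lang/"},
            ],
        },
    ],
}


def iter_components(bom: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield metadata.component, every top-level component and every nested one."""
    stack = []
    meta = bom.get("metadata", {}).get("component")
    if meta:
        stack.append(meta)
    stack.extend(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def redact_external_references(
    bom: Dict[str, Any],
    drop_types: Optional[Iterable[str]] = None,
    drop_url_substrings: Tuple[str, ...] = (),
) -> Tuple[Dict[str, Any], int]:
    """Return (redacted deep copy, number of references removed).

    With no filters every externalReferences array is removed. Otherwise a reference
    is dropped when its type is in drop_types or its url contains any listed substring.
    """
    out = json.loads(json.dumps(bom))  # deep copy; the input BOM is left untouched
    types = set(drop_types) if drop_types is not None else None
    drop_all = types is None and not drop_url_substrings
    removed = 0
    for comp in iter_components(out):
        refs = comp.get("externalReferences")
        if not refs:
            continue
        if drop_all:
            kept = []
        else:
            kept = [r for r in refs
                    if not ((types is not None and r.get("type") in types)
                            or any(s in r.get("url", "") for s in drop_url_substrings))]
        removed += len(refs) - len(kept)
        if kept:
            comp["externalReferences"] = kept
        else:
            del comp["externalReferences"]  # avoid leaving an empty array behind
    return out, removed


if __name__ == "__main__":
    # usage: python redact_bom.py in.json out.json [url-substring ...]
    with open(sys.argv[1]) as fh:
        src = json.load(fh)
    redacted, n = redact_external_references(src, drop_url_substrings=tuple(sys.argv[3:]))
    with open(sys.argv[2], "w") as fh:
        json.dump(redacted, fh, indent=2)
    print(f"removed {n} external reference(s)")
```

Run it on the plugin's generated `bom.json` after the build (for example as a later Maven phase or CI step) so the redacted file is the one that gets published; filtering by hostname substring keeps the public upstream references, which are usually the ones consumers of the SBOM want.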

jonnybecker commented 3 months ago

Thanks for clearing things up