CycloneDX / cyclonedx-maven-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Maven projects
https://cyclonedx.org/
Apache License 2.0

Exclude Projects not working as expected when running goal 'makeAggregateBom' #578

Open arkajnag23 opened 2 weeks ago

arkajnag23 commented 2 weeks ago

When I run the Maven command line mvn clean org.cyclonedx:cyclonedx-maven-plugin:2.8.1:makeAggregateBom, using -DexcludeGroupId or -DexcludeArtifactId doesn't seem to exclude the required artifacts from the final generated SBOMs.

withMaven(jdk: jdk17Version, maven: mvnVersion, mavenLocalRepo: '.repository', mavenSettingsConfig: 'test-support') {
    sh """mvn clean org.cyclonedx:cyclonedx-maven-plugin:2.8.1:makeAggregateBom \
        -DincludeCompileScope=true \
        -DincludeProvidedScope=false \
        -DincludeTestScope=false \
        -DincludeRuntimeScope=true \
        -DincludeLicenseText=true \
        -DoutputName=m3bc-onpremise-sbom \
        -DoutputFormat=json \
        -DoutputDirectory="${WORKSPACE}" \
        -DexcludeGroupId=com.eventhub"""
}

-DexcludeGroupId=com.eventhub didn't exclude the artifact, which is still present in the released SBOM.

{
      "group" : "com.eventhub",
      "name" : "eventhub-publisher",
      "version" : "2.3.6",
      "description" : "Parent POM for Grid-based products",
      "scope" : "required",
      "hashes" : [
        {
          "alg" : "MD5",
          "content" : "709a221c3b3a71a8a4d9eb084a0ef055"
        },
        {
          "alg" : "SHA-1",
          "content" : "56fd3bdfcf746dc619bc70acde3b3754d34e33aa"
        },
        {
          "alg" : "SHA-256",
          "content" : "e56e21ed9f31d8260291c1254d8be5f27f408f1c5bec850ab02c9c0ae4827b85"
        },
        {
          "alg" : "SHA-512",
          "content" : "52cf07c7e2aea63b76f9c3b7f67853e22b84afcdaf0a9ac0589fdd01173bf61165d80befb25ee0411e8bccaa28eea909bd7d6dae03c52da51ddb483036515b33"
        },
        {
          "alg" : "SHA-384",
          "content" : "265eaf3f02d32a194b9fe9da40581945724969f317563fb93c497c6deaaf4605efe10986f73e3eda932b1f99b323af36"
        },
        {
          "alg" : "SHA3-384",
          "content" : "82b105f9048be5afab36f02dd6133593a58fe31f13381f136542375632c225940cb0a165dc9ca1fbbb0394539622142c"
        },
        {
          "alg" : "SHA3-256",
          "content" : "dc2ec691fbbbbc394d5d48749e05b48419364264476880602e8c3a100c800f34"
        },
        {
          "alg" : "SHA3-512",
          "content" : "0aa620a9480d536b5c390a9ba468c01d984456f1c94258ba804ec2383f8abfa2a0f92d153cabceb88ab5fb3056f7189aa1a6ed83efadb7bf7ec2d47289ac6a40"
        }
      ]
}

hboutemy commented 1 week ago

are you trying to exclude a dependency? or a project from the multi-module build, as this parameter is about: https://github.com/CycloneDX/cyclonedx-maven-plugin?tab=readme-ov-file#excluding-projects ?

said another way: are you really building a Maven multi-module project that combines multiple groupIds, including com.eventhub = the modules you want to avoid?

arkajnag23 commented 1 week ago

Yes, it is a multi-module Maven project. Say the core parent pom has the groupId event-hub and all the child modules follow the same parent group. But each module has its own dependencies, which are external libraries. My aim is to exclude all the groups which are internal to the company and only include those which are external or open-sourced.

The group-id shared in my post above was only an example; there can be several other dependencies (client libraries) which I want to exclude when running the cyclonedx goal.

arkajnag23 commented 1 week ago

I don't want to exclude the whole project, since then it will ignore or exclude all the dependencies. Only specific group-ids, so that all the artifacts falling within that group will be automatically excluded when scanned.

hboutemy commented 1 week ago

oh, I did not expect that one: you have a private multi-module project and want to ship a unique aggregate SBOM that does not list the different (private) modules but only the aggregation of their dependencies? that's it? it's an objective of hiding private internal details, but just share the global (external) dependencies? redacted aggregate SBOM?

we should probably write a sample with 1 parent and 3 modules, and a few dependencies (not many, because we need to keep it simple). We could probably describe the actual output of https://github.com/CycloneDX/cyclonedx-maven-plugin/tree/master/src/it/makeAggregateBom and the expected redacted output.

one question on your use case: are you expecting to do this one day with configuration in pom.xml and run with mvn verify, or always only on the command line with mvn -D.... cyclonedx-maven-plugin:makeAggregateBom? is there a reason for staying with the command-line approach only?
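The redacted aggregate SBOM described above can be produced today by post-processing the JSON the plugin writes, since, as hboutemy points out, excludeGroupId/excludeArtifactId address modules of the multi-module build rather than dependencies. The following is an added example, not code from cyclonedx-maven-plugin or from anyone in this thread: it drops every component whose group is (or is nested under) an internal groupId and then collapses the "dependencies" graph so that a kept node which depended on a removed internal module depends directly on that module's external dependencies, keeping the graph connected. The sample BOM, its groupIds, versions and purls are constructed for illustration; the real input would be the file the plugin wrote (for example m3bc-onpremise-sbom.json).

```python
"""Redact internal groupIds from a CycloneDX JSON SBOM (added example)."""
import json
import sys
from typing import Dict, Iterable, List, Set


def is_internal(group: str, internal_groups: Iterable[str]) -> bool:
    """True if group equals an internal groupId or is a sub-group of one
    (com.eventhub.client counts as internal when com.eventhub is)."""
    return any(group == g or group.startswith(g + ".") for g in internal_groups)


def redact_sbom(bom: dict, internal_groups: Iterable[str]) -> dict:
    """Return a copy of bom without components from internal groups.

    The "dependencies" array is rewritten so that every kept node which
    depended on a removed node now depends on that node's own (transitively
    resolved) dependencies. The input dict is not mutated."""
    groups = list(internal_groups)
    components = bom.get("components", [])
    removed: Set[str] = {
        c["bom-ref"] for c in components
        if "bom-ref" in c and is_internal(c.get("group", ""), groups)
    }
    # ref -> dependsOn, one entry per component as the plugin writes it
    graph: Dict[str, List[str]] = {
        d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])
    }

    def resolve(ref: str, visiting: Set[str]) -> List[str]:
        """dependsOn of ref, with removed refs replaced by their own deps."""
        out: List[str] = []
        for dep in graph.get(ref, []):
            if dep in removed:
                if dep in visiting:  # cycle guard; Maven graphs are acyclic anyway
                    continue
                for r in resolve(dep, visiting | {dep}):
                    if r not in out:
                        out.append(r)
            elif dep not in out:
                out.append(dep)
        return out

    redacted = dict(bom)
    redacted["components"] = [
        c for c in components if not is_internal(c.get("group", ""), groups)
    ]
    if "dependencies" in bom:
        redacted["dependencies"] = [
            {"ref": ref, "dependsOn": resolve(ref, set())}
            for ref in graph if ref not in removed
        ]
    return redacted


# Constructed sample (not real plugin output): root -> internal publisher ->
# internal client -> jackson, plus slf4j used directly by the publisher.
ROOT = "pkg:maven/com.eventhub/parent@1.0.0?type=pom"
PUB = "pkg:maven/com.eventhub/eventhub-publisher@2.3.6?type=jar"
CLIENT = "pkg:maven/com.eventhub.client/grid-client@1.1.0?type=jar"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2?type=jar"
SLF4J = "pkg:maven/org.slf4j/slf4j-api@2.0.9?type=jar"

SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "group": "com.eventhub",
                               "name": "parent", "version": "1.0.0", "bom-ref": ROOT}},
    "components": [
        {"type": "library", "group": "com.eventhub", "name": "eventhub-publisher",
         "version": "2.3.6", "bom-ref": PUB},
        {"type": "library", "group": "com.eventhub.client", "name": "grid-client",
         "version": "1.1.0", "bom-ref": CLIENT},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2", "bom-ref": JACKSON},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
         "version": "2.0.9", "bom-ref": SLF4J},
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [PUB]},
        {"ref": PUB, "dependsOn": [CLIENT, SLF4J]},
        {"ref": CLIENT, "dependsOn": [JACKSON]},
        {"ref": JACKSON, "dependsOn": []},
        {"ref": SLF4J, "dependsOn": []},
    ],
}


def redact_file(src: str, dst: str, internal_groups: Iterable[str]) -> int:
    """Redact src into dst; returns the number of components removed."""
    with open(src, encoding="utf-8") as fh:
        bom = json.load(fh)
    out = redact_sbom(bom, internal_groups)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(out, fh, indent=2)
    return len(bom.get("components", [])) - len(out["components"])


if __name__ == "__main__":
    if len(sys.argv) < 4:
        # No files given: show the effect on the constructed sample.
        print(json.dumps(redact_sbom(SAMPLE_BOM, ["com.eventhub"]), indent=2))
    else:
        n = redact_file(sys.argv[1], sys.argv[2], sys.argv[3:])
        print(f"removed {n} internal component(s)")
```

Usage: python redact_sbom.py m3bc-onpremise-sbom.json redacted.json com.eventhub com.othercorp. Two caveats: metadata.component (the root project) is deliberately left in place because it is the subject of the SBOM, so strip or rename it separately if the root groupId must not leak either; and the hashes of removed internal artifacts disappear with them, which is the intent of the redaction but also means a consumer can no longer verify those artifacts from this document.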

arkajnag23 commented 5 days ago

@hboutemy I have a custom Maven goal which internally calls the cyclonedx goals via the Maven executor plugin, where I pass the different parameters. This goal is invoked by our Jenkins builds, and the builds are triggered by 45 application teams with their own multi-module projects.