Hi,

I have put together a simple project with a parent and two modules, each
with their own dependencies. This has the same result in that the installed
bom for each module includes the dependencies of the entire project reactor.

When I change the goal from 'makeAggregateBom' to 'makeBom' then I see the
behaviour I expect. Each module has a bom that only includes the direct
dependencies of the project module. This holds for the installed bom that
is attached during install.

I think the goal we require when building separate installed jar files in a
multi module project is 'makeBom' and not 'makeAggregateBom'. The lack of
documentation on the CycloneDX website does not help distinguish the two.
The fact that the default execution is 'makeAggregateBom' also does not
help.

If I directly add the CycloneDX plugin config from CP 54 to Commons
Statistics (but not via CP 54) but change the default execution from
makeAggregateBom to makeBom, then the plugin works as I would expect.

I have not tested this with a single module commons project.

Alex


On Tue, 20 Sept 2022 at 14:22, Gilles Sadowski <gillese...@gmail.com> wrote:

> Hello.
>
> > [...] The installed bom has dependency
> > information collated from other modules which are not actually
> > dependencies. So the aggregation is bringing in dependencies incorrectly.
> > This makes the BOM incorrect.
> > [...]
>
> If that's the case, I suggest that this feature is disabled by default
> in CP.  RM should be aware that the release could contain wrong
> information (which IMHO is worse than no information).
>
> Gilles
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>

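The symptom described in the thread (an installed per-module BOM listing components that belong to sibling modules in the reactor) is easy to catch with a small check before a release. The script below is an added example, not part of the mailing-list discussion or of the CycloneDX plugin or Commons Parent: it parses a CycloneDX JSON BOM and compares the components it lists against the coordinates the module actually resolves (in practice taken from `mvn dependency:list` run in the module directory). The sample BOM and the coordinate names (`org.example`, `module-a`, `lib-needed-by-a`, `lib-needed-by-b`) are constructed for the example.

```python
"""Compare a CycloneDX JSON BOM against the dependencies a module really has.

Added example (not the thread's or the CycloneDX plugin's own code). It flags
"extra" components, the aggregate-bleed symptom described above, and also
"missing" ones, so the same check works for both goals.
"""
import json

# Constructed sample BOM for one module, "module-a". The second component
# belongs to a sibling module and should not appear in module-a's BOM.
SAMPLE_BOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "library", "group": "org.example",
                  "name": "module-a", "version": "1.0"}
  },
  "components": [
    {"type": "library", "group": "org.example", "name": "lib-needed-by-a",
     "version": "2.3",
     "purl": "pkg:maven/org.example/lib-needed-by-a@2.3?type=jar"},
    {"type": "library", "group": "org.example", "name": "lib-needed-by-b",
     "version": "1.1",
     "purl": "pkg:maven/org.example/lib-needed-by-b@1.1?type=jar"}
  ]
}
"""

# Coordinates module-a actually resolves (constructed; in a real build this
# set comes from `mvn dependency:list` executed inside the module).
EXPECTED_MODULE_A = {"org.example:lib-needed-by-a:2.3"}


def load_sample_bom():
    """Parse the constructed sample BOM into a dict."""
    return json.loads(SAMPLE_BOM_JSON)


def component_coordinates(bom):
    """Return the set of group:name:version coordinates listed in the BOM."""
    coords = set()
    for comp in bom.get("components", []):
        group = comp.get("group", "")
        name = comp.get("name", "")
        version = comp.get("version", "")
        coords.add(f"{group}:{name}:{version}")
    return coords


def unexpected_components(bom, expected):
    """Components the BOM lists but the module does not depend on."""
    return component_coordinates(bom) - set(expected)


def missing_components(bom, expected):
    """Dependencies the module has that the BOM fails to list."""
    return set(expected) - component_coordinates(bom)


def check_bom_file(path, expected):
    """Load a BOM from disk and return (extra, missing) coordinate sets."""
    with open(path, encoding="utf-8") as fh:
        bom = json.load(fh)
    return unexpected_components(bom, expected), missing_components(bom, expected)


if __name__ == "__main__":
    sample = load_sample_bom()
    extra = unexpected_components(sample, EXPECTED_MODULE_A)
    missing = missing_components(sample, EXPECTED_MODULE_A)
    print("extra components (not real dependencies):", sorted(extra))
    print("missing components:", sorted(missing))
```

Run it against the file the plugin attaches during `install` (for example `target/bom.json` in each module); a non-empty "extra" set is the aggregate-bleed case from the thread, and a non-empty "missing" set means the BOM understates what ships in the jar.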