spdx / spdx-maven-plugin Goto Github PK

Plugin for supporting SPDX in a Maven build.

License: Apache License 2.0

Groovy 0.05% Java 99.95%

spdx-maven-plugin's Introduction

SPDX Maven Plugin is a plugin to Maven which produces Software Package Data Exchange (SPDX) documents for artifacts described in the POM file.

Goal Overview

spdx:createSPDX creates an SPDX document for artifacts defined in the POM file. It will replace any existing SPDX documents.

Code quality badges

| | | | |

Usage

In the build plugins section, add the plugin with createSPDX goal:

    <plugin>
        <groupId>org.spdx</groupId>
        <artifactId>spdx-maven-plugin</artifactId>
        <!-- please check for updates on https://search.maven.org/search?q=a:spdx-maven-plugin -->
        <version>0.6.5</version>
        <executions>
            <execution>
                <id>build-spdx</id>
                <goals>
                    <goal>createSPDX</goal>
                </goals>
            </execution>
        </executions>
        <configuration>
          <excludedFilePatterns>
            <excludedFilePattern>*.spdx</excludedFilePattern>
          </excludedFilePatterns>
          <!-- See documentation below for additional configuration -->
        </configuration>
    </plugin>

Then invoke with mvn spdx:createSPDX and your SPDX file will be generated in ./target/site/{groupId}_{artifactId}-{version}.spdx.

Additional Configuration

See createSPDX goal documentation for complete details.

All SPDX document and SPDX package properties are supported. Some properties are taken from existing POM properties while others are specified in the configuration section.

File level data supports default parameters which are applied to all files.

File specific parameters can be specified in the configuration parameter pathsWithSpecificSpdxInfo which includes a directoryOrFile configuration parameter in addition to the SPDX file level parameters.

A mapping of POM properties and configuration parameters can be found in the spreadsheet SPDX-fields-maven-mapping.xlsx.

The treatment of licenses for Maven is somewhat involved. Where possible, SPDX standard licenses ID's should be used. If no SPDX standard license is available, a nonStandardLicense must be declared as a parameter including a unique license ID and the verbatim license text.

Example

See the file src/it/advanced/pom.xml for an example project using the spdx-maven-plugin.

Contributing

See the CONTRIBUTING.MD documentation.

License

This project is licensed under the Apache 2.0 License

spdx-maven-plugin's People

Contributors

Stargazers

Watchers

spdx-maven-plugin's Issues

Support SPDX lite as input to the plugin

Proposal: Add configuration parameter to the plugin which points to an SPDX lite document.

The plugin would read in the SPDX lite data and merge it with any other plugin configuration parameters.

Propose the SPDX lite document take precedence on any conflicts.

This would allow the SPDX metadata to be separated out into a separate file for better maintainability.

It would also allow most of the SPDX document to be maintained in the source repo.

See the SPDX tools discussion on the SPDX document storage for more information.

Regression NullPointerException building a parent POM

When building a parent POM like Apache Commons parent [1][2], the plugin should not throw a NullPointerException but have a default reasonable behavior. Note that the POM works when used as a parent POM but it still needs to be installed locally in development.

This worked fine in 0.5.5 but the NPE appears in 0.6.0.

Reproducing the NPE:

git clone https://gitbox.apache.org/repos/asf/commons-parent
git checkout ca7547930901daae96b650bbeacf3782d87dd168
mvn -e -V clean install

This produces:

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: C:\Java\apache-maven-3.8.6
Java version: 1.8.0_342, vendor: Temurin, runtime: C:\Program Files\Eclipse Adoptium\jdk-8.0.342.7-hotspot\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
...
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  17.805 s
[INFO] Finished at: 2022-09-18T08:21:44-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.spdx:spdx-maven-plugin:0.6.0:createSPDX (build-spdx) on project commons-parent: Execution build-spdx of goal org.spdx:spdx-maven-plugin:0.6.0:createSPDX failed.: NullPointerException -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.spdx:spdx-maven-plugin:0.6.0:createSPDX (build-spdx) on project commons-parent: Execution build-spdx of goal org.spdx:spdx-maven-plugin:0.6.0:createSPDX failed.
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:375)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution build-spdx of goal org.spdx:spdx-maven-plugin:0.6.0:createSPDX failed.
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:148)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
Caused by: java.lang.NullPointerException
    at java.util.Objects.requireNonNull (Objects.java:203)
    at java.util.Arrays$ArrayList.<init> (Arrays.java:3813)
    at java.util.Arrays.asList (Arrays.java:3800)
    at org.spdx.maven.SpdxFileCollector.convertToSpdxFile (SpdxFileCollector.java:443)
    at org.spdx.maven.SpdxFileCollector.collectFile (SpdxFileCollector.java:267)
    at org.spdx.maven.SpdxFileCollector.collectFiles (SpdxFileCollector.java:192)
    at org.spdx.maven.SpdxDocumentBuilder.collectSpdxFileInformation (SpdxDocumentBuilder.java:577)
    at org.spdx.maven.SpdxDocumentBuilder.buildDocumentFromFiles (SpdxDocumentBuilder.java:242)
    at org.spdx.maven.CreateSpdxMojo.execute (CreateSpdxMojo.java:507)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginExecutionException

[1] https://commons.apache.org/proper/commons-parent/
[2] https://github.com/apache/commons-parent/

Running behind corporate proxy

Hi,
I'm attempting to run this plugin behind a corporate proxy and running into significant performance problems due to connectivity issues.

It does not appear that there is anyway to configure specific Proxy settings at the plugin level and attempts to add proxy config as JVM variables or MVN_OPTS have not had any impact.

An alternative solution would be to provide a means of suppressing the attempt to access license files directly and allow local paths to license files to be supplied via parameter?

This may be an issue with the core SPDX library and also has an impact on the CycloneDX plugin that shares core code.

Sample log output

[DEBUG] System architecture: 64 bit
[DEBUG] open(http://spdx.org/licenses/index.html)
[DEBUG] Not mapped: http://spdx.org/licenses/index.html
[DEBUG] [1] GET http://spdx.org/licenses/index.html
[DEBUG] Connection request: [route: {}->http://spdx.org][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] Connection leased: [id: 0][route: {}->http://spdx.org][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] Connecting to spdx.org/54.192.87.111:80
[DEBUG] Connect to spdx.org/54.192.87.111:80 timed out. Connection will be retried using another IP address
[DEBUG] Connecting to spdx.org/54.192.87.119:80
[DEBUG] Connect to spdx.org/54.192.87.119:80 timed out. Connection will be retried using another IP address
[DEBUG] Connecting to spdx.org/54.192.87.79:80
[DEBUG] Connect to spdx.org/54.192.87.79:80 timed out. Connection will be retried using another IP address
[DEBUG] Connecting to spdx.org/54.192.87.60:80
[DEBUG] http-outgoing-0: Shutdown connection
[DEBUG] Connection discarded
[DEBUG] http-outgoing-0: Close connection
[DEBUG] Connection released: [id: 0][route: {}->http://spdx.org][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
log4j:WARN No appenders could be found for logger (org.spdx.rdfparser.license.ListedLicenses).
log4j:WARN Please initialize the log4j system properly.
[DEBUG] open(resources/stdlicenses/index.html)
[DEBUG] Not mapped: resources/stdlicenses/index.html
[DEBUG] Found: resources/stdlicenses/index.html (ClassLoaderLocator)
[ERROR] Rewired RDFReaderFImpl - configuration changes have no effect on reading
[ERROR] Rewired RDFReaderFImpl - configuration changes have no effect on reading
[DEBUG] Connection manager is shutting down
[DEBUG] Connection manager shut down
[DEBUG] open(https://spdx.org/licenses/CC0-1.0)
[DEBUG] Not mapped: https://spdx.org/licenses/CC0-1.0
[DEBUG] [2] GET https://spdx.org/licenses/CC0-1.0
[DEBUG] Connection request: [route: {}->https://spdx.org][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[DEBUG] Connection leased: [id: 1][route: {}->https://spdx.org][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[DEBUG] Connecting to spdx.org/54.192.87.111:443
[DEBUG] Connect to spdx.org/54.192.87.111:443 timed out. Connection will be retried using another IP address
[DEBUG] Connecting to spdx.org/54.192.87.119:443
[DEBUG] Connect to spdx.org/54.192.87.119:443 timed out. Connection will be retried using another IP address
[DEBUG] Connecting to spdx.org/54.192.87.79:443
[DEBUG] Connect to spdx.org/54.192.87.79:443 timed out. Connection will be retried using another IP address
[DEBUG] Connecting to spdx.org/54.192.87.60:443
[DEBUG] http-outgoing-1: Shutdown connection
[DEBUG] Connection discarded
[DEBUG] http-outgoing-1: Close connection
[DEBUG] Connection released: [id: 1][route: {}->https://spdx.org][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]

Should this plugin be generating sbom data about a project's dependencies?

Hi there,

When I run createSPDX the resulting .spdx.json only includes metadata of the top level project and its files, but nothing about the dependencies. I was just wondering if this is WAI or whether I have it misconfigured somehow.

thanks!

Make SpdxProjectInformation public

First, thx a lot for this project! It really helped me to understand the SPDX specification wrt. to Maven.
Currently, I'm playing around with the code.
However, exists a reason for SpdxProjectInformation to be package-private?

Add unit test for Maven property inheritance

PR #72 does not include a unit test. This comment from issue #70 includes some test files which can be used for the unit tests.

Add a separate goal which does not invoke any other lifecycle

The createSPDX always invokes the execution of the lifecycle phase verify prior to executing itself. Is that really necessary? If the goal is configured in the pom, the verify phase runs twice.

You could add a separate goal `createSPDX-no-fork' which does not invoke any other lifecyle (similar to the (javadoc:javadoc-no-fork) goal).

Setting the outputFormat parameter to RDF/XML doesn't change the file extension

If setting the outputFormat parameter to RDF/XML, the file extension is still json. The extension of spdxFileName should probably be changed to rdf.xml but only if still configured as json.

Change deployments from Bintray to Maven Central and Github packages

Bintray is retiring their service on May 1. Prior to retirement, we need to start publishing an alternative package storage provider.

Suggest both Maven Central and Github Packages.

This can be automated using Github actions. See https://docs.github.com/en/actions/guides/publishing-java-packages-with-maven#publishing-packages-to-the-maven-central-repository-and-github-packages

The plugin no longer builds and runs with Java 8

The jar spdx-rdf-store seems to be compiled to Java 11?

This POM says Java 8 but running mvn clean install for this plugin says:

[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] /C:/Users/ggregory/git/g/spdx-maven-plugin/src/main/java/org/spdx/maven/SpdxDependencyInformation.java:[69,29] cannot access org.spdx.spdxRdfStore.RdfStore
  bad class file: C:\Users\ggregory\.m2\repository\org\spdx\spdx-rdf-store\1.1.3\spdx-rdf-store-1.1.3.jar(org/spdx/spdxRdfStore/RdfStore.class)
    class file has wrong version 55.0, should be 52.0
    Please remove or make sure it appears in the correct subdirectory of the classpath.
[INFO] 1 error
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  6.531 s
[INFO] Finished at: 2023-02-04T10:18:15-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project spdx-maven-plugin: Compilation failure
[ERROR] /C:/Users/ggregory/git/g/spdx-maven-plugin/src/main/java/org/spdx/maven/SpdxDependencyInformation.java:[69,29] cannot access org.spdx.spdxRdfStore.RdfStore
[ERROR]   bad class file: C:\Users\ggregory\.m2\repository\org\spdx\spdx-rdf-store\1.1.3\spdx-rdf-store-1.1.3.jar(org/spdx/spdxRdfStore/RdfStore.class)
[ERROR]     class file has wrong version 55.0, should be 52.0
[ERROR]     Please remove or make sure it appears in the correct subdirectory of the classpath.
[ERROR]
[ERROR] -> [Help 1]

Ah... the problems seems to be an eager update to Apache Jena, building spdx-rdf-store with Java 8 yields:

[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR :
[INFO] -------------------------------------------------------------
[ERROR] /C:/Users/ggregory/git/g/spdx-java-rdf-store/src/main/java/org/spdx/spdxRdfStore/RdfStore.java:[38,29] cannot access org.apache.jena.graph.Node
  bad class file: C:\Users\ggregory\.m2\repository\org\apache\jena\jena-core\4.7.0\jena-core-4.7.0.jar(org/apache/jena/graph/Node.class)
    class file has wrong version 55.0, should be 52.0
    Please remove or make sure it appears in the correct subdirectory of the classpath.

Please go back to supporting Java 8 or make it obvious that Java 11 is required.

Provide better navigation to External Document Refs for dependencies

If a dependency has an SPDX file, an External Document Reference is created using the Document URI from the dependency's SPDX file.

Depending on how the Document URI is constructed, it may or may not provide location information for the SPDX document.

Suggest creating an Annotation for the SPDX document which comments on the location of each External Document Ref.

Add file annotation, relationships

Add configuration parameters to implement annotations and relationship for default file and file path specific information - updates to class SpdxFileCollector

Incorrect dependency type and direction for test scope dependencies

When there is a test dependency (e.g. Junit), the resultant SPDX shows a relationship from the described package to the dependency with a type TEST_CASE_OF. The dependency should be from the dependency to the described package with a type TEST_DEPENDENCY_OF.

Project name in URL may not be encoded properly

See DependencyTrack/dependency-track#329 for a description of the issue.

From stack trace in the issue, it looks like the spaces are not properly encoded in the URI.

"Error resolving project artifact" unless comes from maven central

I have a tiny maven project that uses the maven repository https://jcenter.bintray.com/ which is needed to resolve the dependency org.jfrog.security:jfrog-crypto.

It compiles and runs without problems, which (I think) proves that the setup is correct.

However, the spdx-maven-plugin fails with the error message mentioned below.

I had expected the spdx-maven-plugin to download jfrog-crypto-4.9.0.pom from https://jcenter.bintray.com/ rather than maven central.

The maven project can be found in the attachment.

[INFO] org.spdx.maven.CreateSpdxMojo - Creating SPDX File C:\dvdv\spdx-maven-plugin-minimal-0\target\site\org.example_spdx-maven-plugin-minimal-1.0-SNAPSHOT.spdx.json
Downloading from central: https://repo.maven.apache.org/maven2/org/jfrog/security/jfrog-crypto/4.9.0/jfrog-crypto-4.9.0.pom
[ERROR] org.spdx.maven.CreateSpdxMojo - Maven Project Build Error creating SPDX package for dependency artifact ID jfrog-crypto:Error resolving project artifact: Could not find artifact org.jfrog.security:jfrog-crypto:pom:4.9.0 in central (https://repo.maven.apache.org/maven2) for project org.jfrog.security:jfrog-crypto:jar:4.9.0
[WARNING] org.spdx.maven.CreateSpdxMojo - Error creating SPDX package for dependency artifact ID jfrog-crypto.  A minimal SPDX package will be created.
Downloading from central: https://repo.maven.apache.org/maven2/org/jfrog/common/jfrog-utils/4.9.0/jfrog-utils-4.9.0.pom
[ERROR] org.spdx.maven.CreateSpdxMojo - Maven Project Build Error creating SPDX package for dependency artifact ID jfrog-utils:Error resolving project artifact: Could not find artifact org.jfrog.common:jfrog-utils:pom:4.9.0 in central (https://repo.maven.apache.org/maven2) for project org.jfrog.common:jfrog-utils:jar:4.9.0
[WARNING] org.spdx.maven.CreateSpdxMojo - Error creating SPDX package for dependency artifact ID jfrog-utils.  A minimal SPDX package will be created.

spdx-maven-plugin-minimal-0.zip

Suggest: Create SPDX file with artifactId as name

The SPDX file is created with the as the filename. This is intended to be a human readable name, my suggestion is to use the full:

<groupId>.<artifactId>-<version>.spdx

or at least the -.spdx

Support aggregation (multi-module)

Support multi-module POM files

Support for JSON formatted SPDX document?

Just used this plugin (thank you!) and the outputted SBOM was in XML format. Is there some option to get this in JSON format?

Maven properties are not inherited properly

For the main artifact, the plugin reads the package information from MavenProject. For the dependencies, the plugin reads the pom.xml directly. For this reason, the package information is incomplete because all inherited properties are missing.

Many artifacts do not define a version because it is inherited from the parent. This version information is therefore missing in the resulting SPDX file.

Release version 0.6.5

Scan source files for SPDX license ID's

This is a proposed enhancement based on a discussion thread in the license-maven-plugin issue mojohaus/license-maven-plugin#323

The source files could be scanned for SPDX license identifiers declared in the source. This could be a simple regex applied to the source files which are already being opened and processed for checksums. It would not take much additional compute time if the regex is efficient.

Any files with an SPDX license identifier would use that license ID for the declared license for that file.

use last release of spdx-tools

As a new version of spdx-tools has been released yesterday (version 2.1.13), spdx-maven-plugin should now reference this new release.

For more information, see issue #171.

Default licenseInformationInFile should default to the license specified in the POM file

Current default is NOASSERTION. Would not be difficult to default this to the same default as LicenseDeclared which is taken from the POM license information.

Change to using dependency tree library

dependency tree library implements much of the functionality in the dependency tracking software and may help handle circular dependencies as mentioned in this comment.

Adopt and enforce code style in project code base

While working on the code base, I found that the code style is inconsistent. This includes trailing white spaces, placement of braces and so on. This creates unnecessary noise in git diffs when different people work on the code. It makes sense to adopt a code style guide for the project. If one of the other SPDX projects use a style guide, it can be adopted for this project as well.

Otherwise, one of the many standard code styles exist for Java including Google Java Style Guide, OpenJDK Java Style Guidelines and so on may be used. Tools like checkstyle can be used to enforce the code style guidelines if necessary as well.

Include transitive dependencies in generated spdx bom

When generating an SPDX sbom for a Maven project, I suspect sbom users will want the complete inventory of all dependencies of that project to obtain complete coverage of the contents. It would be nice if this plugin would include them in the output by default, or else provide an option to enable it.

Thanks!

Error generated when dependencies have SPDX file

The following error occurs when generating the SPDX file for the spdx-java-rdf-store:

[ERROR] Invalid SPDX analysis exception reading SPDX document for dependency artifact ID java-spdx-library:Invalid id format for an external document reference.  Must be of the form ExternalSPDXRef:SPDXID.  Using POM file information for creating SPDX package data.

Unable to resolve parametric urls?

I have this dependency:

pom.xml:      <groupId>uk.org.lidalia</groupId>
pom.xml:      <artifactId>slf4j-test</artifactId>
pom.xml:      <version>1.2.0</version>

but adding spdx into the build chain errors with the following error:

INFO] --- spdx-maven-plugin:0.6.1:createSPDX (build-spdx) @ sdk ---
[INFO] Creating SPDX File /Users/jabrahms/src/github.com/open-feature/javasdk/target/site/dev.openfeature_sdk-0.2.2.spdx.json
[WARNING] Unable to map maven licenses to a declared license.  Using NOASSERTION
[WARNING] Could not determine the SPDX relationship type for dependency artifact ID lombok scope provided
[ERROR] SPDX analysis error processing dependencies: http://projects.lidalia.org.uk/${project.artifactId} is not a valid URI
org.spdx.library.InvalidSPDXAnalysisException: http://projects.lidalia.org.uk/${project.artifactId} is not a valid URI
    at org.spdx.library.model.SpdxPackage.setHomepage (SpdxPackage.java:325)
    at org.spdx.maven.SpdxDependencyInformation.createSpdxPackage (SpdxDependencyInformation.java:431)
    at org.spdx.maven.SpdxDependencyInformation.createSpdxPackage (SpdxDependencyInformation.java:206)
    at org.spdx.maven.SpdxDependencyInformation.addMavenDependency (SpdxDependencyInformation.java:105)
    at org.spdx.maven.CreateSpdxMojo.getSpdxDependencyInformation (CreateSpdxMojo.java:561)
    at org.spdx.maven.CreateSpdxMojo.execute (CreateSpdxMojo.java:484)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

Add optional checksums for file

Add support file file checksums beyond SHA1 - impacts class SpdxFileCollector

Code throws an exception on valid SPDX document namespaces

This bug was produced using 0.6.3 version of the plugin. The execute() function in src/main/java/org/spdx/maven/CreateSpdxMojo.java throws an MalformedUrlException on valid namespaces. Per SPDX v2.3 specification, the namespace is represented as a URI. The code currently throws an exception on any scheme that's not a URL protocol such as http:// or https://. For example, a valid document namespace, spdx://sbom.foobar.dev/2.3/test-package-1.1.0, which is a valid URI throws an exception. The code should check if the namespace is a valid URI and not limit itself it to only URLs.

Namespace Input

spdx://sbom.foobar.dev/2.3/test-package-1.1.0

Exception

Caused by: org.apache.maven.plugin.MojoExecutionException: Invalid SPDX document namespace - not a valid URL: spdx://sbom.foobar.dev/2.3/test-package-1.1.0 at org.spdx.maven.CreateSpdxMojo.execute (CreateSpdxMojo.java:467) at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137) at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370) at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215) at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171 at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81) at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:298) at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192) at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105) at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960) at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293) at org.apache.maven.cli.MavenCli.main (MavenCli.java:196) at jdk.internal.reflect.DirectMethodHandleAccessor.invoke (DirectMethodHandleAccessor.java:104) at java.lang.reflect.Method.invoke (Method.java:578) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282) at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406) at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)Caused by: java.net.MalformedURLException: unknown protocol: spdx at java.net.URL.<init> (URL.java:682) at java.net.URL.<init> (URL.java:570) at java.net.URL.<init> (URL.java:517)

.spdx extension impractical

SPDX documents get deployed to Maven Central with the .spdx extension. This is impractical, because:

The files are served with Content-Type: application/octet-stream by Maven Central and browsers download them instead of rendering them
When opened in common editors, they are not handled as XML (syntax highlighting, folding, ...)

I wonder if the .spdx extension is prescribed by the SPDX spec? Could it eventually get changed to .spdx.xml ?