I made the changes in 55-SNAPSHOT to the Maven plugin configuration from 'makeAggregateBom' to 'makeBom'.

Gary

---------- Forwarded message ---------
From: Gary Gregory <garydgreg...@gmail.com>
Date: Wed, Sep 21, 2022, 14:45
Subject: Re: [VOTE][LAZY] Release Apache Commons Parent 54 based on RC1
To: Commons Developers List <dev@commons.apache.org>

Thank you Alex,

My plan is to proceed with 54 as is and continue toward getting single and multiple module projects to work nicely from commons-parent for 55.

Gary

On Tue, Sep 20, 2022 at 5:00 PM Alex Herbert <alex.d.herb...@gmail.com> wrote:
>
> Hi,
>
> I have put together a simple project with a parent and two modules, each
> with their own dependencies. This has the same result in that the installed
> bom for each module includes the dependencies of the entire project reactor.
>
> When I change the goal from 'makeAggregateBom' to 'makeBom' then I see the
> behaviour I expect. Each module has a bom that only includes the direct
> dependencies of the project module. This holds for the installed bom that
> is attached during install.
>
> I think the goal we require when building separate installed jar files in a
> multi module project is 'makeBom' and not 'makeAggregateBom'. The lack of
> documentation on the Cyclone DX website does not help distinguish the two.
> The fact that the default execution is 'makeAggregateBom' also does not
> help.
>
> If I directly add the Cyclone DX plugin config from CP 54 to Commons
> Statistics (but not via CP 54) but change the default execution from
> makeAggregateBom to makeBom, then the plugin works as I would expect.
>
> I have not tested this with a single module commons project.
>
> Alex
>
>
> On Tue, 20 Sept 2022 at 14:22, Gilles Sadowski <gillese...@gmail.com> wrote:
>
> > Hello.
> >
> > > [...] The installed bom has dependency
> > > information collated from other modules which are not actually
> > > dependencies. So the aggregation is bringing in dependencies incorrectly.
> > > This makes the BOM incorrect.
> > > [...]
> >
> > If that's the case, I suggest that this feature is disabled by default
> > in CP. RM should be aware that the release could contain wrong
> > information (which IMHO is worse than no information).
> >
> > Gilles
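
As an added example (not part of this thread, and not Commons Parent or CycloneDX code), one way to check an installed module BOM for the problem discussed above is to list the components the BOM records that are absent from the module's own `mvn dependency:list` output. The `org.example` coordinates, the module name and all sample data are constructed, and the check assumes a CycloneDX JSON BOM with a top-level `components` array.

```python
import re

SCOPES = {"compile", "runtime", "provided", "system", "test"}

def module_dependencies(dependency_list_output):
    """Parse `mvn dependency:list` output into {(group, artifact, version)}."""
    deps = set()
    for line in dependency_list_output.splitlines():
        m = re.match(r"\[INFO\]\s+(\S+)", line)
        if not m:
            continue
        # group:artifact:type[:classifier]:version:scope
        parts = m.group(1).split(":")
        if len(parts) in (5, 6) and parts[-1] in SCOPES:
            deps.add((parts[0], parts[1], parts[-2]))
    return deps

def bom_components(bom):
    """Collect {(group, name, version)} from a parsed CycloneDX JSON BOM."""
    return {(c.get("group", ""), c["name"], c.get("version", ""))
            for c in bom.get("components", [])}

def reactor_leakage(bom, dependency_list_output):
    """Components in the module's BOM that the module itself does not resolve."""
    extra = bom_components(bom) - module_dependencies(dependency_list_output)
    return sorted(":".join(c) for c in extra)

# Constructed sample: output of `mvn dependency:list` run in module-a only.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:list (default-cli) @ module-a ---
[INFO] The following files have been resolved:
[INFO]    org.example:lib-a:jar:1.0:compile
[INFO]    org.example:lib-test:jar:tests:2.1:test
[INFO] BUILD SUCCESS
"""

# Constructed sample: module-a's installed BOM, which also carries lib-b,
# a dependency declared only by the sibling module-b.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"group": "org.example", "name": "module-a"}},
    "components": [
        {"group": "org.example", "name": "lib-a", "version": "1.0"},
        {"group": "org.example", "name": "lib-b", "version": "3.0"},
    ],
}

if __name__ == "__main__":
    for coordinate in reactor_leakage(SAMPLE_BOM, SAMPLE_DEPENDENCY_LIST):
        print("in BOM but not a dependency of this module:", coordinate)
```

An empty result for every module is the outcome to expect from a BOM that describes only that module.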