@cyclonedx/cdxgen 8.2.3 → 8.2.4

package/README.md

@@ -270,6 +270,8 @@ cdxgen can retain the dependency tree under the `dependencies` attribute for a s
 | SBOM_SIGN_ALGORITHM       | Signature algorithm. Some valid values are RS256, RS384, RS512, PS256, PS384, PS512, ES256 etc                     |
 | SBOM_SIGN_PRIVATE_KEY     | Private key to use for signing                                                                                     |
 | SBOM_SIGN_PUBLIC_KEY      | Optional. Public key to include in the SBoM signature                                                              |
+| CDX_MAVEN_PLUGIN          | CycloneDX Maven plugin to use. Default "org.cyclonedx:cyclonedx-maven-plugin:2.7.6"                                |
+| CDX_MAVEN_GOAL            | CycloneDX Maven plugin goal to use. Default makeAggregateBom. Other options: makeBom, makePackageBom               |
 
 ## Plugins
 

package/index.js

@@ -986,10 +986,11 @@ const createJavaBom = async (path, options) => {
       (options.multiProject ? "**/" : "") + "pom.xml"
     );
     if (pomFiles && pomFiles.length) {
-      let mvnArgs = [
-        "org.cyclonedx:cyclonedx-maven-plugin:2.7.2:makeAggregateBom",
-        "-DoutputName=bom"
-      ];
+      const cdxMavenPlugin =
+        process.env.CDX_MAVEN_PLUGIN ||
+        "org.cyclonedx:cyclonedx-maven-plugin:2.7.6";
+      const cdxMavenGoal = process.env.CDX_MAVEN_GOAL || "makeAggregateBom";
+      let mvnArgs = [`${cdxMavenPlugin}:${cdxMavenGoal}`, "-DoutputName=bom"];
       // By using quiet mode we can reduce the maxBuffer used and avoid crashes
       if (!DEBUG_MODE) {
         mvnArgs.push("-q");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "8.2.3",
+  "version": "8.2.4",
   "description": "Creates CycloneDX Software Bill-of-Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",