Class CreateSpdxMojo

java.lang.Object
org.apache.maven.plugin.AbstractMojo
org.spdx.maven.CreateSpdxMojo
All Implemented Interfaces:
org.apache.maven.plugin.ContextEnabled, org.apache.maven.plugin.Mojo
Direct Known Subclasses:
AggregateSpdxMojo

@Mojo(name="createSPDX", defaultPhase=VERIFY, requiresOnline=true, threadSafe=true) public class CreateSpdxMojo extends org.apache.maven.plugin.AbstractMojo
NOTE: Currently this is a prototype plugin for supporting SPDX in a Maven build.

Goal which creates a new SPDX file for the package being built. Will replace any existing SPDX file.

All SPDX document and SPDX package properties are supported as parameters to the plugin.

File level data supports default parameters which are applied to all files. Future versions of this plugin will support file specific parameters.

The treatment of licenses for Maven is somewhat involved. Where possible, SPDX standard license IDs should be used. If no SPDX standard license is available, a nonStandardLicense must be declared as a parameter, including a unique license ID and the verbatim license text.

The following SPDX fields are populated from the POM project information:

  • package name: project name or artifactId if the project name is not provided
  • package description: project description
  • package shortDescription: project description
  • package downloadUrl: distributionManager url
  • package homePage: project url
  • package supplier: project organization
  • package versionInfo: project version
  • files for analysis: build source files + project resource files

Additional SPDX fields are supplied as configuration parameters to this plugin.

  • Field Details

    • INCLUDE_ALL

      public static final String INCLUDE_ALL
    • CREATOR_TOOL_MAVEN_PLUGIN

      public static final String CREATOR_TOOL_MAVEN_PLUGIN
    • SPDX_RDF_ARTIFACT_TYPE

      public static final String SPDX_RDF_ARTIFACT_TYPE
    • SPDX_JSON_ARTIFACT_TYPE

      public static final String SPDX_JSON_ARTIFACT_TYPE
    • JSON_OUTPUT_FORMAT

      public static final String JSON_OUTPUT_FORMAT
    • RDF_OUTPUT_FORMAT

      public static final String RDF_OUTPUT_FORMAT
    • mavenProjectBuilder

      @Component protected org.apache.maven.project.ProjectBuilder mavenProjectBuilder
    • session

      @Component protected org.apache.maven.execution.MavenSession session
    • dependencyGraphBuilder

      @Component(hint="default") protected org.apache.maven.shared.dependency.graph.DependencyGraphBuilder dependencyGraphBuilder
    • createExternalRefs

      @Parameter(defaultValue="true") protected boolean createExternalRefs
      If true, external document references will be created for any dependencies which contain SPDX documents. If false, the dependent package information will be copied from the SPDX document into the generated SPDX document.
      Since:
      0.6.3
    • includeTransitiveDependencies

      @Parameter(defaultValue="true") protected boolean includeTransitiveDependencies
      If true, all transitive dependencies will be included in the SPDX document. If false, only direct dependencies will be included.
      Since:
      0.6.3
    • useArtifactID

      @Parameter(property="spdx.useArtifactID") protected boolean useArtifactID
      If true, use ${project.groupId}:${artifactId} as the SPDX package name. Otherwise, ${project.name} will be used.
    • generatePurls

      @Parameter(property="spdx.generatePurls") protected boolean generatePurls
      If true, adds an external reference to every package with category "PACKAGE-MANAGER", type "purl" and locator "pkg:maven/${project.groupId}/${project.artifactId}@${project.version}".
  • Constructor Details

    • CreateSpdxMojo

      public CreateSpdxMojo()
  • Method Details

    • execute

      public void execute() throws org.apache.maven.plugin.MojoExecutionException
      Throws:
      org.apache.maven.plugin.MojoExecutionException
    • buildSpdxDependencyInformation

      protected void buildSpdxDependencyInformation(AbstractDocumentBuilder builder, OutputFormat outputFormatEnum) throws LicenseMapperException, org.spdx.core.InvalidSPDXAnalysisException, org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException
      Collects dependency information from Maven dependencies and adds it to the builder's SPDX document.
      Parameters:
      builder - SPDX document builder
      Throws:
      LicenseMapperException - on errors related to mapping Maven licenses to SPDX licenses
      org.spdx.core.InvalidSPDXAnalysisException - on SPDX parsing errors
      org.apache.maven.shared.dependency.graph.DependencyGraphBuilderException
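
An added example, not part of the plugin or its documentation: a Python check over a generated SPDX JSON document that confirms every package carries the purl external reference described under generatePurls and that the purl version agrees with the package versionInfo. The SPDX 2.x JSON field names, the function names and the sample document are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Locator shape documented for generatePurls:
#   pkg:maven/<groupId>/<artifactId>@<version>   (qualifiers after '?' are ignored)
MAVEN_PURL = re.compile(
    r"^pkg:maven/(?P<group>[^/@?#]+)/(?P<artifact>[^/@?#]+)@(?P<version>[^?#]+)")
# Assumption: accept both spellings of the category seen in SPDX 2.x JSON files.
PURL_CATEGORIES = {"PACKAGE-MANAGER", "PACKAGE_MANAGER"}

def maven_purls(package):
    """Return (groupId, artifactId, version) for each Maven purl ref on a package."""
    found = []
    for ref in package.get("externalRefs", []):
        if (ref.get("referenceCategory") in PURL_CATEGORIES
                and ref.get("referenceType") == "purl"):
            m = MAVEN_PURL.match(ref.get("referenceLocator", ""))
            if m:
                found.append(tuple(unquote(m[k])
                                   for k in ("group", "artifact", "version")))
    return found

def audit(doc):
    """Return SPDX IDs of packages lacking a Maven purl or carrying a stale one."""
    findings = {"missing_purl": [], "version_mismatch": []}
    for pkg in doc.get("packages", []):
        purls = maven_purls(pkg)
        if not purls:
            findings["missing_purl"].append(pkg.get("SPDXID"))
        elif all(version != pkg.get("versionInfo") for _, _, version in purls):
            findings["version_mismatch"].append(pkg.get("SPDXID"))
    return findings

# Constructed sample document (not plugin output).
SAMPLE = {"packages": [
    {"SPDXID": "SPDXRef-ok", "versionInfo": "1.2.0", "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:maven/com.example/app@1.2.0"}]},
    {"SPDXID": "SPDXRef-nopurl", "versionInfo": "3.1"},
    {"SPDXID": "SPDXRef-stale", "versionInfo": "2.0.1", "externalRefs": [
        {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:maven/com.example/lib@2.0.0?type=jar"}]},
]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real build, load the generated file with json.load and pass the result to audit.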