SBOM generation should fail on unknown pom.xml dependency

[metametadata]

pom.xml with the non-existent abc/def dependency:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>foo</groupId>
  <artifactId>bar</artifactId>
  <packaging>jar</packaging>
  <version>1.0.0</version>
  <name>foo</name>
  <dependencies>
    <dependency>
      <groupId>abc</groupId>
      <artifactId>def</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>

Command:

CDXGEN_DEBUG_MODE=debug PREFER_MAVEN_DEPS_TREE=true cdxgen --fail-on-error --no-include-formulation --no-recurse --output sbom.json --type java

Expected

The command fails with non-0 exit code, sbom.json is not generated.

Actual

Exit code 0, sbom.json is generated.

[prabhu]

Is there a way to make maven cli error out? I only a see a warning and the command succeeds.

mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------< foo:bar >-------------------------------
[INFO] Building foo 1.0.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The POM for abc:def:jar:1.2.3 is missing, no dependency information available
[INFO]
[INFO] --- dependency:3.7.0:tree (default-cli) @ bar ---
[INFO] foo:bar:jar:1.0.0
[INFO] \- abc:def:jar:1.2.3:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.894 s
[INFO] Finished at: 2024-11-17T18:59:01Z
[INFO] ------------------------------------------------------------------------

[metametadata]

I rarely use Maven directly as I code in Clojure and use Leiningen automation tool instead of writing pom.xml by hand. But quick googling leads to https://maven.apache.org/plugins/maven-dependency-plugin/examples/failing-the-build-on-dependency-analysis-warnings.html.

[prabhu]

Thank you!

The below command works.

mvn dependency:analyze-only -DfailOnWarning=true

The below, however, did not.

mvn dependency:tree -DfailOnWarning=true
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------< foo:bar >-------------------------------
[INFO] Building foo 1.0.0
[INFO]   from pom.xml
[INFO] --------------------------------[ jar ]---------------------------------
[WARNING] The POM for abc:def:jar:1.2.3 is missing, no dependency information available
[INFO]
[INFO] --- dependency:3.7.0:tree (default-cli) @ bar ---
[INFO] foo:bar:jar:1.0.0
[INFO] \- abc:def:jar:1.2.3:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.966 s
[INFO] Finished at: 2024-11-17T20:44:08Z
[INFO] ------------------------------------------------------------------------

May be if options.failOnError is set, then cdxgen could invoke analyze-only followed by tree?