tessl/maven-com-vaadin--vaadin-maven-plugin

Maven plugin for Vaadin Flow applications that handles frontend resource management, webpack bundling, and development workflow automation

docs/sbom-generation.md

Software Bill of Materials (SBOM) Generation

The SBOM generation goals create standardized CycloneDX Software Bill of Materials files for both backend (Maven) and frontend (npm) dependencies, supporting security compliance and vulnerability analysis.

Goals Overview

<goal>generate-maven-sbom</goal>  <!-- Backend (Maven) dependencies SBOM -->
<goal>generate-npm-sbom</goal>    <!-- Frontend (npm) dependencies SBOM -->
<!-- Default phase: process-resources -->
<!-- Dependency resolution: compile -->

Both goals generate CycloneDX-compliant SBOM files for comprehensive dependency tracking. Because they bind to process-resources and write below ${project.build.outputDirectory} by default, the generated BOMs end up inside the packaged jar/war as classpath resources. That is convenient when a deployed application must carry its own inventory, but it also means anyone who can download the artifact can read the full dependency list; point the output directory outside target/classes if the SBOM should remain a build-time artifact only.

Maven SBOM Generation

Purpose

The generate-maven-sbom goal creates SBOM files focused on backend Java dependencies using the CycloneDX Maven plugin.

Configuration Parameters

<configuration>
  <!-- Component metadata -->
  <projectType>application</projectType>
  <schemaVersion>1.4</schemaVersion>
  <includeBomSerialNumber>true</includeBomSerialNumber>

  <!-- Scope inclusion -->
  <includeCompileScope>true</includeCompileScope>
  <includeProvidedScope>true</includeProvidedScope>
  <includeRuntimeScope>true</includeRuntimeScope>
  <includeTestScope>false</includeTestScope>
  <includeSystemScope>true</includeSystemScope>

  <!-- Output configuration -->
  <outputFormat>json</outputFormat>
  <outputName>bom</outputName>
  <outputDirectory>${project.build.outputDirectory}/resources</outputDirectory>

  <!-- Additional options -->
  <includeLicenseText>false</includeLicenseText>
  <outputReactorProjects>true</outputReactorProjects>
  <verbose>false</verbose>
</configuration>

Parameter Reference

<!-- Component type for SBOM metadata -->
<projectType>application|library|framework|device|firmware|container</projectType>

<!-- CycloneDX schema version -->
<schemaVersion>1.3|1.4|1.5</schemaVersion>

<!-- Include unique BOM serial number -->
<includeBomSerialNumber>true|false</includeBomSerialNumber>

<!-- Dependency scope inclusion -->
<includeCompileScope>true|false</includeCompileScope>
<includeProvidedScope>true|false</includeProvidedScope>
<includeRuntimeScope>true|false</includeRuntimeScope>
<includeTestScope>true|false</includeTestScope>
<includeSystemScope>true|false</includeSystemScope>

<!-- Output format options -->
<outputFormat>json|xml|all</outputFormat>
<outputName>string</outputName>
<outputDirectory>path</outputDirectory>

<!-- Advanced options -->
<includeLicenseText>true|false</includeLicenseText>
<outputReactorProjects>true|false</outputReactorProjects>
<excludeTypes>type1,type2,...</excludeTypes>
<excludeArtifactId>artifact1,artifact2,...</excludeArtifactId>
<excludeGroupId>group1,group2,...</excludeGroupId>
<excludeTestProject>true|false</excludeTestProject>
<verbose>true|false</verbose>

NPM SBOM Generation

Purpose

The generate-npm-sbom goal creates SBOM files focused on frontend npm dependencies using the CycloneDX npm tool (@cyclonedx/cyclonedx-npm, invoked through npx), which means the frontend tooling must already be installed and resolvable when the goal runs.

Configuration Parameters

<configuration>
  <!-- NPM analysis options -->
  <ignoreNpmErrors>false</ignoreNpmErrors>
  <packageLockOnly>false</packageLockOnly>
  <omit>dev</omit>

  <!-- Output formatting -->
  <flattenComponents>false</flattenComponents>
  <shortPURLs>false</shortPURLs>
  <outputReproducible>false</outputReproducible>
  <validate>true</validate>

  <!-- Component metadata -->
  <mcType>application</mcType>
  <productionMode>false</productionMode>

  <!-- File paths -->
  <outputFormat>json</outputFormat>
  <outputFilePath>${project.build.outputDirectory}/resources/bom-npm.json</outputFilePath>
  <packageManifest>./package.json</packageManifest>
  <specVersion>1.4</specVersion>
</configuration>

Parameter Reference

<!-- NPM behavior options -->
<ignoreNpmErrors>true|false</ignoreNpmErrors>              <!-- Ignore NPM installation errors -->
<packageLockOnly>true|false</packageLockOnly>              <!-- Use only lock file, not node_modules -->
<omit>dev|optional|peer</omit>                             <!-- Dependency types to omit -->

<!-- Output formatting -->
<flattenComponents>true|false</flattenComponents>          <!-- Flatten component hierarchy -->
<shortPURLs>true|false</shortPURLs>                        <!-- Omit PURL qualifiers -->
<outputReproducible>true|false</outputReproducible>        <!-- Make output reproducible -->
<validate>true|false</validate>                            <!-- Validate generated SBOM -->

<!-- Component type -->
<mcType>application|library|firmware</mcType>              <!-- Main component type -->
<productionMode>true|false</productionMode>                <!-- Mark as production -->

<!-- File configuration -->
<outputFormat>json|xml</outputFormat>                      <!-- Output format -->
<outputFilePath>path/to/output/file</outputFilePath>       <!-- Output file path -->
<packageManifest>path/to/package.json</packageManifest>    <!-- package.json location -->
<specVersion>1.3|1.4|1.5</specVersion>                    <!-- CycloneDX spec version -->

Usage Examples

Basic SBOM Generation

<plugin>
  <groupId>com.vaadin</groupId>
  <artifactId>vaadin-maven-plugin</artifactId>
  <version>24.9.0</version>
  <executions>
    <execution>
      <goals>
        <goal>generate-maven-sbom</goal>
        <goal>generate-npm-sbom</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Custom Maven SBOM Configuration

<plugin>
  <groupId>com.vaadin</groupId>
  <artifactId>vaadin-maven-plugin</artifactId>
  <version>24.9.0</version>
  <configuration>
    <!-- Maven SBOM settings -->
    <projectType>library</projectType>
    <schemaVersion>1.5</schemaVersion>
    <outputFormat>xml</outputFormat>
    <outputName>security-bom</outputName>
    <includeTestScope>true</includeTestScope>
    <includeLicenseText>true</includeLicenseText>
    <verbose>true</verbose>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>generate-maven-sbom</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Custom NPM SBOM Configuration

<plugin>
  <groupId>com.vaadin</groupId>
  <artifactId>vaadin-maven-plugin</artifactId>
  <version>24.9.0</version>
  <configuration>
    <!-- NPM SBOM settings -->
    <productionMode>true</productionMode>
    <omit>dev,optional</omit>
    <outputReproducible>true</outputReproducible>
    <flattenComponents>false</flattenComponents>
    <outputFilePath>target/security/frontend-bom.json</outputFilePath>
    <mcType>library</mcType>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>generate-npm-sbom</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Security-Focused Configuration

Both goals read the plugin-level <configuration>, and some parameter names overlap with different accepted values (outputFormat is json|xml|all for the Maven goal but json|xml for the npm goal), so keep goal-specific settings in per-execution configuration blocks:

<executions>
  <execution>
    <id>maven-sbom</id>
    <goals>
      <goal>generate-maven-sbom</goal>
    </goals>
    <configuration>
      <includeCompileScope>true</includeCompileScope>
      <includeRuntimeScope>true</includeRuntimeScope>
      <includeTestScope>false</includeTestScope>   <!-- Test-only code never ships -->
      <includeLicenseText>true</includeLicenseText>
      <outputFormat>all</outputFormat>  <!-- Generate both JSON and XML -->
    </configuration>
  </execution>
  <execution>
    <id>npm-sbom</id>
    <goals>
      <goal>generate-npm-sbom</goal>
    </goals>
    <configuration>
      <omit>dev</omit>                 <!-- Exclude dev dependencies from security analysis -->
      <validate>true</validate>        <!-- Ensure SBOM validity -->
      <outputReproducible>true</outputReproducible>  <!-- Drop time- and random-based values so identical inputs give identical BOMs -->
    </configuration>
  </execution>
</executions>
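The reproducibility settings above only remove time- and random-based values from the frontend BOM; the Maven BOM still carries a fresh serialNumber and timestamp on every run. To compare BOMs across builds, and to notice when a dependency quietly appears or changes version, you still need to canonicalise the rest. The following Python is an added example, not code from the Vaadin plugin or this page: it normalises a CycloneDX JSON BOM (drops serialNumber and metadata.timestamp, sorts components by purl) and reports component drift between two builds. The three BOMs are constructed inline for illustration.

```python
import json
from typing import Any

# Fields that legitimately differ between two runs over identical inputs
# (includeBomSerialNumber / timestamps) and must be ignored when comparing.
VOLATILE_TOP_LEVEL = ("serialNumber",)
VOLATILE_METADATA = ("timestamp",)


def component_key(c: dict[str, Any]) -> str:
    # purl is the most specific identity; fall back to group/name/version when absent
    return c.get("purl") or f"{c.get('group', '')}/{c.get('name', '')}@{c.get('version', '')}"


def normalize(bom: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a CycloneDX JSON BOM with volatile fields removed and
    components in a stable order, so two BOMs from the same inputs compare equal."""
    out = json.loads(json.dumps(bom))  # deep copy; never mutate the caller's object
    for key in VOLATILE_TOP_LEVEL:
        out.pop(key, None)
    for key in VOLATILE_METADATA:
        out.get("metadata", {}).pop(key, None)
    out["components"] = sorted(out.get("components", []), key=component_key)
    return out


def canonical(bom: dict[str, Any]) -> str:
    """Canonical JSON serialisation: sorted keys, no insignificant whitespace."""
    return json.dumps(normalize(bom), sort_keys=True, separators=(",", ":"))


def component_drift(old: dict[str, Any], new: dict[str, Any]) -> dict[str, list]:
    """Compare two BOMs by component identity (group + name) and report what changed:
    'added'/'removed' list purls, 'changed' lists (identity, old_version, new_version)."""
    def by_identity(bom: dict[str, Any]) -> dict[tuple[str, str], dict[str, Any]]:
        return {(c.get("group", ""), c["name"]): c for c in bom.get("components", [])}

    o, n = by_identity(old), by_identity(new)
    added = sorted(component_key(n[k]) for k in n.keys() - o.keys())
    removed = sorted(component_key(o[k]) for k in o.keys() - n.keys())
    changed = sorted(
        ("/".join(filter(None, k)), o[k].get("version"), n[k].get("version"))
        for k in o.keys() & n.keys()
        if o[k].get("version") != n[k].get("version")
    )
    return {"added": added, "removed": removed, "changed": changed}


# --- constructed sample BOMs (illustrative, not real plugin output) ----------------
def _bom(serial: str, ts: str, comps: list) -> dict[str, Any]:
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "serialNumber": serial, "version": 1,
        "metadata": {"timestamp": ts,
                     "component": {"type": "application", "name": "my-frontend", "version": "1.0.0"}},
        "components": comps,
    }

LIT_28 = {"type": "library", "name": "lit", "version": "2.8.0", "purl": "pkg:npm/lit@2.8.0"}
LIT_30 = {"type": "library", "name": "lit", "version": "3.0.0", "purl": "pkg:npm/lit@3.0.0"}
RXJS = {"type": "library", "name": "rxjs", "version": "7.8.1", "purl": "pkg:npm/rxjs@7.8.1"}
LEFT_PAD = {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"}

# Same inputs, different run: only serial number, timestamp and component order differ.
BUILD_1 = _bom("urn:uuid:11111111-1111-1111-1111-111111111111", "2024-01-01T00:00:00Z", [RXJS, LIT_28])
BUILD_2 = _bom("urn:uuid:22222222-2222-2222-2222-222222222222", "2024-01-02T00:00:00Z", [LIT_28, RXJS])
# A later build: lit bumped, rxjs dropped, a new transitive package pulled in.
BUILD_3 = _bom("urn:uuid:33333333-3333-3333-3333-333333333333", "2024-01-03T00:00:00Z", [LIT_30, LEFT_PAD])

if __name__ == "__main__":
    print("build1 == build2 after normalisation:", canonical(BUILD_1) == canonical(BUILD_2))
    print("drift build1 -> build3:", json.dumps(component_drift(BUILD_1, BUILD_3), indent=2))
```

Store the canonical form (or its hash) with each build; a non-empty "added" or "changed" list between two builds whose source did not touch dependency declarations is exactly the signal a supply-chain review wants to see before the artifact is promoted.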

Command Line Execution

The goal prefix of com.vaadin:vaadin-maven-plugin is vaadin, so both goals are invoked with that prefix:

# Generate both SBOMs
mvn vaadin:generate-maven-sbom vaadin:generate-npm-sbom

# Generate Maven SBOM only
mvn vaadin:generate-maven-sbom

# Generate NPM SBOM only
mvn vaadin:generate-npm-sbom

# Custom output directory
mvn vaadin:generate-maven-sbom -Dvaadin.outputDirectory=target/security

# Include test dependencies
mvn vaadin:generate-maven-sbom -Dvaadin.includeTestScope=true

# Verbose NPM SBOM generation (-X enables Maven debug logging)
mvn vaadin:generate-npm-sbom -Dvaadin.validate=true -X

Generated SBOM Files

Maven SBOM Output

Default location: target/classes/resources/bom.json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:12345678-1234-1234-1234-123456789012",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-01T00:00:00Z",
    "component": {
      "type": "application",
      "name": "my-vaadin-app",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "group": "com.vaadin",
      "name": "vaadin-core",
      "version": "24.9.0",
      "purl": "pkg:maven/com.vaadin/vaadin-core@24.9.0",
      "licenses": [...]
    }
  ]
}

NPM SBOM Output

Default location: target/classes/resources/bom-npm.json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:87654321-4321-4321-4321-210987654321",
  "version": 1,
  "metadata": {
    "component": {
      "type": "application",
      "name": "my-frontend",
      "version": "1.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "lit",
      "version": "2.8.0",
      "purl": "pkg:npm/lit@2.8.0",
      "licenses": [...]
    }
  ]
}

Integration with Security Tools

Vulnerability Scanning

The generated files can be fed to any tool that consumes CycloneDX. Note that OWASP Dependency-Check scans built artifacts and emits a CycloneDX report; the OWASP tool that ingests a CycloneDX BOM is Dependency-Track. Host name and API key in the upload example are placeholders:

# Using Grype
grype sbom:target/classes/resources/bom.json

# Using Trivy
trivy sbom target/classes/resources/bom.json

# Using Snyk (SBOM testing sits behind the experimental flag)
snyk sbom test --experimental --file=target/classes/resources/bom.json

# Uploading to OWASP Dependency-Track
curl -X POST "https://dtrack.example.com/api/v1/bom" \
  -H "X-Api-Key: $DTRACK_API_KEY" \
  -F "projectName=myapp" -F "projectVersion=1.0.0" -F "autoCreate=true" \
  -F "bom=@target/classes/resources/bom.json"

CI/CD Integration

#!/bin/bash
# CI/CD security pipeline: generate both BOMs, then fail the build on high or critical findings
set -euo pipefail
mvn -B vaadin:generate-maven-sbom vaadin:generate-npm-sbom
grype sbom:target/classes/resources/bom.json --fail-on high
grype sbom:target/classes/resources/bom-npm.json --fail-on high
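The scanner invocations above assume the two BOMs are well formed and actually describe the ecosystems they are supposed to. A BOM with no components, components without versions, or maven purls in the frontend file will scan "clean" and hide exactly the dependencies you wanted covered. The following Python is an added example, not code from the Vaadin plugin or this page: it applies the structural checks a CI gate should run before upload (format, spec version, every component versioned and identified by a purl of the expected ecosystem, no duplicates), and merges the backend and frontend BOMs into one document for tools that want a single BOM per project. Sample BOMs are constructed inline; bom-ref collisions between the two dependency graphs are assumed not to occur.

```python
import json
import uuid
from typing import Any

SUPPORTED_SPEC_VERSIONS = {"1.3", "1.4", "1.5"}  # the versions the plugin parameters accept


def validate_bom(bom: dict[str, Any], expected_purl_type: str) -> list[str]:
    """Return a list of problems (empty when the BOM passes). expected_purl_type is
    'maven' for the backend BOM and 'npm' for the frontend BOM."""
    problems: list[str] = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")
    if bom.get("specVersion") not in SUPPORTED_SPEC_VERSIONS:
        problems.append(f"unsupported specVersion {bom.get('specVersion')!r}")
    if not bom.get("metadata", {}).get("component", {}).get("name"):
        problems.append("metadata.component.name missing (scanners need to know what was scanned)")
    components = bom.get("components", [])
    if not components:
        problems.append("no components: generation probably ran before dependency resolution")
    seen: set[str] = set()
    for i, c in enumerate(components):
        label = f"components[{i}] ({c.get('name', '?')})"
        if not c.get("version"):
            problems.append(f"{label}: missing version; cannot be matched to advisories")
        purl = c.get("purl")
        if not purl:
            problems.append(f"{label}: missing purl")
            continue
        if not purl.startswith(f"pkg:{expected_purl_type}/"):
            problems.append(f"{label}: purl {purl} is not pkg:{expected_purl_type}/ (wrong ecosystem?)")
        if purl in seen:
            problems.append(f"{label}: duplicate purl {purl}")
        seen.add(purl)
    return problems


def gate(backend: dict[str, Any], frontend: dict[str, Any]) -> tuple[bool, list[str]]:
    """Validate both BOMs against their ecosystem; True means the pipeline may continue."""
    problems = [f"backend: {p}" for p in validate_bom(backend, "maven")]
    problems += [f"frontend: {p}" for p in validate_bom(frontend, "npm")]
    return (not problems, problems)


def merge_boms(backend: dict[str, Any], frontend: dict[str, Any]) -> dict[str, Any]:
    """Union the two component lists (deduplicated by purl) under the backend BOM's
    metadata, with a fresh serial number. Dependency graphs are concatenated; the
    frontend's own metadata.component is dropped (assumption: one application, one BOM)."""
    merged = json.loads(json.dumps(backend))  # deep copy, keep the caller's object intact
    merged["serialNumber"] = f"urn:uuid:{uuid.uuid4()}"
    merged.setdefault("components", [])
    seen = {c.get("purl") for c in merged["components"]}
    for c in frontend.get("components", []):
        if c.get("purl") not in seen:
            merged["components"].append(c)
            seen.add(c.get("purl"))
    deps = backend.get("dependencies", []) + frontend.get("dependencies", [])
    if deps:
        merged["dependencies"] = deps
    return merged


# --- constructed sample BOMs (illustrative, not real plugin output) ----------------
BACKEND_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "serialNumber": "urn:uuid:12345678-1234-1234-1234-123456789012", "version": 1,
    "metadata": {"component": {"type": "application", "name": "my-vaadin-app", "version": "1.0.0"}},
    "components": [{"type": "library", "group": "com.vaadin", "name": "vaadin-core",
                    "version": "24.9.0", "purl": "pkg:maven/com.vaadin/vaadin-core@24.9.0"}],
}
FRONTEND_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "serialNumber": "urn:uuid:87654321-4321-4321-4321-210987654321", "version": 1,
    "metadata": {"component": {"type": "application", "name": "my-frontend", "version": "1.0.0"}},
    "components": [{"type": "library", "name": "lit", "version": "2.8.0", "purl": "pkg:npm/lit@2.8.0"}],
}
# A frontend BOM with the defects the gate is meant to catch.
BROKEN_FRONTEND_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "my-frontend", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "lit", "purl": "pkg:npm/lit@2.8.0"},                     # no version
        {"type": "library", "name": "vaadin-core", "version": "24.9.0",
         "purl": "pkg:maven/com.vaadin/vaadin-core@24.9.0"},                                  # wrong ecosystem
        {"type": "library", "name": "lit", "version": "2.8.0", "purl": "pkg:npm/lit@2.8.0"},  # duplicate
    ],
}

if __name__ == "__main__":
    ok, problems = gate(BACKEND_BOM, FRONTEND_BOM)
    print("gate passed:", ok)
    print("broken frontend:", *validate_bom(BROKEN_FRONTEND_BOM, "npm"), sep="\n  ")
    print(json.dumps(merge_boms(BACKEND_BOM, FRONTEND_BOM), indent=2))
```

Run the gate before any upload or scan step and fail the job on a non-empty problem list; the merge is optional and only worth doing when the receiving tool tracks one BOM per project rather than one per ecosystem.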

Troubleshooting

NPM SBOM Generation Issues

Error: node_modules not found
Solution: Run mvn vaadin:prepare-frontend first, or make sure npm install has completed in the project root; the frontend goal analyses the installed tree unless packageLockOnly is set
Error: CycloneDX tool not available
Solution: Ensure npx can resolve @cyclonedx/cyclonedx-npm; in an offline or proxied build this requires registry access or the package being pre-installed

Maven SBOM Generation Issues

Error: CycloneDX plugin execution failed
Solution: Check Maven repository access, verify plugin version compatibility

Output Directory Issues

Error: Cannot write to output directory
Solution: Ensure directory exists and has write permissions, create directory structure

Advanced Configuration

Multi-Module Projects

For Maven multi-module projects:

<!-- In parent pom.xml -->
<plugin>
  <groupId>com.vaadin</groupId>
  <artifactId>vaadin-maven-plugin</artifactId>
  <version>24.9.0</version>
  <configuration>
    <outputReactorProjects>true</outputReactorProjects>  <!-- Include all modules -->
    <excludeTestProject>true</excludeTestProject>        <!-- Exclude test modules -->
  </configuration>
</plugin>

Custom Exclusions

<configuration>
  <!-- Exclude internal/test artifacts (constructed example values) -->
  <excludeGroupId>com.example.internal,org.test</excludeGroupId>
  <excludeArtifactId>mock-server,test-support</excludeArtifactId>
  <excludeTypes>test-jar,javadoc</excludeTypes>
</configuration>

Every exclusion makes the SBOM a less faithful picture of what ships. Exclude only artifacts that genuinely never reach the deployable (test fixtures, javadoc jars, internal build tooling); excluding a runtime dependency to quiet a scanner hides the finding rather than fixing it.

Corporate Environment Settings

<configuration>
  <!-- NPM SBOM in corporate environment -->
  <ignoreNpmErrors>true</ignoreNpmErrors>  <!-- Handle corporate proxy issues -->
  <packageLockOnly>true</packageLockOnly>  <!-- Use only lock file if node_modules problematic -->
  <validate>false</validate>               <!-- Skip validation if network restricted -->
</configuration>

Each of these trades SBOM fidelity for a green build: ignoreNpmErrors lets the goal emit a BOM even though npm reported problems, so the component list may be incomplete; packageLockOnly describes what the lock file says rather than what is actually installed in node_modules; and validate=false means a malformed BOM is only noticed when a downstream scanner rejects it. Treat them as temporary workarounds and remove them once the proxy or registry issue is resolved.
