Internet Explorer is no longer supported. Many things will still work, but your experience will be degraded and some things won't function. Please use a modern browser such as Edge, Chrome, or Firefox.

ProGet SCA Integration with Java

view on GitHub

Projects and Releases in ProGet let you track the open-source and third-party components (packages) that your organization uses, and help you identify issues like vulnerabilities, license violations, and missing packages.

While other languages, like C#, NodeJs, and Python, can use Inedo's pgscan to scan for dependencies and import them to ProGet, Maven works best using the CycloneDX Maven Plugin directly.

Configuring Your Maven Project

Use the CycloneDX Maven Plugin to generate a Software Bill Of Materials (SBOM) and import that file into ProGet's SCA Projects using the Exec Maven Plugin.

Configuring CycloneDX

Add the CycloneDX Maven Plugin plugin to the plugins node in your project pom.xml.

<plugin>
	<groupId>org.cyclonedx</groupId>
	<artifactId>cyclonedx-maven-plugin</artifactId>
	<version>2.7.5</version>
	<configuration>
		<projectType>library</projectType>
		<schemaVersion>1.4</schemaVersion>
		<includeBomSerialNumber>true</includeBomSerialNumber>
		<includeCompileScope>true</includeCompileScope>
		<includeProvidedScope>true</includeProvidedScope>
		<includeRuntimeScope>true</includeRuntimeScope>
		<includeSystemScope>true</includeSystemScope>
		<includeTestScope>false</includeTestScope>
		<includeLicenseText>false</includeLicenseText>
		<outputReactorProjects>true</outputReactorProjects>
		<outputFormat>xml</outputFormat>
		<outputName>bom</outputName>
		<outputDirectory>${project.build.directory}</outputDirectory>
		<verbose>false</verbose>
	</configuration>
	<executions>
		<execution>
			<phase>package</phase>
			<goals>
				<goal>makeAggregateBom</goal>
			</goals>
		</execution>
	</executions>
</plugin>

Once added, this plugin will generate a Software Bill of Materials (SBOM) XML file during the package phase of the Maven lifecycle.

This will also configure the deploy phase of the Maven lifecycle to append the bom.xml as an artifact on the package with the name <package_name>-<version>-cyclonedx.xml (ex: hello-world-maven-2.0.1-cyclonedx.xml).

To prevent this file from being uploaded, add <skipAttach>false</skipAttach> to the configuration node of the CycloneDX Maven plugin.

Configuring Maven to Import your SBOM

Once you have configured Maven to generate your SBOM file, you will need to configure the Exec Maven Plugin to execute curl to import it into your project in ProGet.

To do this, we recommend first creating an API key that has the appropriate permissions to upload SBOM documents. Once you have that, you can edit the plugins node of your pom.xml file as follows.

<plugin>
	<groupId>org.codehaus.mojo</groupId>
	<artifactId>exec-maven-plugin</artifactId>
	<version>3.1.0</version>
	<executions>
		<execution>
		<id>publish-project</id>
		<phase>deploy</phase>
		<goals>
			<goal>exec</goal>
		</goals>
		<configuration>
			<executable>curl</executable>
			<arguments>
				<argument>-k</argument>
				<argument>-i</argument>
				<argument>-X</argument> 
				<argument>POST</argument> 
				<argument>-H</argument>
				<argument>"Content-Type: text/xml"</argument>
				<argument>-H</argument>
				<argument>"X-Apikey: «api key»"</argument>
				<argument>--fail-with-body</argument>
                <argument>-s</argument>
				<argument>-d</argument>
				<argument>@bom.xml</argument>
				<argument>«proget host URL»/api/sca/issues</argument>
			</arguments>
            <useMavenLogger>true</useMavenLogger>
			<workingDirectory>${project.build.directory}</workingDirectory>
		</configuration>
		</execution>
	</executions>
</plugin>

Once added, this plugin will call curl to import the file sbom.xml in the build directory into ProGet during the deploy phase of the Maven lifecycle.

Best Practice: Use Properties for the API and API Key

Instead of specifying the repository URL directly, we recommend using a property. This allows you to not only override the settings when running the mvn deploy command, but to specify the property in the settings.xml file instead of in each project.

To do this, add (or edit) the properties node under the ProGet profile in your settings.xml file:

<profiles>
    <profile>
        <id>ProGet</id>
        <properties>
            <proget-sca-api>http://my.proget.server/api/sca/import</proget-sca-api>
	        <proget-sca-api-key>«api key»</proget-sca-api-key>
        </properties>
        ... snip ...

Then, you can use a property in your POM file like this:

<plugin>
	<groupId>org.codehaus.mojo</groupId>
	<artifactId>exec-maven-plugin</artifactId>
	<version>3.1.0</version>
	<executions>
		<execution>
		<id>publish-project</id>
		<phase>deploy</phase>
		<goals>
			<goal>exec</goal>
		</goals>
		<configuration>
			<executable>curl</executable>
			<arguments>
				<argument>-k</argument>
				<argument>-i</argument>
				<argument>-X</argument> 
				<argument>POST</argument> 
				<argument>-H</argument>
				<argument>"Content-Type: text/xml"</argument>
				<argument>-H</argument>
				<argument>"X-Apikey: ${proget-sca-api-key}"</argument>
				<argument>--fail-with-body</argument>
                <argument>-s</argument>
				<argument>-d</argument>
				<argument>@bom.xml</argument>
				<argument>${proget-sca-api}</argument>
			</arguments>
            <useMavenLogger>true</useMavenLogger>
			<workingDirectory>${project.build.directory}</workingDirectory>
		</configuration>
		</execution>
	</executions>
</plugin>

Publish Your Dependencies

Once the plugins have been configured, your dependencies will then be published to a ProGet SCA project when mvn deploy is run.