
Generated boms are always of type "library" although <projectType>application</projectType> is configured #632

@Ulathar


I noticed that some of my tracked projects are all of a sudden listed as "Library" in my Dependency-Track instance instead of "Application".
I double checked by editing these projects back to "Application" and then reran CycloneDX + the Dependency-Track plugin to push a new bom to the tracker.
The result is that after that action the tracked projects are of type "library" again.
So I dug into the generated boms and noticed that the types of all the components in there are at their default "library", ignoring / overwriting my configuration, which is set to "application".

I can't tell for sure since when this behavior occurs; it might be since the update to v2.9.1.

The relevant configuration part of my CycloneDX Plugin configuration in my pom.xml:

<configuration>
    <projectType>application</projectType>
    <schemaVersion>1.6</schemaVersion>
    <includeBomSerialNumber>true</includeBomSerialNumber>
    <includeCompileScope>true</includeCompileScope>
    <includeProvidedScope>true</includeProvidedScope>
    <includeRuntimeScope>true</includeRuntimeScope>
    <includeSystemScope>true</includeSystemScope>
    <includeTestScope>false</includeTestScope>
    <includeLicenseText>false</includeLicenseText>
    <outputReactorProjects>true</outputReactorProjects>
    <outputFormat>all</outputFormat>
    <outputName>bom</outputName>
    <outputDirectory>${project.build.directory}</outputDirectory>
    <verbose>true</verbose>
</configuration>

The plugin configuration takes place in the "pluginManagement" section of my pom.xml.

The generated bom contains this description for the actual project / module / component:

    "component" : {
      "type" : "library",
      [...]
    },
    "properties" : [
      {
        "name" : "maven.goal",
        "value" : "makeAggregateBom"
      },
      {
        "name" : "maven.scopes",
        "value" : "compile,provided,runtime,system"
      }
    ]
  }

So it looks like the actual projectType in the configuration is ignored?

Expected behavior:

  • The Project Type stays at the configured type "Application" in the Dependency-Tracker
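A CI guard for the mismatch described in this issue, added here as an example and not part of the issue or of cyclonedx-maven-plugin: it reads the `<projectType>` from the plugin's `<configuration>` in pom.xml (pluginManagement or build plugins, both are walked) and fails when the generated bom.json's `metadata.component.type` differs, so a regressed BOM is caught before it is pushed to Dependency-Track. The pom and BOM inputs below are constructed samples; `DEFAULT_PROJECT_TYPE` assumes the plugin's documented default of "library".

```python
# Added example, not part of the issue or the cyclonedx-maven-plugin: a CI guard that
# fails the build when the generated bom.json does not carry the projectType configured
# for the plugin in pom.xml. Assumes <projectType> lives in the plugin's <configuration>
# (pluginManagement or build plugins) and that the BOM is the plugin's JSON output.
import json
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"
DEFAULT_PROJECT_TYPE = "library"  # plugin default when <projectType> is not configured


def configured_project_type(pom_xml: str) -> str:
    """Return the cyclonedx-maven-plugin <projectType> from a pom, or the plugin default."""
    root = ET.fromstring(pom_xml)
    for plugin in root.iter(MAVEN_NS + "plugin"):  # iter() also descends into pluginManagement
        if plugin.findtext(MAVEN_NS + "artifactId") != "cyclonedx-maven-plugin":
            continue
        value = plugin.findtext(f"{MAVEN_NS}configuration/{MAVEN_NS}projectType")
        if value and value.strip():
            return value.strip()
    return DEFAULT_PROJECT_TYPE


def bom_type_findings(bom_json: str, expected: str) -> list:
    """Compare metadata.component.type (the root component) with the configured type."""
    bom = json.loads(bom_json)
    component = bom.get("metadata", {}).get("component") or {}
    actual = component.get("type")
    if actual == expected:
        return []
    return [f"metadata.component.type={actual!r} but pom.xml configures projectType={expected!r}"]


# Constructed sample inputs mirroring the issue: the pom configures "application",
# the emitted BOM still says "library".
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><pluginManagement><plugins><plugin>
    <groupId>org.cyclonedx</groupId><artifactId>cyclonedx-maven-plugin</artifactId>
    <configuration><projectType>application</projectType><schemaVersion>1.6</schemaVersion></configuration>
  </plugin></plugins></pluginManagement></build>
</project>"""
SAMPLE_BOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
                         "metadata": {"component": {"type": "library", "name": "my-app"}}})

if __name__ == "__main__":
    import sys
    problems = bom_type_findings(SAMPLE_BOM, configured_project_type(SAMPLE_POM))
    for line in problems:
        print("BOM check failed:", line)
    sys.exit(1 if problems else 0)
```

In a real pipeline, replace the two samples with the contents of pom.xml and target/bom.json and run the script as a build step before the Dependency-Track upload.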
