CycloneDX · apupier · May 7, 2025
diff --git a/src/it/makeAggregateBom/central-publishing-maven-plugin/pom.xml b/src/it/makeAggregateBom/central-publishing-maven-plugin/pom.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  This file is part of CycloneDX Maven Plugin.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+  SPDX-License-Identifier: Apache-2.0
+  Copyright (c) OWASP Foundation. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.cyclonedx.its</groupId>
+        <artifactId>makeAggregateBom</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>central-publishing-maven-plugin</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.cyclonedx</groupId>
+            <artifactId>cyclonedx-core-java</artifactId>
+            <version>9.0.5</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+    <plugins>
+        <plugin>
+            <groupId>org.sonatype.central</groupId>
+            <artifactId>central-publishing-maven-plugin</artifactId>
+            <version>0.7.0</version>
+            <extensions>true</extensions>
+            <configuration>
+                <publishingServerId>central</publishingServerId>
+                <autoPublish>true</autoPublish>
+            </configuration>
+        </plugin>
+</plugins>
+    </build>
+</project>
diff --git a/src/it/makeAggregateBom/pom.xml b/src/it/makeAggregateBom/pom.xml
@@ -78,6 +78,7 @@
 
     <modules>
         <module>api</module>
+        <module>central-publishing-maven-plugin</module>
         <module>impls</module>
         <module>skipped</module>
         <module>util</module>

diff --git a/src/it/makeAggregateBom/skipped/central-publishing-maven-plugin-config/pom.xml b/src/it/makeAggregateBom/skipped/central-publishing-maven-plugin-config/pom.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  This file is part of CycloneDX Maven Plugin.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+  SPDX-License-Identifier: Apache-2.0
+  Copyright (c) OWASP Foundation. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.cyclonedx.its</groupId>
+        <artifactId>skipped</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>central-publishing-maven-plugin-config</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.cyclonedx</groupId>
+            <artifactId>cyclonedx-core-java</artifactId>
+            <version>9.0.5</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+    <plugins>
+        <plugin>
+            <groupId>org.sonatype.central</groupId>
+            <artifactId>central-publishing-maven-plugin</artifactId>
+            <version>0.7.0</version>
+            <extensions>true</extensions>
+            <configuration>
+                <publishingServerId>central</publishingServerId>
+                <autoPublish>true</autoPublish>
+                <skipPublishing>true</skipPublishing>
+            </configuration>
+        </plugin>
+</plugins>
+    </build>
+</project>
diff --git a/src/it/makeAggregateBom/skipped/central-publishing-maven-plugin-property/pom.xml b/src/it/makeAggregateBom/skipped/central-publishing-maven-plugin-property/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  This file is part of CycloneDX Maven Plugin.
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+  SPDX-License-Identifier: Apache-2.0
+  Copyright (c) OWASP Foundation. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.cyclonedx.its</groupId>
+        <artifactId>skipped</artifactId>
+        <version>1.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>central-publishing-maven-plugin-property</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.cyclonedx</groupId>
+            <artifactId>cyclonedx-core-java</artifactId>
+            <version>9.0.5</version>
+        </dependency>
+    </dependencies>
+
+    <properties>
+       <skipPublishing>true</skipPublishing>
+    </properties>
+
+    <build>
+    <plugins>
+        <plugin>
+            <groupId>org.sonatype.central</groupId>
+            <artifactId>central-publishing-maven-plugin</artifactId>
+            <version>0.7.0</version>
+            <extensions>true</extensions>
+            <configuration>
+                <publishingServerId>central</publishingServerId>
+                <autoPublish>true</autoPublish>
+            </configuration>
+        </plugin>
+</plugins>
+    </build>
+</project>
diff --git a/src/it/makeAggregateBom/skipped/pom.xml b/src/it/makeAggregateBom/skipped/pom.xml
@@ -30,6 +30,8 @@
     <packaging>pom</packaging>
 
     <modules>
+      <module>central-publishing-maven-plugin-config</module>
+      <module>central-publishing-maven-plugin-property</module>
       <module>deploy-property</module>
       <module>deploy-property-force</module>
       <module>deploy-config</module>

diff --git a/src/it/makeAggregateBom/verify.groovy b/src/it/makeAggregateBom/verify.groovy
@@ -25,6 +25,7 @@ void assertNoBomFiles(String path) {
 
 assertBomFiles("target/bom", true) // aggregate
 assertBomFiles("api/target/bom", false)
+assertBomFiles("central-publishing-maven-plugin/target/bom", false)
 assertBomFiles("util/target/bom", false)
 assertBomFiles("impls/target/bom", false)
 assertBomFiles("impls/impl-A/target/bom", false)
@@ -33,23 +34,25 @@ assertBomFiles("skipped/target/bom", false)
 assertBomFiles("skipped/deploy-config-force/target/bom", false)
 assertBomFiles("skipped/deploy-property-force/target/bom", false)
 
+assertNoBomFiles("skipped/central-publishing-maven-plugin-config/target/bom")
+assertNoBomFiles("skipped/central-publishing-maven-plugin-property/target/bom")
 assertNoBomFiles("skipped/deploy-config/target/bom")
 assertNoBomFiles("skipped/deploy-property/target/bom")
 assertNoBomFiles("skipped/nexus-config/target/bom")
 assertNoBomFiles("skipped/nexus-property/target/bom")
 
 var buildLog = new File(basedir, "build.log").text
 
-assert 17 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Dependencies/).size()
+assert 19 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Dependencies/).size()
 assert 2 == (buildLog =~ /\[INFO\] CycloneDX: Resolving Aggregated Dependencies/).size()
 
-// 19 = 9 modules for main cyclonedx-makeAggregateBom execution
+// 21 = 10 modules for main cyclonedx-makeAggregateBom execution
 //    + 1 for root module cyclonedx-makeAggregateBom-root-only execution
-//    + 9 modules for additional cyclonedx-makeBom execution
-assert 19 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(XML\)/).size()
-assert 19 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(JSON\)/).size()
-// cyclonedx-makeAggregateBom-root-only execution skips 7 non-root modules
-assert 8 == (buildLog =~ /\[INFO\] Skipping CycloneDX on non-execution root/).size()
+//    + 10 modules for additional cyclonedx-makeBom execution
+assert 21 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(XML\)/).size()
+assert 21 == (buildLog =~ /\[INFO\] CycloneDX: Writing and validating BOM \(JSON\)/).size()
+// cyclonedx-makeAggregateBom-root-only execution skips 9 non-root modules
+assert 9 == (buildLog =~ /\[INFO\] Skipping CycloneDX on non-execution root/).size()
 
 // [WARNING] artifact org.cyclonedx.its:api:xml:cyclonedx:1.0-SNAPSHOT already attached, replace previous instance
 assert 0 == (buildLog =~ /-SNAPSHOT already attached, replace previous instance/).size()
@@ -84,4 +87,4 @@ assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/a
 assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/[email protected]?type=pom"/>')
 assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/[email protected]?type=jar"/>')
 assert rootDependencies.contains('<dependency ref="pkg:maven/org.cyclonedx.its/[email protected]?type=pom"/>')
-assert 5 == (rootDependencies =~ /<dependency ref="pkg:maven/).size()
+assert 6 == (rootDependencies =~ /<dependency ref="pkg:maven/).size()
diff --git a/src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java b/src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java
@@ -272,6 +272,7 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo {
      */
     private static final String MAVEN_DEPLOY_PLUGIN = "org.apache.maven.plugins:maven-deploy-plugin";
     private static final String NEXUS_STAGING_PLUGIN = "org.sonatype.plugins:nexus-staging-maven-plugin";
+    private static final String CENTRAL_PUBLISHING_PLUGIN = "org.sonatype.central:central-publishing-maven-plugin";
 
     /**
      * Returns a reference to the current project.
@@ -604,25 +605,33 @@ static boolean isDeployable(final MavenProject project) {
         return isDeployable(project,
                         MAVEN_DEPLOY_PLUGIN,
                         "skip",
-                        "maven.deploy.skip")
+                        "maven.deploy.skip",
+                        "deploy")
                 || isDeployable(project,
                         NEXUS_STAGING_PLUGIN,
                         "skipNexusStagingDeployMojo",
-                        "skipNexusStagingDeployMojo");
+                        "skipNexusStagingDeployMojo",
+                        "deploy")
+                || isDeployable(project,
+                        CENTRAL_PUBLISHING_PLUGIN,
+                        "skipPublishing",
+                        "skipPublishing",
+                        "publish");
     }
 
     private static boolean isDeployable(final MavenProject project,
                                         final String pluginKey,
                                         final String parameter,
-                                        final String propertyName) {
+                                        final String propertyName, 
+                                        final String goal) {
         final Plugin plugin = project.getPlugin(pluginKey);
         if (plugin != null) {
             // Default skip value
             final String property = System.getProperty(propertyName, project.getProperties().getProperty(propertyName));
             final boolean defaultSkipValue = property != null ? Boolean.parseBoolean(property) : false;
             // Find an execution that is not skipped
             for (final PluginExecution execution : plugin.getExecutions()) {
-                if (execution.getGoals().contains("deploy")) {
+                if (execution.getGoals().contains(goal)) {
                     final Xpp3Dom executionConf = (Xpp3Dom) execution.getConfiguration();
                     final Xpp3Dom target = (executionConf == null) ? null : executionConf.getChild(parameter);
                     final boolean skipValue = (target == null) ? defaultSkipValue : Boolean.parseBoolean(target.getValue());