Update CycloneDX Maven plugin version to 2.9.0 #1198

Open
o-liver wants to merge 1 commit into SAP:master from o-liver:patch-1

@o-liver
Member

o-liver commented Feb 17, 2026

Description

The older version is not Java 21 compatible. We see the following error:

Error: Failed to execute goal org.cyclonedx:cyclonedx-maven-plugin:2.7.5:makeAggregateBom (default-cli) on project btc-cross-healthcheck-srv: Execution default-cli of goal org.cyclonedx:cyclonedx-maven-plugin:2.7.5:makeAggregateBom failed: Unsupported class file major version 65 -> [Help 1]

Checklist

  • Code compiles correctly
  • Relevant tests were added (unit / contract / integration)
  • Relevant logs were added
  • Formatting and linting run locally successfully
  • All tests pass
  • UA review
  • Design is documented
  • Extended the README / documentation, if necessary
  • Open source is approved

The older version is not java 21 compatible
@littleamigo

@kbarnold Would you be so nice and review/merge this fix and then release a new image on docker hub?

@o-liver
Member Author

o-liver commented Feb 18, 2026

The thing is that this issue existed before the last release. If you look at git blame this was introduced with a lower version than the non-custom case 11 months ago. I don't know the reason for that? Why was it not simply copied from the non-custom case 10 lines above? Maybe there is a reason and we should not change it 🤔

@o-liver
Member Author

o-liver commented Feb 18, 2026

In any case, for all custom build users there is a workaround (according to AI, did not test it myself!) by setting the sbom-create-commands parameter at the right place in the mta.yaml, e.g.:

modules:
  - name: your-module
    type: java
    build-parameters:
      builder: custom
      sbom-create-commands:
        - mvn org.cyclonedx:cyclonedx-maven-plugin:2.9.0:makeAggregateBom -DschemaVersion=1.4 -DincludeBomSerialNumber=true -DincludeCompileScope=true -DincludeRuntimeScope=true -DincludeSystemScope=true -DincludeTestScope=false -DincludeLicenseText=false -DoutputFormat=xml -DoutputName=${sbom-file-name}

It would be great if people could test this and report back here if it works for them. That would also give us a heads-up whether this solution works at all.

@o-liver
Member Author

o-liver commented Feb 18, 2026

> The thing is that this issue existed before the last release. If you look at git blame this was introduced with a lower version than the non-custom case 11 months ago. I don't know the reason for that? Why was it not simply copied from the non-custom case 10 lines above? Maybe there is a reason and we should not change it 🤔

Ok, now I got it: This was never released. It comes from this huge PR #1154 that was never released and thus never field tested. Who knows what else went into the master and then just lay about before this release more than one year later 😦

@wlsc

wlsc commented Feb 18, 2026

> The thing is that this issue existed before the last release. If you look at git blame this was introduced with a lower version than the non-custom case 11 months ago. I don't know the reason for that? Why was it not simply copied from the non-custom case 10 lines above? Maybe there is a reason and we should not change it 🤔

I know the answer here: yes, it was introduced 11 months ago, but the latest build until the recent fix that got released was more than 1 year ago, in November or so 2024.

@littleamigo

Are we going to merge the fix or not? If so, what's stopping us from merging it soon?

@o-liver
Member Author

o-liver commented Feb 19, 2026

It needs an approval from a person with the right authority.

@littleamigo

I hope Ken picks it up soon 🙇

@kbarnold
Collaborator

> I hope Ken picks it up soon 🙇

I want to have this in the next release.
