[Java][CI] Failed to generate SBOM by CycloneDX

[kou]

Describe the bug, including details regarding any error messages, version, and platform.

https://github.com/ursacomputing/crossbow/actions/runs/4675892709/jobs/8296102801#step:6:17292

[INFO] CycloneDX: Resolving Dependencies
Error: [ERROR] An error occurred attempting to read POM
org.codehaus.plexus.util.xml.pull.XmlPullParserException: UTF-8 BOM plus xml decl of ISO-8859-1 is incompatible (position: START_DOCUMENT seen <?xml version="1.0" encoding="ISO-8859-1"... @1:42) 
    at org.codehaus.plexus.util.xml.pull.MXParser.parseXmlDeclWithVersion (MXParser.java:3439)
    at org.codehaus.plexus.util.xml.pull.MXParser.parseXmlDecl (MXParser.java:3361)
    at org.codehaus.plexus.util.xml.pull.MXParser.parsePI (MXParser.java:3213)
    at org.codehaus.plexus.util.xml.pull.MXParser.parseProlog (MXParser.java:1828)
    at org.codehaus.plexus.util.xml.pull.MXParser.nextImpl (MXParser.java:1757)
    at org.codehaus.plexus.util.xml.pull.MXParser.next (MXParser.java:1375)
    at org.apache.maven.model.io.xpp3.MavenXpp3Reader.read (MavenXpp3Reader.java:3940)
    at org.apache.maven.model.io.xpp3.MavenXpp3Reader.read (MavenXpp3Reader.java:612)
    at org.apache.maven.model.io.xpp3.MavenXpp3Reader.read (MavenXpp3Reader.java:627)
    at org.cyclonedx.maven.BaseCycloneDxMojo.readPom (BaseCycloneDxMojo.java:759)
    at org.cyclonedx.maven.BaseCycloneDxMojo.readPom (BaseCycloneDxMojo.java:746)
    at org.cyclonedx.maven.BaseCycloneDxMojo.retrieveParentProject (BaseCycloneDxMojo.java:694)
    at org.cyclonedx.maven.BaseCycloneDxMojo.getClosestMetadata (BaseCycloneDxMojo.java:524)
    at org.cyclonedx.maven.BaseCycloneDxMojo.convert (BaseCycloneDxMojo.java:481)
    at org.cyclonedx.maven.CycloneDxMojo.execute (CycloneDxMojo.java:70)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:126)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:342)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:330)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:213)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:175)
    at org.apache.maven.lifecycle.internal.MojoExecutor.access$000 (MojoExecutor.java:76)
    at org.apache.maven.lifecycle.internal.MojoExecutor$1.run (MojoExecutor.java:163)
    at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute (DefaultMojosExecutionStrategy.java:39)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:160)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:105)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:73)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:53)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:118)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:261)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:173)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:101)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:827)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:272)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:195)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[INFO] CycloneDX: Creating BOM
[INFO] CycloneDX: Writing BOM (XML): /Users/runner/work/crossbow/crossbow/arrow/java/vector/target/bom.xml
[INFO] CycloneDX: Validating BOM (XML): /Users/runner/work/crossbow/crossbow/arrow/java/vector/target/bom.xml
[INFO] CycloneDX: Writing BOM (JSON): /Users/runner/work/crossbow/crossbow/arrow/java/vector/target/bom.json
[INFO] CycloneDX: Validating BOM (JSON): /Users/runner/work/crossbow/crossbow/arrow/java/vector/target/bom.json
Warning:  Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword

Component(s)

Continuous Integration, Java

[kou]

@dongjoon-hyun Could you take a look at this because you introduce this feature by #15267?

[dongjoon-hyun]

Hi, @kou . Did you change Apache Maven version or CycloneDX plugin version? There was a reported issue for that combinations.

In Apache Spark community, we used a fixed Maven version to avoid Apache Maven project regression.

https://github.com/apache/spark/blob/2931993e059f5d3741fc09438b7da88ccd8d4446/pom.xml#L116

<maven.version>3.8.7</maven.version>

[kou]

@dongjoon-hyun Thanks for taking a look at this! Sorry. I'm not familiar with Java but it seems that we didn't change Apache Maven version nor CycloneDX plugin version explicitly. You pinned CycloneDX plugin version in #15267. So CycloneDX plugin version may not be changed. But it seems that we don't pin Apache Maven's version explicitly. So Apache Maven version may be changed.

There was a reported issue for that combinations.

Could you share the URL of the report?

[dongjoon-hyun]

Thank you. I'll check more in Arrow repository.

The report came from Apache Hadoop community while Apache ORC, Apache Parquet, Apache Zookeeper, Apache Spark 3.4.0 RC7 (vote will finished tonight) published SBOM successfully.

• Apache Hadoop: apache/hadoop@55254de
• Apache ORC 1.7.8: https://repo1.maven.org/maven2/org/apache/orc/orc-core/1.7.8/orc-core-1.7.8-cyclonedx.json
• Apache ORC 1.8.2: https://repo1.maven.org/maven2/org/apache/orc/orc-core/1.8.2/orc-core-1.8.2-cyclonedx.json
• Apache ORC 1.8.3: https://repo1.maven.org/maven2/org/apache/orc/orc-core/1.8.3/orc-core-1.8.3-cyclonedx.json
• Apache Parquet 1.13.0: https://repo1.maven.org/maven2/org/apache/parquet/parquet-common/1.13.0/parquet-common-1.13.0-cyclonedx.json
• Apache Zookeeper 3.8.1: https://repo1.maven.org/maven2/org/apache/zookeeper/zookeeper/3.8.1/zookeeper-3.8.1-cyclonedx.json
• Apache Spark 3.4.0 RC7: https://repository.apache.org/content/repositories/orgapachespark-1441/org/apache/spark/spark-core_2.12/3.4.0/spark-core_2.12-3.4.0-cyclonedx.json

[dongjoon-hyun]

BTW, from Spark community, we found that cyclonedx plugin 2.7.5 has some issues, but cyclones plugin 2.7.6 works fine.

I verified the reported Arrow build issue locally with the following command and verified that new latest plugin fixes it, @kou .

$ mvn clean package -DskipTests --pl vector --am

Let me make a PR.

[dongjoon-hyun]

Here is the PR.

• GH-35086: Upgrade cyclonedx-maven-plugin to 2.7.6 #35094

[kou]

Thanks for the information!
Sorry... I'm trying 2.7.6 in #35092...

[dongjoon-hyun]

No problem at all. Thank you always. 👍🏻