Hello, While looking at differences in generated CycloneDX SBOMs[1] I stumbled upon an incoherence in the way Maven builds models of a project's dependencies.
On one hand the properties defined in a project have no effect on the effective models of dependencies. For example in:

  <properties>
    <log4j2.version>3.0.0-beta1</log4j2.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>3.2.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

the `log4j2.version` property will have no effect on the resolved effective model of `spring-boot-dependencies`, even if the POM also uses a `log4j2.version` variable[2].

On the other hand profiles change the effective model of a dependency. E.g. using:

  <dependencies>
    <dependency>
      <groupId>commons-pool</groupId>
      <artifactId>commons-pool</artifactId>
      <version>1.5.4</version>
    </dependency>
  </dependencies>

the effective model of `commons-pool` will have a different `<distributionManagement>` element if I run the project with `-Prelease` or without it.

Is this an intentional choice or is it a bug? I suppose that profiles might influence the other artifacts in a Maven reactor, but I am not sure external dependencies should be influenced as well.

Piotr

[1] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/432
[2] https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/3.2.0/
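The two observations above (project properties not reaching a dependency's effective model, and an active profile changing a dependency's `<distributionManagement>`) both come down to comparing two effective models of the same artifact and seeing which sections moved. The script below is an added example, not code from the mail, from Maven, or from the cyclonedx-maven-plugin: it flattens two effective POMs into leaf paths and reports every path whose value differs, plus the top-level sections affected, so a reproducibility check for an SBOM can assert that only the expected sections (or none) change between builds. The two POM documents are constructed stand-ins that mimic the `commons-pool` case with and without `-Prelease`; they are not the real `commons-pool` POMs, and the repository URLs are placeholders. In practice the inputs would be the files written by `mvn help:effective-pom -Doutput=<file>` from each build.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set, Tuple

# Constructed stand-ins for two effective POMs of the same dependency, one from
# a default build and one with a profile active. They are NOT the real
# commons-pool POMs; only the distributionManagement section differs.
POM_DEFAULT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>commons-pool</groupId>
  <artifactId>commons-pool</artifactId>
  <version>1.5.4</version>
  <distributionManagement>
    <repository>
      <id>snapshots</id>
      <url>https://repo.example.invalid/snapshots</url>
    </repository>
  </distributionManagement>
</project>"""

POM_RELEASE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>commons-pool</groupId>
  <artifactId>commons-pool</artifactId>
  <version>1.5.4</version>
  <distributionManagement>
    <repository>
      <id>releases</id>
      <url>https://repo.example.invalid/releases</url>
    </repository>
  </distributionManagement>
</project>"""


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def flatten(pom_xml: str) -> Dict[str, str]:
    """Map every leaf element to a slash-separated path, e.g.
    'project/distributionManagement/repository/id' -> 'releases'.
    Repeated sibling tags (several <dependency> under <dependencies>) get a
    positional suffix so they do not overwrite each other."""
    leaves: Dict[str, str] = {}

    def walk(elem: ET.Element, path: str) -> None:
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
            return
        counts: Dict[str, int] = {}
        for child in children:
            counts[_local(child.tag)] = counts.get(_local(child.tag), 0) + 1
        seen: Dict[str, int] = {}
        for child in children:
            name = _local(child.tag)
            if counts[name] > 1:
                seen[name] = seen.get(name, 0) + 1
                name = f"{name}[{seen[name] - 1}]"
            walk(child, f"{path}/{name}")

    root = ET.fromstring(pom_xml)
    walk(root, _local(root.tag))
    return leaves


def diff_models(left_xml: str, right_xml: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {path: (left_value, right_value)} for every leaf that differs or
    exists on only one side (the missing side is reported as None)."""
    left, right = flatten(left_xml), flatten(right_xml)
    return {
        path: (left.get(path), right.get(path))
        for path in sorted(set(left) | set(right))
        if left.get(path) != right.get(path)
    }


def affected_sections(diff: Dict[str, Tuple[Optional[str], Optional[str]]]) -> Set[str]:
    """Top-level POM sections touched by a diff, e.g. {'distributionManagement'};
    useful for asserting that a profile changed nothing that feeds an SBOM."""
    return {path.split("/")[1] for path in diff if "/" in path}


if __name__ == "__main__":
    changes = diff_models(POM_DEFAULT, POM_RELEASE)
    for path, (before, after) in changes.items():
        print(f"{path}: {before!r} -> {after!r}")
    print("sections affected:", sorted(affected_sections(changes)))
```

On the constructed inputs the only affected section is `distributionManagement`, which is exactly the kind of drift the mail describes; the same comparison run on the `spring-boot-dependencies` import with and without a `log4j2.version` property would, per the observation above, report no differences at all.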