CycloneDX
diff --git a/‎README.md‎
Lines changed: 29 additions & 0 deletions b/‎README.md‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java‎
Lines changed: 74 additions & 1 deletion b/‎src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java‎
Lines changed: 74 additions & 1 deletion
diff --git a/‎src/main/java/org/cyclonedx/maven/DefaultModelConverter.java‎
Lines changed: 130 additions & 0 deletions b/‎src/main/java/org/cyclonedx/maven/DefaultModelConverter.java‎
Lines changed: 130 additions & 0 deletions
@@ -58,6 +58,8 @@ Default Values
             <outputName>bom</outputName>
             <outputDirectory>${project.build.directory}</outputDirectory><!-- usually target, if not redefined in pom.xml -->
             <verbose>false</verbose><!-- = ${cyclonedx.verbose} -->
+            <preserveParentReferences>false</preserveParentReferences>
+            <includeParentsAsComponents>true</includeParentsAsComponents>
         </configuration>
     </plugin>
 </plugins>
@@ -67,6 +69,33 @@ Default Values
 
 See also [External References](https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html) documentation for details on this topic.
 
+Parent POM Preservation
+-------------------
+By default, the plugin flattens the Maven effective POM model, merging all dependencies from parent POMs into a single list. When `preserveParentReferences` is enabled, the plugin preserves the parent POM hierarchy:
+
+* **`preserveParentReferences`**: Enable parent POM preservation (default: `false`)
+  * When `true`, parent POMs become direct dependencies of the component that references them
+  * Walks the entire parent chain recursively (child ? parent ? grandparent ? ...)
+  * Dependencies inherited from parent POMs are reorganized to depend on their introducing parent
+
+* **`includeParentsAsComponents`**: Include parent POMs in the components section (default: `true`)
+  * When `true`, parent POMs appear as components in the BOM
+  * When `false`, parent POMs are referenced only in the dependency graph but not listed as components
+
+Example configuration to preserve parent POM references:
+
+```xml
+<configuration>
+    <preserveParentReferences>true</preserveParentReferences>
+    <includeParentsAsComponents>true</includeParentsAsComponents>
+</configuration>
+```
+
+This is useful for:
+* Understanding the complete project structure including parent POMs
+* Tracking which parent POM introduces specific dependencies
+* Maintaining visibility of the full Maven inheritance hierarchy
+
 Excluding Projects
 -------------------
 With `makeAggregateBom` goal, it is possible to exclude certain Maven reactor projects (aka modules) from getting included in the aggregate BOM:
 
@@ -183,6 +183,25 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo {
     @Parameter(property = "detectUnusedForOptionalScope", defaultValue = "false")
     protected boolean detectUnusedForOptionalScope;
 
+    /**
+     * Should parent POM references be preserved as dependencies instead of being flattened in the effective POM?
+     * When enabled, if a project has a parent POM, the parent will be added as a direct dependency.
+     *
+     * @since 3.0.0
+     */
+    @Parameter(property = "preserveParentReferences", defaultValue = "false", required = false)
+    protected boolean preserveParentReferences;
+
+    /**
+     * When preserveParentReferences is enabled, this controls whether parent POMs should be included
+     * as components in the BOM or only as dependency relationships.
+     * Only takes effect when preserveParentReferences is true.
+     *
+     * @since 3.0.0
+     */
+    @Parameter(property = "includeParentsAsComponents", defaultValue = "true", required = false)
+    protected boolean includeParentsAsComponents;
+
     /**
      * Skip CycloneDX execution.
      *
@@ -472,7 +491,7 @@ private void saveBomToFile(String bomString, String extension, Parser bomParser)
 
     protected BomDependencies extractBOMDependencies(MavenProject mavenProject) throws MojoExecutionException {
         ProjectDependenciesConverter.MavenDependencyScopes include = new ProjectDependenciesConverter.MavenDependencyScopes(includeCompileScope, includeProvidedScope, includeRuntimeScope, includeTestScope, includeSystemScope);
-        return projectDependenciesConverter.extractBOMDependencies(mavenProject, include, excludeTypes);
+        return projectDependenciesConverter.extractBOMDependencies(mavenProject, include, excludeTypes, preserveParentReferences);
     }
 
     /**
@@ -527,6 +546,16 @@ protected void populateComponents(final Set<String> topLevelComponents, final Ma
         for (Map.Entry<String, Artifact> entry: artifacts.entrySet()) {
             final String purl = entry.getKey();
             final Artifact artifact = entry.getValue();
+            
+            // Skip parent POMs if includeParentsAsComponents is false
+            if (preserveParentReferences && !includeParentsAsComponents && "pom".equals(artifact.getType())) {
+                // Check if this artifact is a parent POM by seeing if it's referenced as a parent
+                if (isParentArtifact(artifact, artifacts)) {
+                    getLog().debug("Skipping parent POM component (includeParentsAsComponents=false): " + purl);
+                    continue;
+                }
+            }
+            
             final Component.Scope artifactScope = getComponentScope(artifact, dependencyAnalysis);
             final Component component = components.get(purl);
             if (component == null) {
@@ -634,4 +663,48 @@ private static boolean isDeployable(final MavenProject project,
         }
         return false;
     }
+
+    /**
+     * Checks if an artifact is a parent POM by determining if any other artifact references it as a parent.
+     *
+     * @param candidate the artifact to check
+     * @param artifacts all artifacts in the project
+     * @return true if the candidate is a parent of any artifact
+     */
+    private boolean isParentArtifact(Artifact candidate, Map<String, Artifact> artifacts) {
+        if (!"pom".equals(candidate.getType())) {
+            return false;
+        }
+        
+        // First check if the main project has this as a parent
+        if (getProject().hasParent() && getProject().getParent() != null) {
+            MavenProject parent = getProject().getParent();
+            if (parent.getGroupId().equals(candidate.getGroupId()) &&
+                parent.getArtifactId().equals(candidate.getArtifactId()) &&
+                parent.getVersion().equals(candidate.getVersion())) {
+                return true;
+            }
+        }
+        
+        // Check each artifact to see if this candidate is its parent
+        for (Artifact artifact : artifacts.values()) {
+            // Skip comparing the artifact with itself (by coordinates, not object identity)
+            if (artifact.getGroupId().equals(candidate.getGroupId()) &&
+                artifact.getArtifactId().equals(candidate.getArtifactId()) &&
+                artifact.getVersion().equals(candidate.getVersion())) {
+                continue;
+            }
+            
+            if (modelConverter.hasParentPom(artifact)) {
+                Artifact parent = modelConverter.getParentArtifact(artifact);
+                if (parent != null && 
+                    parent.getGroupId().equals(candidate.getGroupId()) &&
+                    parent.getArtifactId().equals(candidate.getArtifactId()) &&
+                    parent.getVersion().equals(candidate.getVersion())) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
 }
@@ -27,9 +27,11 @@
 import org.apache.maven.execution.MavenSession;
 import org.apache.maven.model.MailingList;
 import org.apache.maven.model.building.ModelBuildingRequest;
+import org.apache.maven.project.DefaultProjectBuildingRequest;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.project.ProjectBuilder;
 import org.apache.maven.project.ProjectBuildingException;
+import org.apache.maven.project.ProjectBuildingRequest;
 import org.apache.maven.project.ProjectBuildingResult;
 import org.apache.maven.repository.RepositorySystem;
 import org.cyclonedx.Version;
@@ -56,8 +58,10 @@
 import java.net.URISyntaxException;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
+import java.util.Set;
 import java.util.TreeMap;
 import java.util.stream.Collectors;
 import org.apache.maven.model.Plugin;
@@ -443,4 +447,130 @@ private static boolean isBlank(String s) {
     private static boolean isLicenseBlank(org.apache.maven.model.License license) {
         return isBlank(license.getName()) && isBlank(license.getUrl());
     }
+
+    @Override
+    public boolean hasParentPom(Artifact artifact) {
+        try {
+            final Artifact pomArtifact = repositorySystem.createProjectArtifact(artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion());
+            final ProjectBuildingResult build = mavenProjectBuilder.build(pomArtifact,
+                    session.getProjectBuildingRequest()
+                        .setValidationLevel(ModelBuildingRequest.VALIDATION_LEVEL_MINIMAL)
+                        .setProcessPlugins(false)
+                        .setResolveDependencies(false)
+            );
+            final MavenProject project = build.getProject();
+            return project.hasParent() && project.getParent() != null;
+        } catch (ProjectBuildingException e) {
+            logger.debug("Unable to check parent for " + artifact.getId(), e);
+            return false;
+        }
+    }
+
+    @Override
+    public Artifact getParentArtifact(Artifact artifact) {
+        try {
+            final Artifact pomArtifact = repositorySystem.createProjectArtifact(artifact.getGroupId(), artifact.getArtifactId(), artifact.getVersion());
+            final ProjectBuildingResult build = mavenProjectBuilder.build(pomArtifact,
+                    session.getProjectBuildingRequest()
+                        .setValidationLevel(ModelBuildingRequest.VALIDATION_LEVEL_MINIMAL)
+                        .setProcessPlugins(false)
+                        .setResolveDependencies(false)
+            );
+            final MavenProject project = build.getProject();
+            if (project.hasParent() && project.getParent() != null) {
+                final MavenProject parent = project.getParent();
+                // Create an artifact for the parent POM
+                return new DefaultArtifact(
+                    parent.getGroupId(),
+                    parent.getArtifactId(),
+                    parent.getVersion(),
+                    null, // scope
+                    "pom", // type
+                    null, // classifier
+                    new DefaultArtifactHandler("pom")
+                );
+            }
+        } catch (ProjectBuildingException e) {
+            logger.debug("Unable to get parent for " + artifact.getId(), e);
+        }
+        return null;
+    }
+
+    @Override
+    public Set<String> getDirectDependencyPurls(Artifact artifact) {
+        final Set<String> directDeps = new HashSet<>();
+        
+        try {
+            // Build the artifact's POM to get its model
+            final DefaultArtifact pomArtifact = new DefaultArtifact(
+                artifact.getGroupId(),
+                artifact.getArtifactId(),
+                artifact.getVersion(),
+                null,  // scope
+                "pom",
+                null,  // classifier
+                new DefaultArtifactHandler("pom")
+            );
+
+            final ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest());
+            buildingRequest.setValidationLevel(ModelBuildingRequest.VALIDATION_LEVEL_MINIMAL);
+            buildingRequest.setResolveDependencies(false);
+            buildingRequest.setProcessPlugins(false);
+
+            final ProjectBuildingResult build = mavenProjectBuilder.build(pomArtifact, buildingRequest);
+            final MavenProject project = build.getProject();
+
+            // Get dependencies from the original model
+            if (project.getOriginalModel() != null && project.getOriginalModel().getDependencies() != null) {
+                for (org.apache.maven.model.Dependency dep : project.getOriginalModel().getDependencies()) {
+                    try {
+                        // Skip if essential coordinates are missing
+                        if (dep.getGroupId() == null || dep.getArtifactId() == null) {
+                            continue;
+                        }
+                        
+                        // Version might be null if inherited from dependencyManagement
+                        String version = dep.getVersion();
+                        if (version == null) {
+                            // Try to find the version from the effective dependencies
+                            for (org.apache.maven.model.Dependency effectiveDep : project.getDependencies()) {
+                                if (dep.getGroupId().equals(effectiveDep.getGroupId()) && 
+                                    dep.getArtifactId().equals(effectiveDep.getArtifactId())) {
+                                    version = effectiveDep.getVersion();
+                                    break;
+                                }
+                            }
+                        }
+                        
+                        // If we still don't have a version, skip this dependency
+                        if (version == null) {
+                            logger.debug("Skipping dependency without version: " + dep.getGroupId() + ":" + dep.getArtifactId());
+                            continue;
+                        }
+                        
+                        // Create an artifact to generate the pURL
+                        final DefaultArtifact depArtifact = new DefaultArtifact(
+                            dep.getGroupId(),
+                            dep.getArtifactId(),
+                            version,
+                            dep.getScope(),
+                            dep.getType() != null ? dep.getType() : "jar",
+                            dep.getClassifier(),
+                            new DefaultArtifactHandler(dep.getType() != null ? dep.getType() : "jar")
+                        );
+                        final String purl = generatePackageUrl(depArtifact);
+                        if (purl != null) {
+                            directDeps.add(purl);
+                        }
+                    } catch (Exception e) {
+                        logger.warn("Error processing dependency " + dep.getGroupId() + ":" + dep.getArtifactId(), e);
+                    }
+                }
+            }
+        } catch (Exception e) {
+            logger.warn("Error loading POM for artifact " + artifact.getId(), e);
+        }
+        
+        return directDeps;
+    }
 }