CycloneDX / cyclonedx-core-java

CycloneDX SBOM Model and Utils for Creating and Validating BOMs
https://cyclonedx.org/
Apache License 2.0

Compatibility issues with dependency-check - no release of cyclonedx-core-java since oct 23 #399

Closed boardbloke closed 3 months ago

boardbloke commented 5 months ago

I can see on master, in pom.xml, that jackson-dataformat-xml is 2.16.1, but the currently released version (8.0.3) uses v2.15.3.

When used in a Gradle build (via the CycloneDX plugin) that causes incompatibility issues with other plugins - like the dependency-check OWASP plugin - which is already using jackson v2.16.1

That is, the version of jackson selected by Gradle for a build that contains both cyclone and owasp plugins is 2.16.1 and that causes cyclonedx to crash.

Can we have a release that reflects what is on master please?

Many Thanks! Neilll

boardbloke commented 5 months ago

I should add, when there is a version conflict I see the following in my build output when running the cycloneDx task from the Gradle plugin -

Execution failed for task ':cyclonedxBom'.

'void com.fasterxml.jackson.core.base.GeneratorBase.<init>(int, com.fasterxml.jackson.core.ObjectCodec, com.fasterxml.jackson.core.io.IOContext)'

Not sure if that is this library or the gradle plugin code that uses it though...
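The failure above is the classic shape of a plugin-classpath conflict: both plugins pull Jackson onto the build classpath, Gradle keeps the highest requested version, and the plugin that was compiled against the older constructor signature fails with a NoSuchMethodError at task execution time. The following build.gradle fragment is an added example, not code from the issue thread or from the CycloneDX project: it pins every Jackson module on the build classpath to one version and registers a diagnostic task that lists what Gradle actually resolved. The plugin ids are the published ids of the two plugins; the plugin versions and the forced Jackson version (2.15.3, the version the report says the 8.0.3 release was built against) are assumptions and should be adjusted to the versions in use.

```groovy
// build.gradle (Groovy DSL). Added example; not part of the CycloneDX project.
// The buildscript block must come before the plugins block so that the
// resolution strategy is in place when the plugin classpath is resolved.
buildscript {
    configurations.classpath {
        resolutionStrategy {
            // Align every com.fasterxml.jackson.* module on the build classpath on a
            // single version. 2.15.3 is an assumption taken from this report: it is
            // what cyclonedx-core-java 8.0.3 was built against, so the cyclonedxBom
            // task sees the constructor signatures it expects.
            eachDependency { details ->
                if (details.requested.group.startsWith('com.fasterxml.jackson')) {
                    details.useVersion('2.15.3')
                    details.because('cyclonedx-core-java 8.0.3 is compiled against Jackson 2.15.x')
                }
            }
        }
    }
}

plugins {
    id 'java'
    id 'org.cyclonedx.bom' version '1.8.2'            // assumed plugin version
    id 'org.owasp.dependencycheck' version '9.0.9'    // assumed plugin version
}

// Diagnostic task: print the Jackson artifacts Gradle selected for the build
// classpath, so a version mismatch is visible before cyclonedxBom runs.
tasks.register('printBuildClasspathJackson') {
    doLast {
        def jacksonArtifacts = buildscript.configurations.classpath
            .resolvedConfiguration
            .resolvedArtifacts
            .findAll { it.moduleVersion.id.group.startsWith('com.fasterxml.jackson') }
            .collect { "${it.moduleVersion.id.group}:${it.moduleVersion.id.name}:${it.moduleVersion.id.version}" }
            .sort()
        jacksonArtifacts.each { println it }
        // Every Jackson module should now report the same version; if two versions
        // still appear, a plugin is bringing Jackson in through a path the strategy
        // does not cover and the full tree from `gradle buildEnvironment` will show it.
        def versions = jacksonArtifacts.collect { it.tokenize(':')[2] }.unique()
        if (versions.size() > 1) {
            throw new GradleException("Mixed Jackson versions on build classpath: ${versions}")
        }
    }
}
```

Run `gradle printBuildClasspathJackson` (or the built-in `gradle buildEnvironment`, which prints the whole buildscript dependency tree) to confirm a single Jackson version before running `gradle cyclonedxBom`. Pinning the build classpath downward is only a stopgap: it also downgrades the Jackson modules used by the dependency-check plugin, so the durable fix is a cyclonedx-core-java release whose Jackson version matches what the other plugins on the classpath require.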

nscuro commented 3 months ago

Jackson was updated to 2.17.1 in the recent 9.x releases.