CycloneDX / cyclonedx-gradle-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
https://cyclonedx.org/
Apache License 2.0

Bom file does not have dependencies #264

Open flaviomeira opened 1 year ago

flaviomeira commented 1 year ago

Following the configuration set in the readme file, the cyclonedxBom task runs without errors, but dependencies do not appear in the generated bom file.

tasks.cyclonedxBom {
    setIncludeConfigs(listOf("runtimeClasspath"))
    setSkipConfigs(listOf("compileClasspath", "testCompileClasspath"))
    setSkipProjects(listOf(rootProject.name))
    setProjectType("application")
    setSchemaVersion("1.4")
    setDestination(project.file("build/reports"))
    setOutputName("bom")
    setIncludeBomSerialNumber(false)
    setComponentVersion("2.0.0")
}

./gradlew cyclonedxBom -info

Initialized native services in: /Users/user/.gradle/native
Initialized jansi services in: /Users/user/.gradle/native
The client will now receive all logging from the daemon (pid: 90281). The daemon log file: /Users/user/.gradle/daemon/7.5/daemon-90281.out.log
Starting 5th build in daemon [uptime: 2 hrs 29 mins 47.945 secs, performance: 96%]
Using 12 worker leases.
Now considering [/Users/user/projects/poc-cyclone] as hierarchies to watch
Watching the file system is configured to be enabled if available
File system watching is active
Starting Build
Settings evaluated using settings file '/Users/user/projects/poc-cyclone/settings.gradle.kts'.
Projects loaded. Root project using build file '/Users/user/projects/poc-cyclone/build.gradle.kts'.
Included projects: [root project 'Cyclone', project ':app', project ':login']

> Configure project :
Evaluating root project 'Cyclone' using build file '/Users/user/projects/poc-cyclone/build.gradle.kts'.
Caching disabled for Kotlin DSL accessors for root project 'Cyclone' because:
  Build cache is disabled
Skipping Kotlin DSL accessors for root project 'Cyclone' as it is up-to-date.

> Configure project :app
Evaluating project ':app' using build file '/Users/user/projects/poc-cyclone/app/build.gradle.kts'.
Using default execution profile
Using Kotlin Gradle Plugin gradle70 variant
Caching disabled for Kotlin DSL accessors for project ':app' because:
  Build cache is disabled
Skipping Kotlin DSL accessors for project ':app' as it is up-to-date.
Parsed shrinker version: 4.0.48

> Configure project :login
Evaluating project ':login' using build file '/Users/user/projects/poc-cyclone/login/build.gradle.kts'.
Using default execution profile
Using Kotlin Gradle Plugin gradle70 variant
Caching disabled for Kotlin DSL accessors for project ':login' because:
  Build cache is disabled
Skipping Kotlin DSL accessors for project ':login' as it is up-to-date.
Parsed shrinker version: 4.0.48
All projects evaluated.
Task name matched 'cyclonedxBom'
Selected primary task 'cyclonedxBom' from project :
Tasks to be executed: [task ':cyclonedxBom']
Tasks that were excluded: []
Resolve mutations for :cyclonedxBom (Thread[#790,Execution worker,5,main]) started.
:cyclonedxBom (Thread[#792,Execution worker Thread 3,5,main]) started.
producer locations for task group 0 (Thread[#794,Execution worker Thread 5,5,main]) started.
Resolve mutations for :cyclonedxBom (Thread[#790,Execution worker,5,main]) completed. Took 0.0 secs.
producer locations for task group 0 (Thread[#794,Execution worker Thread 5,5,main]) completed. Took 0.0 secs.

> Task :cyclonedxBom
Watching 1 directory hierarchies to track changes
Caching disabled for task ':cyclonedxBom' because:
  Build cache is disabled
Task ':cyclonedxBom' is not up-to-date because:
  Output property 'destination' file /Users/user/projects/poc-cyclone/build/reports/bom.json has been removed.
  Output property 'destination' file /Users/user/projects/poc-cyclone/build/reports/bom.xml has been removed.
Not watching anything anymore
Watching 0 directory hierarchies to track changes
CycloneDX: Parameters
------------------------------------------------------------------------
schemaVersion          : 1.4
includeBomSerialNumber : false
includeConfigs         : [runtimeClasspath]
skipConfigs            : [compileClasspath, testCompileClasspath]
skipProjects           : [Cyclone]
destination            : /Users/user/projects/poc-cyclone/build/reports
outputName             : bom
------------------------------------------------------------------------
CycloneDX: Resolving Dependencies
CycloneDX: Creating BOM
CycloneDX: Writing BOM XML
CycloneDX: Validating BOM
CycloneDX: Writing BOM JSON
CycloneDX: Validating BOM
Watching 1 directory hierarchies to track changes
:cyclonedxBom (Thread[#792,Execution worker Thread 3,5,main]) completed. Took 0.097 secs.

BUILD SUCCESSFUL in 1s

Generated bom file

{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.4",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2023-01-27T14:29:25Z",
    "tools" : [
      {
        "vendor" : "CycloneDX",
        "name" : "cyclonedx-gradle-plugin",
        "version" : "1.7.3"
      }
    ],
    "component" : {
      "group" : "group",
      "name" : "Cyclone",
      "version" : "2.0.0",
      "purl" : "pkg:maven/group/Cyclone@unspecified?type=pom",
      "type" : "application",
      "bom-ref" : "pkg:maven/group/Cyclone@unspecified?type=pom"
    }
  },
  "components" : [
    {
      "group" : "Cyclone",
      "name" : "login",
      "version" : "unspecified",
      "purl" : "pkg:maven/Cyclone/login@unspecified?type=jar",
      "type" : "library",
      "bom-ref" : "pkg:maven/Cyclone/login@unspecified?type=jar"
    },
    {
      "group" : "Cyclone",
      "name" : "app",
      "version" : "unspecified",
      "purl" : "pkg:maven/Cyclone/app@unspecified?type=jar",
      "type" : "library",
      "bom-ref" : "pkg:maven/Cyclone/app@unspecified?type=jar"
    }
  ],
  "dependencies" : [
    {
      "ref" : "pkg:maven/group/Cyclone@unspecified?type=pom",
      "dependsOn" : [
        "pkg:maven/Cyclone/app@unspecified?type=jar",
        "pkg:maven/Cyclone/login@unspecified?type=jar"
      ]
    }
  ]
}

I tried to fix it with the following configuration:

tasks.cyclonedxBom {
    setIncludeConfigs(listOf("debugCompileClasspath"))  // Changing to debugCompileClasspath
    setSkipConfigs(listOf("compileClasspath", "testCompileClasspath"))
    setSkipProjects(listOf(rootProject.name))
    setProjectType("application")
    setSchemaVersion("1.4")
    setDestination(project.file("build/reports"))
    setOutputName("bom")
    setIncludeBomSerialNumber(false)
    setComponentVersion("2.0.0")
}

But cyclonedxBom runs with errors (./gradlew cyclonedxBom -info):

Initialized native services in: /Users/user/.gradle/native
Initialized jansi services in: /Users/user/.gradle/native
The client will now receive all logging from the daemon (pid: 90281). The daemon log file: /Users/user/.gradle/daemon/7.5/daemon-90281.out.log
Starting 6th build in daemon [uptime: 2 hrs 40 mins 8.417 secs, performance: 96%]
Using 12 worker leases.
Now considering [/Users/user/projects/poc-cyclone] as hierarchies to watch
Watching the file system is configured to be enabled if available
Now considering [/Users/user/projects/poc-cyclone] as hierarchies to watch
File system watching is active
Starting Build
Settings evaluated using settings file '/Users/user/projects/poc-cyclone/settings.gradle.kts'.
Projects loaded. Root project using build file '/Users/user/projects/poc-cyclone/build.gradle.kts'.
Included projects: [root project 'Cyclone', project ':app', project ':login']

> Configure project :
Evaluating root project 'Cyclone' using build file '/Users/user/projects/poc-cyclone/build.gradle.kts'.
Caching disabled for Kotlin DSL accessors for root project 'Cyclone' because:
  Build cache is disabled
Skipping Kotlin DSL accessors for root project 'Cyclone' as it is up-to-date.

> Configure project :app
Evaluating project ':app' using build file '/Users/user/projects/poc-cyclone/app/build.gradle.kts'.
Using default execution profile
Using Kotlin Gradle Plugin gradle70 variant
Caching disabled for Kotlin DSL accessors for project ':app' because:
  Build cache is disabled
Skipping Kotlin DSL accessors for project ':app' as it is up-to-date.
Parsed shrinker version: 4.0.48

> Configure project :login
Evaluating project ':login' using build file '/Users/user/projects/poc-cyclone/login/build.gradle.kts'.
Using default execution profile
Using Kotlin Gradle Plugin gradle70 variant
Caching disabled for Kotlin DSL accessors for project ':login' because:
  Build cache is disabled
Skipping Kotlin DSL accessors for project ':login' as it is up-to-date.
Parsed shrinker version: 4.0.48
All projects evaluated.
Task name matched 'cyclonedxBom'
Selected primary task 'cyclonedxBom' from project :
Tasks to be executed: [task ':cyclonedxBom']
Tasks that were excluded: []
Resolve mutations for :cyclonedxBom (Thread[#937,Execution worker,5,main]) started.
:cyclonedxBom (Thread[#940,Execution worker Thread 4,5,main]) started.
producer locations for task group 0 (Thread[#938,Execution worker Thread 2,5,main]) started.
producer locations for task group 0 (Thread[#938,Execution worker Thread 2,5,main]) completed. Took 0.0 secs.
Resolve mutations for :cyclonedxBom (Thread[#937,Execution worker,5,main]) completed. Took 0.0 secs.

> Task :cyclonedxBom
Watching 1 directory hierarchies to track changes
Caching disabled for task ':cyclonedxBom' because:
  Build cache is disabled
Task ':cyclonedxBom' is not up-to-date because:
  Value of input property 'includeConfigs' has changed for task ':cyclonedxBom'
Not watching anything anymore
Watching 0 directory hierarchies to track changes
CycloneDX: Parameters
------------------------------------------------------------------------
schemaVersion          : 1.4
includeBomSerialNumber : false
includeConfigs         : [debugCompileClasspath]
skipConfigs            : [compileClasspath, testCompileClasspath]
skipProjects           : [Cyclone]
destination            : /Users/user/projects/poc-cyclone/build/reports
outputName             : bom
------------------------------------------------------------------------
CycloneDX: Resolving Dependencies
Watching 1 directory hierarchies to track changes

> Task :cyclonedxBom FAILED
:cyclonedxBom (Thread[#940,Execution worker Thread 4,5,main]) completed. Took 2.427 secs.

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':cyclonedxBom'.
> The consumer was configured to find an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm'. However we cannot choose between the following variants of project :login:
    - Configuration ':login:debugApiElements' variant android-aidl declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-aidl' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':login:debugApiElements' variant android-lint-local-aar declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-lint-local-aar' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':login:debugApiElements' variant android-lint-model-metadata declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-lint-model-metadata' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':login:debugApiElements' variant android-lint-variant-dependencies-model declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-lint-variant-dependencies-model' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':login:debugApiElements' variant android-lint-variant-dependencies-partial-results declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-lint-variant-dependencies-partial-results' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':login:debugApiElements' variant android-manifest declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-manifest' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':login:debugApiElements' variant android-renderscript declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-renderscript' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':login:debugApiElements' variant android-symbol-with-package-name declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.4.0', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-symbol-with-package-name' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 4s

In order to run the cyclonedxBom task successfully, we set 'configuration' to 'default' in the app dependencies (app/build.gradle.kts):

implementation(project(mapOf("path" to ":login", "configuration" to "default")))

With this configuration, the cyclonedxBom task runs without errors and the bom file contains the project dependencies correctly (at first sight).

The problem with this configuration is that it breaks the app build, with the following error:

e: /Users/user/projects/poc-cyclone/app/src/main/java/com/poc/cyclone/view/MainActivity.kt: (12, 24): Unresolved reference: login

MainActivity.kt (line 12):

import com.poc.cyclone.login.LoginActivity // Unresolved reference: LoginActivity

It seems to be a misconfiguration in the project, but I couldn't find the correct configuration.

This is the repo with this project: https://github.com/saviolli/poc-cyclone
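The BOM in the report above is exactly the kind of output a pipeline should refuse to treat as an SBOM: it validates against the 1.4 schema, yet every component is a module of the build itself (group equal to the root project name, version "unspecified") and not one third-party artifact was resolved. The script below is an added example, not part of the issue or of cyclonedx-gradle-plugin; it rebuilds the issue's BOM shape as constructed fixtures (the okhttp entry is an assumed external library, the "acme/missing" reference an assumed dangling edge) and applies the gate a CI step should run on the generated bom.json before anyone relies on it: fail when no component outside the build's own groups is present, and fail when a `dependsOn` reference points at a bom-ref that is not in the document.

```python
"""Gate a CycloneDX JSON BOM: fail when it lists only the build's own modules.

Added example, not part of cyclonedx-gradle-plugin. Fixtures below are
constructed to match the BOM shape shown in the issue.
"""
import json


def mvn(group, name, version, ptype="jar"):
    """Component entry in the form the plugin emits (purl doubles as bom-ref)."""
    purl = f"pkg:maven/{group}/{name}@{version}?type={ptype}"
    return {"group": group, "name": name, "version": version,
            "purl": purl, "type": "library", "bom-ref": purl}


# Constructed fixtures modelled on the issue: root project 'Cyclone' with
# subprojects ':app' and ':login', none of them carrying a declared version.
ROOT = dict(mvn("group", "Cyclone", "unspecified", "pom"), type="application")
APP = mvn("Cyclone", "app", "unspecified")
LOGIN = mvn("Cyclone", "login", "unspecified")
OKHTTP = mvn("com.squareup.okhttp3", "okhttp", "4.10.0")  # assumed external lib


def make_bom(components, dependencies):
    """Wrap component and dependency lists in a minimal CycloneDX 1.4 document."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "version": 1, "metadata": {"component": ROOT},
                       "components": components, "dependencies": dependencies})


# 1. What the issue reports: only the two subprojects, no third-party code.
EMPTY_BOM = make_bom([LOGIN, APP], [
    {"ref": ROOT["bom-ref"], "dependsOn": [APP["bom-ref"], LOGIN["bom-ref"]]}])

# 2. What a usable BOM looks like: a resolved external library in the graph.
FULL_BOM = make_bom([LOGIN, APP, OKHTTP], [
    {"ref": ROOT["bom-ref"], "dependsOn": [APP["bom-ref"], LOGIN["bom-ref"]]},
    {"ref": APP["bom-ref"], "dependsOn": [OKHTTP["bom-ref"]]}])

# 3. A graph edge pointing at a component that is not in the BOM (assumed ref).
DANGLING_BOM = make_bom([LOGIN, APP], [
    {"ref": APP["bom-ref"], "dependsOn": ["pkg:maven/acme/missing@1.0?type=jar"]}])


def is_internal(component, internal_groups):
    """Subprojects show up with the root project name as group and no real version."""
    return (component.get("group") in internal_groups
            or component.get("version") in (None, "", "unspecified"))


def audit_bom(text, internal_groups):
    """Return classification and findings; an empty findings list passes the gate."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = bom.get("components", [])
    internal, external = [], []
    for c in components:
        label = f"{c.get('group', '')}:{c.get('name', '')}@{c.get('version', '')}"
        (internal if is_internal(c, internal_groups) else external).append(label)

    # Every dependsOn target must resolve to a component (or the metadata component).
    known = {c.get("bom-ref") for c in components}
    meta = bom.get("metadata", {}).get("component")
    if meta:
        known.add(meta.get("bom-ref"))
    dangling = sorted({ref for d in bom.get("dependencies", [])
                       for ref in d.get("dependsOn", []) if ref not in known})

    findings = []
    if not external:
        findings.append("no third-party components: the included Gradle "
                        "configurations resolved nothing outside this build")
    if dangling:
        findings.append(f"{len(dangling)} dependsOn ref(s) match no bom-ref")
    return {"internal": sorted(internal), "external": sorted(external),
            "dangling": dangling, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    import sys
    # Usage: python audit_bom.py build/reports/bom.json  (defaults to the issue's BOM)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EMPTY_BOM
    result = audit_bom(text, {"Cyclone"})
    for finding in result["findings"]:
        print("FAIL:", finding)
    print(f"internal={result['internal']} external={result['external']}")
    sys.exit(0 if result["ok"] else 1)
```

The internal-group set is the root project name as it appears in the BOM's `group` field; pass your own root project name when running this against a real bom.json. The check deliberately treats a BOM with zero external components as a failure rather than a warning, because a schema-valid SBOM that silently omits every library is worse than no SBOM at all for vulnerability matching.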

rkg-mm commented 1 year ago

Having the same problem in an Android project.

kito99 commented 1 year ago

This looks like a duplicate of #223. (I'm having the same problem.)