CycloneDX / cyclonedx-gradle-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
https://cyclonedx.org/
Apache License 2.0
155 stars 73 forks

One SBOM file for all dependencies in a multi-module Android project #288

Open mindhacker42 opened 1 year ago

mindhacker42 commented 1 year ago

Is it possible to generate with this plugin one big SBOM file that would include all dependencies from a multi-module project?

We have a common setup where there is an app module which includes other modules via implementation project('module1'). In the generated SBOM file, the dependencies listed are only the non-project dependencies, i.e. implementation 'com.squareup.retrofit2:retrofit:2.9.0', but not the project dependencies. Because of that we don't get all dependencies listed for the app module and would need to resort to somehow gathering all SBOMs per module and merging them together.
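An added example, not part of this thread or the plugin's own code: a Python script that takes the per-module CycloneDX JSON BOMs the plugin writes (one bom.json per module) and merges them into a single aggregate BOM, i.e. the "gather all SBOMs per module and merge them together" route mentioned above. The two input BOMs are constructed inline with invented group, artifact and version values; the synthetic `aggregate:` root ref is this script's own convention, not something CycloneDX prescribes.

```python
"""Merge per-module CycloneDX JSON BOMs into one aggregate BOM (added example).

Components are deduplicated by Package URL, bom-refs (unique only inside one BOM)
are remapped to the purl, and each module's own metadata component becomes a
child of a synthetic root so the dependency graph stays connected.
"""
import json
from typing import Any, Dict, List, Set

Bom = Dict[str, Any]

# Constructed sample input standing in for each module's build/reports/bom.json.
# Group, artifact and version values are invented for the example.
RETROFIT: Bom = {"type": "library", "group": "com.squareup.retrofit2", "name": "retrofit",
                 "version": "2.9.0", "purl": "pkg:maven/com.squareup.retrofit2/retrofit@2.9.0"}
OKHTTP: Bom = {"type": "library", "group": "com.squareup.okhttp3", "name": "okhttp",
               "version": "4.9.0", "purl": "pkg:maven/com.squareup.okhttp3/okhttp@4.9.0"}
APP_BOM: Bom = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "group": "com.example", "name": "app",
                               "version": "1.0", "purl": "pkg:maven/com.example/app@1.0",
                               "bom-ref": "pkg:maven/com.example/app@1.0"}},
    "components": [{**RETROFIT, "bom-ref": RETROFIT["purl"]}],
    "dependencies": [{"ref": "pkg:maven/com.example/app@1.0", "dependsOn": [RETROFIT["purl"]]}],
}
MODULE1_BOM: Bom = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "library", "group": "com.example", "name": "module1",
                               "version": "1.0", "purl": "pkg:maven/com.example/module1@1.0",
                               "bom-ref": "module1"}},
    # this BOM uses its own local bom-refs; they must neither collide nor duplicate after merging
    "components": [{**OKHTTP, "bom-ref": "lib-okhttp"}, {**RETROFIT, "bom-ref": "lib-retrofit"}],
    "dependencies": [{"ref": "module1", "dependsOn": ["lib-okhttp", "lib-retrofit"]}],
}


def component_key(component: Bom) -> str:
    """Cross-BOM identity of a component: its purl, else group:name:version."""
    if component.get("purl"):
        return component["purl"]
    return ":".join(str(component.get(k, "")) for k in ("group", "name", "version"))


def merge_boms(root_name: str, root_version: str, boms: List[Bom]) -> Bom:
    """Return one CycloneDX 1.4 BOM rooted at a synthetic component covering all inputs."""
    root_ref = f"aggregate:{root_name}@{root_version}"   # script's own convention
    components: Dict[str, Bom] = {}
    depends_on: Dict[str, Set[str]] = {root_ref: set()}

    def add(component: Bom) -> str:
        key = component_key(component)
        if key not in components:            # first occurrence wins; later copies are dropped
            components[key] = {**component, "bom-ref": key}
        depends_on.setdefault(key, set())    # every component gets a dependency entry
        return key

    for bom in boms:
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("input is not a CycloneDX document")
        meta = bom.get("metadata", {}).get("component")
        ref_map: Dict[str, str] = {}         # this BOM's local bom-ref -> merged key
        if meta is not None:
            # a subproject is a library of the aggregate root, whatever it called itself
            module_key = add({**meta, "type": "library"})
            ref_map[meta.get("bom-ref", module_key)] = module_key
            depends_on[root_ref].add(module_key)
        for comp in bom.get("components", []):
            ref_map[comp.get("bom-ref", component_key(comp))] = add(comp)
        for dep in bom.get("dependencies", []):
            src = ref_map.get(dep["ref"], dep["ref"])
            depends_on.setdefault(src, set()).update(
                ref_map.get(t, t) for t in dep.get("dependsOn", []))

    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "metadata": {"component": {"type": "application", "name": root_name,
                                   "version": root_version, "bom-ref": root_ref}},
        "components": [components[k] for k in sorted(components)],
        "dependencies": [{"ref": r, "dependsOn": sorted(d)} for r, d in sorted(depends_on.items())],
    }


def dependencies_of(bom: Bom, ref: str) -> List[str]:
    """dependsOn list for a ref in a merged BOM (empty if the ref is absent)."""
    for dep in bom.get("dependencies", []):
        if dep["ref"] == ref:
            return list(dep["dependsOn"])
    return []


if __name__ == "__main__":
    merged = merge_boms("android-project", "1.0", [APP_BOM, MODULE1_BOM])
    print(json.dumps(merged, indent=2))
```

To run it on a real build, json.load each module's bom.json into the list passed to merge_boms and write the result out. Deduplication is by purl, so the same artifact pulled at two different versions by two modules stays as two components, which is what you want a consumer such as Dependency-Track to see.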

ronanbrowne commented 1 year ago

@mindhacker42, did you find any solution to this? We see the same on large multi-module builds; I want one SBOM, not dozens.

mandrachek commented 11 months ago

I'm having problems getting it to work at all... but theoretically, if you apply the plugin only in your :app module, it should find all the dependencies from your child modules (since the app module depends on them). This is how the owasp dependency checker works anyway - you don't need it on each feature/library module.

ankursharma180 commented 7 months ago

In a Maven project, we can achieve that using the plugin below, which produces an aggregated bom.xml for all projects. Isn't there a similar kind of plugin for Gradle? Anything which can help generate an aggregated bom?

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.11</version>
    <executions>
        <execution>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>

vajain-1982 commented 6 months ago

Any solution/workaround on this yet?

ankursharma180 commented 6 months ago

Hi @vajain-1982, I did something and it worked for me; maybe it can help:
(1) I am using Jenkins, so I updated the build and added a dependencyTrackPublisher stage.
(2) Change the values in bold below; you'll need API_KEY, so configure that.
(3) I was facing an issue in fetching artifactVersion, so I took it from gradle.properties.
(4) Change the bold highlighted fields as per your project in the dependencyTrackPublisher stage.
(5) group: 'ABC' is not the groupId, but the container parent project; for my other Maven projects, this was the same.

stages {
    stage('Build') {
        steps {
            withGradle {
                sh './gradlew clean build jar test cyclonedxBom'
            }
        }
    }
    stage('dependencyTrackPublisher') {
        steps {
            script {
                artifactId = "xyz"
                // version comes from the "version = x.y.z" line of gradle.properties;
                // take the part after '=' and trim it, so no leading space ends up in the version
                artifactVersion = sh(returnStdout: true, script: "cat gradle.properties | grep -nw 'version ='").split(/=/)[1].trim()
                groupId = "com.ankursharma.xyz"
            }
            withCredentials([string(credentialsId: 'DependencyTrack-API', variable: 'API_KEY')]) {
                dependencyTrackPublisher artifact: 'build/reports/bom.xml',
                    projectName: """$artifactId""",
                    projectVersion: """$groupId/$artifactVersion""",
                    synchronous: true,
                    dependencyTrackApiKey: API_KEY,
                    projectProperties: [tags: ['trunk', 'xyz'], swidTagId: """$artifactId""", group: 'ABC']
            }
        }
    }
}

In build.gradle, set the following:

plugins {
    id 'org.cyclonedx.bom' version '1.6.1'
}

allprojects {
    repositories {
        maven { url xxxxxxxxxxxx }
    }
    apply plugin: 'org.cyclonedx.bom'
}