We noticed that when we have a "non-jar" artifact as one of the dependencies in our Gradle project, the CycloneDX plugin doesn't generate the right information in the `dependencies` field of the SBOM file.
For example, in the below `build.gradle` file:
```groovy
plugins {
    id 'org.cyclonedx.bom' version '1.7.4'
}

group = 'com.example'
version = '1.0.0'

cyclonedxBom {
    includeConfigs = ["implementation"]
    destination = file("reports")
    outputFormat = "json"
}

configurations { implementation }
repositories { mavenCentral() }

dependencies {
    // implementation 'org.hibernate:hibernate-core:6.3.1.Final' // This doesn't generate the dependencies tree
    implementation 'org.hibernate.orm:hibernate-core:6.3.1.Final' // This does create the dependencies tree
}
```
Also, we noticed that in the `CycloneDxTask.java` file in the codebase, we have this function. This code ignores all non-`jar` and `aar` artifacts.
Is this intentional? Can we improve on this in any way to also provide information on non-jar artifacts, like providing a warning message to users stating that this artifact is/was skipped for x..y..z reasons?
TIA
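As an added example (not from this issue and not part of the cyclonedx-gradle-plugin), the following script is the kind of check a consumer of the generated SBOM can run to catch the symptom described above: a component that is listed but has no entry in the `dependencies` array, a `dependsOn` target that resolves to no component, and components that cannot be reached from the root component. The SBOM it reads is constructed inline; the hibernate-core coordinates are the ones quoted in the report, and the `com.example` refs are made up.

```python
"""Audit the `dependencies` graph of a CycloneDX JSON SBOM for dropped components.

Added example, not code from the issue or from the cyclonedx-gradle-plugin.
"""
import json
from collections import deque

# Constructed sample in CycloneDX 1.4 JSON shape. hibernate-core is a listed
# component but has no `dependencies` entry, mirroring the symptom reported
# for non-jar artifacts; the com.example coordinates are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"bom-ref": "pkg:maven/com.example/app@1.0.0",
                      "name": "app", "version": "1.0.0"}
    },
    "components": [
        {"bom-ref": "pkg:maven/org.hibernate/hibernate-core@6.3.1.Final",
         "name": "hibernate-core", "version": "6.3.1.Final"},
        {"bom-ref": "pkg:maven/com.example/lib-a@1.0", "name": "lib-a", "version": "1.0"},
        {"bom-ref": "pkg:maven/com.example/lib-b@1.0", "name": "lib-b", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/app@1.0.0",
         "dependsOn": ["pkg:maven/com.example/lib-a@1.0"]},
        # lib-c below is referenced but never declared as a component
        {"ref": "pkg:maven/com.example/lib-a@1.0",
         "dependsOn": ["pkg:maven/com.example/lib-b@1.0",
                       "pkg:maven/com.example/lib-c@1.0"]},
        {"ref": "pkg:maven/com.example/lib-b@1.0", "dependsOn": []},
        # note: no entry at all for hibernate-core
    ],
})


def audit_dependency_graph(sbom_json: str) -> dict:
    """Return the components and refs that make the dependency graph incomplete."""
    sbom = json.loads(sbom_json)
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    component_refs = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    known = component_refs | ({root} if root else set())

    # Adjacency list: bom-ref -> list of bom-refs it depends on
    edges = {}
    for entry in sbom.get("dependencies", []):
        edges[entry["ref"]] = list(entry.get("dependsOn", []))

    # 1. Components that never appear as a `ref` in the dependencies array
    missing_entries = component_refs - set(edges)

    # 2. dependsOn targets that resolve to neither a component nor the root
    dangling_refs = {d for deps in edges.values() for d in deps if d not in known}

    # 3. Components not reachable from the root by walking dependsOn edges
    reachable = set()
    queue = deque([root] if root else [])
    while queue:
        ref = queue.popleft()
        if ref in reachable:
            continue
        reachable.add(ref)
        queue.extend(edges.get(ref, []))
    unreachable = component_refs - reachable

    return {
        "missing_entries": sorted(missing_entries),
        "dangling_refs": sorted(dangling_refs),
        "unreachable": sorted(unreachable),
    }


def is_complete(sbom_json: str) -> bool:
    """True only when every component is wired into the graph and every edge resolves."""
    return not any(audit_dependency_graph(sbom_json).values())


if __name__ == "__main__":
    for problem, refs in audit_dependency_graph(SAMPLE_SBOM).items():
        for ref in refs:
            print(f"{problem}: {ref}")
```

Run against a real plugin output, the three lists are empty when the graph is complete; a non-empty `missing_entries` list is exactly the silent skip the report is asking to have surfaced as a warning.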