CycloneDX / cyclonedx-gradle-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
https://cyclonedx.org/
Apache License 2.0

Dependencies field is incomplete for POM artifacts in sbom file #347

Open akkrishnakumar opened 8 months ago

akkrishnakumar commented 8 months ago

Hello Team,

We noticed that when we have a "non-jar" artifact as one of the dependencies in our Gradle project, the CycloneDX plugin doesn't generate the right information in the dependencies field of the SBOM file.

For example, in the build.gradle file below:

plugins {
    id 'org.cyclonedx.bom' version '1.7.4'
}

group = 'com.example'
version = '1.0.0'

cyclonedxBom {
  includeConfigs = ["implementation"]
  destination = file("reports")
  outputFormat = "json"
}

configurations { implementation }

repositories { mavenCentral() }

dependencies {
  // implementation 'org.hibernate:hibernate-core:6.3.1.Final'   // this does NOT generate the dependencies tree
  implementation 'org.hibernate.orm:hibernate-core:6.3.1.Final'  // this does create the dependencies tree
}

Also, we noticed that the CycloneDxTask.java file in the codebase has this function:

// Returns the first "jar" or "aar" module artifact of the resolved dependency,
// or null when the module exposes no such artifact (e.g. a POM-only module).
private ResolvedArtifact getJarArtifact(ResolvedDependency dependency) {
    for (ResolvedArtifact artifact : dependency.getModuleArtifacts()) {
        if (Objects.equals(artifact.getType(), "jar") || Objects.equals(artifact.getType(), "aar")) {
            return artifact;
        }
    }
    return null; // caller treats null as "nothing to record" for this dependency
}

This code ignores all non-jar and non-aar artifacts.

Is this intentional? Can we improve on this in any way to also provide information on non-jar artifacts, e.g. a warning message telling users that this artifact is/was skipped, and for which reasons?

TIA
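
The Gradle task below is an added example, not code from the issue or from cyclonedx-gradle-plugin. It walks the resolved graph of the configurations listed in cyclonedxBom.includeConfigs and reports every module that exposes no "jar"/"aar" module artifact, i.e. every module for which the getJarArtifact() filter quoted above returns null, so you can see up front which dependencies (and their transitive children) the plugin will skip. The task name listNonJarDependencies and the configuration list are assumptions; it also assumes the named configurations are resolvable, as the `configurations { implementation }` line in the build script above makes them.

```groovy
// Added diagnostic task, not part of cyclonedx-gradle-plugin.
// Assumptions: task name is arbitrary; 'implementation' is resolvable here
// because the build script above declares it via `configurations { implementation }`.
tasks.register('listNonJarDependencies') {
    description = 'Reports resolved modules that have no jar/aar artifact'
    def configNames = ['implementation']   // keep in sync with cyclonedxBom.includeConfigs
    doLast {
        configNames.each { confName ->
            def resolved = configurations.getByName(confName).resolvedConfiguration
            def seen = [] as Set               // avoid re-reporting modules reached via several paths
            def visit
            visit = { dep ->
                def id = "${dep.moduleGroup}:${dep.moduleName}:${dep.moduleVersion}".toString()
                if (!seen.add(id)) {
                    return
                }
                // Same test as getJarArtifact(): is any module artifact of type jar or aar?
                def types = dep.moduleArtifacts*.type
                if (!types.any { it == 'jar' || it == 'aar' }) {
                    def children = dep.children.collect {
                        "${it.moduleGroup}:${it.moduleName}:${it.moduleVersion}".toString()
                    }
                    logger.warn("[{}] {} has no jar/aar artifact (artifact types: {}) -> getJarArtifact() returns null; " +
                                "{} transitive dependencies reached only through it: {}",
                                confName, id, types ?: ['none'], children.size(), children)
                }
                dep.children.each { child -> visit(child) }
            }
            resolved.firstLevelModuleDependencies.each { dep -> visit(dep) }
        }
    }
}
```

Run it with `gradle listNonJarDependencies` before `cyclonedxBom`; a warning for a module whose children list is non-empty is the situation this issue describes, because those children are only reachable through a module the filter drops. The task resolves configurations at execution time, so it is a one-off check rather than something to leave wired into a configuration-cached build.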

atennapel commented 8 months ago

@glefloch When is a release planned that contains this fix?

glefloch commented 8 months ago

I need to do some updates to match the latest SBOM spec. I should be able to release a new version this week.