CycloneDX / cyclonedx-gradle-plugin

Creates CycloneDX Software Bill of Materials (SBOM) from Gradle projects
https://cyclonedx.org/
Apache License 2.0

License lost when migrating from 1.8 to 1.9 for javax dependencies #479

Open lefevre00 opened 1 month ago

lefevre00 commented 1 month ago

Hello,

When using v1.8, the license was present for my legacy dependency (implementation("javax.annotation:javax.annotation-api:1.3.2")). That is no longer the case in 1.9: there is no license field in my BOM for the component with "bom-ref" : "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar"

This may come from the transition from the javax to the jakarta group for new versions. But the old-style versions still exist.

Very easy to reproduce in a dummy project, with a build.gradle.kts like this:

```kotlin
plugins {
    id("java")
    // Plugin version under test: 1.8 emitted the license, 1.9.0 does not
    id("org.cyclonedx.bom") version "1.9.0"
}

group = "net.example"
version = "1.0-SNAPSHOT"

repositories {
    mavenCentral()
}

dependencies {
    // Legacy javax artifact whose POM license name is not an SPDX identifier
    implementation("javax.annotation:javax.annotation-api:1.3.2")
    testImplementation(platform("org.junit:junit-bom:5.10.0"))
    testImplementation("org.junit.jupiter:junit-jupiter")
}

tasks.test {
    useJUnitPlatform()
}
```

lefevre00 commented 1 month ago

The license is lost for javax.servlet:javax.servlet-api:3.1.0 too.

skhokhlov commented 1 month ago

Since the actual licence resolution happens in the core library, I believe it's a bug there. In this plugin we are just using that implementation.

The packages you mentioned use quite a custom license: https://repo.maven.apache.org/maven2/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.pom

```xml
<licenses>
    <license>
        <name>CDDL + GPLv2 with classpath exception</name>
        <url>https://github.com/javaee/javax.annotation/blob/master/LICENSE</url>
        <distribution>repo</distribution>
        <comments>A business-friendly OSS license</comments>
    </license>
</licenses>
```

Which is not present in the license list.

Raised core library issue for this: https://github.com/CycloneDX/cyclonedx-core-java/issues/471
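Whatever the core-library fix turns out to be, a silently dropped license is the kind of SBOM regression worth catching in CI rather than noticing by hand. The script below is an added example by the editor, not code from cyclonedx-gradle-plugin or cyclonedx-core-java: it audits a CycloneDX JSON BOM for components that carry no license at all and patches them from a hand-maintained override table, using an SPDX expression where one is known and otherwise keeping the raw POM name in the `license.name` slot that the CycloneDX schema allows for non-SPDX licenses, so nothing is dropped. The sample BOM is constructed to mirror this issue; the `LICENSE_OVERRIDES` table and the SPDX expression it gives for the javax.annotation entry are the editor's assumptions and must be verified against the LICENSE file linked from each POM.

```python
"""Audit a CycloneDX JSON BOM for components whose license was dropped
and fill them in from a maintained override table.

Editor's added example, not code from the plugin or the core library.
The sample BOM is constructed; the override table is an assumption.
"""
import copy
import json

# Constructed sample BOM (CycloneDX 1.5 JSON, abbreviated). The two javax
# components carry no "licenses" key, as reported in the issue; junit does.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "group": "javax.annotation", "name": "javax.annotation-api",
         "version": "1.3.2",
         "bom-ref": "pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar"},
        {"type": "library", "group": "javax.servlet", "name": "javax.servlet-api",
         "version": "3.1.0",
         "bom-ref": "pkg:maven/javax.servlet/javax.servlet-api@3.1.0?type=jar"},
        {"type": "library", "group": "org.junit.jupiter", "name": "junit-jupiter",
         "version": "5.10.0",
         "bom-ref": "pkg:maven/org.junit.jupiter/junit-jupiter@5.10.0?type=jar",
         "licenses": [{"license": {"id": "EPL-2.0"}}]},
    ],
})

# Override table keyed by group:name. "pom_name" is the raw <name> from the
# POM; "spdx" is an SPDX expression where the maintainer is confident of one.
# ASSUMPTION: "CDDL + GPLv2 with classpath exception" is the dual license
# CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0. Verify against the
# LICENSE file linked from the POM before relying on it.
LICENSE_OVERRIDES = {
    "javax.annotation:javax.annotation-api": {
        "pom_name": "CDDL + GPLv2 with classpath exception",
        "spdx": "CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0",
    },
    "javax.servlet:javax.servlet-api": {
        "pom_name": "CDDL + GPLv2 with classpath exception",
        "spdx": None,  # no confident mapping yet: keep the raw name instead
    },
}


def _coordinates(component):
    """group:name key used by the override table (version-independent)."""
    return f"{component.get('group', '')}:{component.get('name', '')}"


def components_without_license(bom):
    """Return bom-refs of components that carry no license entry at all."""
    return [c.get("bom-ref", _coordinates(c))
            for c in bom.get("components", []) if not c.get("licenses")]


def patch_licenses(bom, overrides):
    """Return a copy of the BOM with missing licenses filled from overrides.

    A known SPDX expression becomes {"expression": ...}; otherwise the raw
    POM name is kept as {"license": {"name": ...}}, which the CycloneDX
    schema permits for licenses without an SPDX id. Components already
    carrying a license are left untouched.
    """
    patched = copy.deepcopy(bom)
    for comp in patched.get("components", []):
        if comp.get("licenses"):
            continue
        override = overrides.get(_coordinates(comp))
        if override is None:
            continue
        if override.get("spdx"):
            comp["licenses"] = [{"expression": override["spdx"]}]
        else:
            comp["licenses"] = [{"license": {"name": override["pom_name"]}}]
    return patched


def audit(bom_json, overrides=LICENSE_OVERRIDES):
    """Parse, patch and re-check a BOM; return (patched_bom, still_missing)."""
    patched = patch_licenses(json.loads(bom_json), overrides)
    return patched, components_without_license(patched)


if __name__ == "__main__":
    # In CI: read the generated bom.json instead of SAMPLE_BOM_JSON and fail
    # the build if still_missing is non-empty.
    patched, still_missing = audit(SAMPLE_BOM_JSON)
    print("still missing a license:", still_missing)
    print(json.dumps(patched, indent=2))
```

The override table is deliberately keyed without a version so a single entry covers every release of a legacy artifact, and an entry with `spdx` set to `None` is still useful: it keeps the POM's wording in the BOM for a human reviewer instead of leaving the component license-less.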