Closed enaess closed 7 months ago
I've added a project one can use to start troubleshooting this issue. It's available here:
You will need to add an appropriate artifactory url (other than artifactory.local), and then configure relevant local / remote repositories for the build to finally succeed. It should not need to pull down any other dependencies except for the "com.jfrog.artifactory" plugin.
Once you have that going, you publish a build to your artifactory instance by
./gradlew -PArtifactoryUsername="your-user-name-here" -PArtifactoryPassword="your token here" artifactoryPublish
This will successfully upload the library and application components. However, the type for the modules needs to be changed to "cpp" for both module and relevant dependencies. Only then will the X-Ray SBOM discover the components produced, list them on that page, and perform relevant security scans on the component w/dependencies.
We wish the "com.jfrog.artifactory" plugin to generate the appropriate build-info file, and apply the module/dependency's type field to cpp.
Hey @enaess,
Appreciate your help in sorting this out. We made a pull request at https://github.com/jfrog/artifactory-gradle-plugin/pull/95 to tackle it. The idea is to set the module type as cpp if either the cpp-application or cpp-library plugins are applied in the project. If you come across any situations where this solution doesn't quite cover it, please let us know.
Will need to give it a spin after the holiday break.
@enaess Gradle Artifactory plugin 5.2.0 has been released. In this version, you can set the module type manually:
    artifactory {
        publish {
            defaults {
                moduleType = 'CPP'
            }
        }
    }
And within the project scope:
    artifactoryPublish {
        moduleType = 'CPP'
    }
We'd appreciate your feedback on that.
Describe the bug
Create a new Gradle project with a few sub-projects
1) Project A applies the "cpp-library" plugin
2) Project B applies the "cpp-application" plugin, adds a dependency on project B
Add a few stub C++ code snippets, e.g. int main() { std::cout << "hello world" << std::endl; } and call a function in the dependent library.
Apply the "com.jfrog.artifactory" plugin, add boilerplate artifactory publish configuration in the root project's build.gradle and apply the artifactory plugin and "maven-publish" plugin in each sub-project. Run the ./gradlew artifactoryPublish task and confirm that you are able to publish the native artifacts to your artifactory server.
Enable publishing of build info:
Current behavior
Open up the build/build-info.json file, none of the dependencies you've added is specifying the type="cpp" for native builds. Even the gradle project may need to be of type "cpp".
By the way, build/build-info.json should be in the root project's target directory, not in static "build/build-info.json". That in itself is also a bug.
Reproduction steps
I could write you a gist to demonstrate that, but am out of time.
Expected behavior
When you publish the build-info to the artifactory server, the documentation says to search and replace both module's type="cpp" and dependency type="cpp" in order for X-Ray to detect the presence of native dependencies and to flag these as such.
Artifactory Gradle plugin version
5.1.10
Operating system type and version
Ubuntu 22.04
JFrog Artifactory version
7.41.14
Gradle version
7.6.2
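The search-and-replace workaround described under "Expected behavior", as an added Python example (not part of the original issue and not the plugin's code): it sets type to cpp on the named native modules and their dependencies, and lists anything still untagged so the gap is visible before X-Ray scans the build. The modules[].type and modules[].dependencies[].type layout and every id in the sample are assumptions.

```python
import copy
import json

# Constructed sample shaped like build/build-info.json (assumed layout:
# modules[].type and modules[].dependencies[].type); all ids are made up.
SAMPLE = {
    "name": "native-demo",
    "number": "1",
    "modules": [
        {"id": "com.example:lib:1.0",
         "artifacts": [{"name": "liblib.so", "type": "so"}]},
        {"id": "com.example:app:1.0", "type": "gradle",
         "artifacts": [{"name": "app", "type": "exe"}],
         "dependencies": [{"id": "com.example:lib:1.0", "type": "so"},
                          {"id": "com.example:util:2.1"}]},
        {"id": "com.example:docs:1.0", "type": "gradle", "artifacts": []},
    ],
}


def untagged(build_info, native_ids):
    """List module ids and 'module -> dependency' pairs not yet typed cpp."""
    missing = []
    for module in build_info.get("modules", []):
        if module.get("id") not in native_ids:
            continue  # non-native modules keep whatever type they have
        if module.get("type") != "cpp":
            missing.append(module["id"])
        for dep in module.get("dependencies", []):
            if dep.get("type") != "cpp":
                missing.append(f'{module["id"]} -> {dep.get("id")}')
    return missing


def retag_native(build_info, native_ids):
    """Return a copy with type=cpp on the named modules and their dependencies."""
    patched = copy.deepcopy(build_info)  # never edit the input in place
    for module in patched.get("modules", []):
        if module.get("id") in native_ids:
            module["type"] = "cpp"
            for dep in module.get("dependencies", []):
                dep["type"] = "cpp"  # artifact entries are left alone
    return patched


if __name__ == "__main__":
    native = {"com.example:lib:1.0", "com.example:app:1.0"}
    print("before:", untagged(SAMPLE, native))
    fixed = retag_native(SAMPLE, native)
    print("after: ", untagged(fixed, native))
    print(json.dumps(fixed["modules"][1], indent=2))
```

On plugin 5.2.0 and later the moduleType setting quoted in the thread covers the module type; the untagged() check is still useful for confirming what ended up in the published build-info.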