Added configurable reference generation between the components of a multi-language SBOM #1567

Merged (5 commits), Jan 17, 2025
5 changes: 3 additions & 2 deletions .github/workflows/repotests.yml
@@ -503,8 +503,9 @@ jobs:
- name: repotests expo
run: |
cd repotests/expo-test && npm ci && cd ../..
GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json
GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json
GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo.json
GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle repotests/expo-test -o bomresults/bom-expo-npm.json
GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle -t npm repotests/expo-test -o bomresults/bom-expo-multi.json
shell: bash
- name: repotests elasticsearch
run: |
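Review bot: The new `-t gradle -t npm` invocation on the last added line writes bomresults/bom-expo-multi.json, but no step checks that the parent-to-sub-BOM references this PR introduces are actually present in that file, so a regression that silently drops them would still pass the workflow. Consider a follow-up step that fails when the parent's dependencies entry has an empty dependsOn, for example `jq -e '(.metadata.component["bom-ref"]) as $p | .dependencies[] | select(.ref == $p) | .dependsOn | length > 0' bomresults/bom-expo-multi.json` (this assumes the multi-BOM parent is metadata.component). Also note the multi run keeps GRADLE_RESOLVE_FROM_NODE=true, so it only exercises the node-resolved gradle path combined with npm; a second run without that variable would cover the plain gradle plus npm pairing.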
3 changes: 1 addition & 2 deletions docs/ENV.md
@@ -28,6 +28,7 @@ The following environment variables are available to configure the bom generatio
| GRADLE_RESOLVE_FROM_NODE | If some of your gradle modules are included from node (eg when using expo or react-native), set this to true to use the npm-packages as your dependencies. The big advantage of this, is that the generated purls will be of actually known components (eg in OSS Index) instead of generic names for the packages. |
| GRADLE_SKIP_MODULE_DEPENDENCIES | Comma-separated list of modules to skip during the "dependencies" task. This can be useful if you have modules that would fail the gradle build, eg when they do not have dependencies in the given configuration. Use "root" if the top most module should be skipped, use their gradle-name (so WITH leading ":") for all others. |
| GRADLE_SKIP_MODULES | Comma-separated list of modules to skip for both "properties" and "dependencies" task. Use the gradle-name (so WITH leading ":"). NOTICE: when using this, neither the configured ID (group, name & version) nor the dependencies of these modules will be available! |
| GRADLE_USER_HOME | Specifies the directory for the Gradle user home, which typically contains cache files, build dependencies, and other configuration files used by Gradle. |
| SBT_CACHE_DIR | Specify sbt cache directory. Useful for class name resolving |
| FETCH_LICENSE | Set this variable to `true` or `1` to fetch license information from the registry. npm and golang |
| SEARCH_MAVEN_ORG | If maven metadata is missing in jar file, a search is performed on search.maven.org. Set to `false` or `0` to disable search. (defaults to `true`) |
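Review bot: Nothing in this hunk, or elsewhere in the visible docs diff, documents the option that makes the cross-BOM reference generation "configurable" as the PR title says; if it is driven by an environment variable it belongs in this table, with its default stated, next to the GRADLE_* rows being reorganised here. The GRADLE_USER_HOME row added at line 57 carries the same text as the one removed further down in this file, so that part of the change is a pure move.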
@@ -82,8 +83,6 @@ The following environment variables are available to configure the bom generatio
| PIP_TARGET | Specifies the target directory for pip installations, often used when dependencies are installed into temporary or isolated directories. |
| NODE_NO_READLINE | Set to `1` to disable canonical terminal settings and enable custom readline behavior for Node.js REPL or command-line tools. |
| CDXGEN_REPL_HISTORY | Specifies the path to save REPL command history. If not set and the default directory does not exist, REPL history will not be saved. |
| GRADLE_USER_HOME | Specifies the directory for the Gradle user home, which typically contains cache files, build dependencies, and other configuration files used by Gradle. |
| GRADLE_ARGS | A space-separated list of additional arguments passed to Gradle commands. Useful for providing custom profiles, configurations, or settings for builds. |
| SDKMAN_VERSION | Specifies the version of SDKMAN to use. Useful for managing SDKs and ensuring compatibility with tools and environments. |
| NVM_DIR | Defines the directory where Node Version Manager (NVM) is installed. Used to locate and manage Node.js versions in environments where NVM is utilized. |
| RBENV_CMD | rbenv command to use |
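Review bot: The GRADLE_ARGS row removed at the end of this hunk has no counterpart added anywhere in the visible diff, unlike GRADLE_USER_HOME, whose removal here pairs with the insertion in the first hunk. If GRADLE_ARGS is still read by the gradle code path, keep the row or say where it moved; if it has been superseded by the per-task GRADLE_ARGS_DEPENDENCIES that the workflow hunk uses, a one-line note pointing users at the replacement would avoid silently dropping a documented variable.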
16 changes: 16 additions & 0 deletions lib/cli/index.js
@@ -6554,6 +6554,22 @@ export async function createMultiXBom(pathList, options) {
parentComponent = parentComponent.components[0];
delete parentComponent.components;
}
// Add references between the multiple sub-boms
let parentDependencies = dependencies.find(
(d) => d["ref"] === parentComponent["bom-ref"],
(Inline review thread on the line above)

@prabhu (Collaborator), Jan 16, 2025:
Should we handle the case where this could match the child of the parent component?

Contributor Author:
I'm not quite sure if I follow you here... bom-refs should be unique, right? So in what case would this match a child component?

Collaborator:
parentComponent could have a list of components.

Contributor Author:
That is actually already handled in 31c082d!
);
if (!parentDependencies) {
parentDependencies = {
ref: parentComponent["bom-ref"],
};
dependencies = mergeDependencies(dependencies, parentDependencies);
}
if (!parentDependencies["dependsOn"]) {
parentDependencies["dependsOn"] = [];
}
for (const parentSub of parentSubComponents) {
parentDependencies["dependsOn"].push(parentSub["bom-ref"]);
}
}
// some cleanup, but not complete
for (const path of pathList) {
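Review bot: In the `if (!parentDependencies)` branch the freshly created object is handed to `mergeDependencies(dependencies, parentDependencies)` and the loop below then keeps pushing into that same local object's `dependsOn`; that is only correct if mergeDependencies returns the exact object reference it was given inside the new `dependencies` array. If it rebuilds entries (for instance to deduplicate dependsOn), the sub-BOM refs pushed here never reach `dependencies`. Safer ordering is to build the list first and merge once, assuming mergeDependencies takes arrays (the call here passes a bare object): `parentDependencies = { ref: parentComponent["bom-ref"], dependsOn: parentSubComponents.map((c) => c["bom-ref"]) };` followed by `dependencies = mergeDependencies(dependencies, [parentDependencies]);`. Two smaller points: `dependsOn.push` is done without a duplicate check, so a sub-BOM ref already listed, or two sub-BOMs sharing a bom-ref, yields repeated entries in a field that should hold unique refs; and `parentComponent["bom-ref"]` is used unguarded, so an undefined ref would match the first dependency entry that also lacks a `ref` instead of taking the create branch. The child-component match raised in the inline thread is stated to be handled in 31c082d, which is outside this hunk.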