One SBOM file for all dependencies in a multi-module Android project #288

Open
mindhacker42 opened this issue Apr 14, 2023 · 5 comments
Labels: android (Android related issues)

Comments

@mindhacker42

Is it possible to generate with this plugin one big SBOM file that would include all dependencies from a multi-module project?

We have a common setup where there is an app module which includes other modules via implementation project('module1'). In the generated SBOM file the dependencies listed are only the non-project dependencies, i.e. implementation 'com.squareup.retrofit2:retrofit:2.9.0', but not the project dependencies.
Because of that we don't get all dependencies listed for the app module and would need to resort to somehow gathering all SBOMs per module and merging them together.
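The post above mentions gathering the per-module SBOMs and merging them. As an added example (not code from this issue or from the plugin), here is a small Python merge of CycloneDX 1.4 JSON BOMs: components are deduplicated by bom-ref, dependency edges are unioned, and each module's own component is attached under the root application. It assumes every module BOM handed in is a direct project dependency of the root; the two sample BOMs and their purls are constructed.

```python
from copy import deepcopy

RETROFIT = "pkg:maven/com.squareup.retrofit2/retrofit@2.9.0"
OKHTTP = "pkg:maven/com.squareup.okhttp3/okhttp@4.9.0"
APP_REF = "pkg:maven/com.example/app@1.0"
MOD1_REF = "pkg:maven/com.example/module1@1.0"

def lib(ref):
    """Build a minimal CycloneDX library component whose bom-ref equals its purl."""
    name, version = ref.rsplit("/", 1)[1].split("@")
    return {"type": "library", "bom-ref": ref, "purl": ref, "name": name, "version": version}

# Constructed sample BOMs (CycloneDX 1.4 JSON), one per Gradle module, mirroring the
# per-module output described in the issue: the app BOM lists only the external
# retrofit dependency, not the project('module1') dependency.
BOM_APP = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": APP_REF, "name": "app", "version": "1.0"}},
    "components": [lib(RETROFIT)],
    "dependencies": [{"ref": APP_REF, "dependsOn": [RETROFIT]}],
}
BOM_MODULE1 = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "library", "bom-ref": MOD1_REF, "name": "module1", "version": "1.0"}},
    "components": [lib(OKHTTP), lib(RETROFIT)],  # retrofit appears in both BOMs
    "dependencies": [{"ref": MOD1_REF, "dependsOn": [OKHTTP, RETROFIT]},
                     {"ref": RETROFIT, "dependsOn": [OKHTTP]}],
}

def merge_boms(root_bom, module_boms):
    """Merge per-module BOMs into one: keep the root's metadata, dedupe components
    by bom-ref, union dependency edges, and attach each module as a component the
    root depends on (assumption: every module BOM is a direct project dependency)."""
    merged = deepcopy(root_bom)
    root_ref = merged["metadata"]["component"]["bom-ref"]
    by_ref = {c["bom-ref"]: c for c in merged.get("components", [])}
    edges = {d["ref"]: set(d.get("dependsOn", [])) for d in merged.get("dependencies", [])}
    for bom in module_boms:
        mod = bom["metadata"]["component"]
        by_ref.setdefault(mod["bom-ref"], deepcopy(mod))   # module itself becomes a component
        edges.setdefault(root_ref, set()).add(mod["bom-ref"])  # the missing project() edge
        for c in bom.get("components", []):
            by_ref.setdefault(c["bom-ref"], deepcopy(c))   # first occurrence wins
        for d in bom.get("dependencies", []):
            edges.setdefault(d["ref"], set()).update(d.get("dependsOn", []))
    merged["components"] = [by_ref[r] for r in sorted(by_ref)]
    merged["dependencies"] = [{"ref": r, "dependsOn": sorted(edges[r])} for r in sorted(edges)]
    return merged
```

Feed it the parsed bom.json of the app module plus those of each module it depends on; the result keeps the app's metadata and lists retrofit once.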

@ronanbrowne

@mindhacker42, did you find any solution to this? We see the same on large multi-module builds; I want one SBOM, not dozens.

@mandrachek

I'm having problems getting it to work at all... but theoretically, if you apply the plugin only in your :app module, it should find all the dependencies from your child modules (since the app module depends on them). This is how the OWASP dependency checker works anyway; you don't need it on each feature/library module.

@ankursharma180

ankursharma180 commented Jan 23, 2024

In a Maven project we can achieve that using the plugin below, which produces an aggregated bom.xml for all projects. Isn't there a similar kind of plugin for Gradle? Anything which can help generate an aggregated BOM?

<plugin>
    <groupId>org.cyclonedx</groupId>
    <artifactId>cyclonedx-maven-plugin</artifactId>
    <version>2.7.11</version>
    <executions>
        <execution>
            <goals>
                <goal>makeAggregateBom</goal>
            </goals>
        </execution>
    </executions>
</plugin>

@vajain-1982

Any solution/workaround on this yet?

@ankursharma180

ankursharma180 commented Mar 11, 2024

Hi @vajain-1982
I did something and it worked for me; maybe it can help:
(1) I am using Jenkins, so I updated the build and added a dependencyTrackPublisher stage.
(2) Change the values in bold below; you'll need API_KEY, so configure that.
(3) I was facing an issue fetching artifactVersion, so I took it from gradle.properties.
(4) Change the bold highlighted fields as per your project in the dependencyTrackPublisher stage.
(5) group: 'ABC' is not the groupId but the container parent project; for my other Maven projects this was the same.

stages {
    stage('Build') {
        steps {
            withGradle {
                // cyclonedxBom writes build/reports/bom.xml
                sh './gradlew clean build jar test cyclonedxBom'
            }
        }
    }
    stage('dependencyTrackPublisher') {
        steps {
            script {
                artifactId = "xyz"
                // read the "version = x.y.z" line from gradle.properties and keep the value after '='
                artifactVersion = sh(returnStdout: true, script: "grep -w 'version =' gradle.properties").trim().split(/=/)[1].trim()
                groupId = "com.ankursharma.xyz"
            }
            withCredentials([string(credentialsId: 'DependencyTrack-API', variable: 'API_KEY')]) {
                dependencyTrackPublisher artifact: 'build/reports/bom.xml', projectName: """$artifactId""", projectVersion: """$groupId/$artifactVersion""", synchronous: true, dependencyTrackApiKey: API_KEY, projectProperties: [tags: ['trunk','xyz'], swidTagId: """$artifactId""", group: 'ABC']
            }
        }
    }
}

In build.gradle, set the following:

plugins {
    id 'org.cyclonedx.bom' version '1.6.1'
}

allprojects {
    repositories {
        maven {
            url xxxxxxxxxxxx
        }
    }
    apply plugin: 'org.cyclonedx.bom'
}

@skhokhlov skhokhlov added the android Android related issues label Jul 31, 2024