
ProjectDependency are missing from the components section of the BOM #432

Closed · loicrouchon opened this issue Apr 30, 2024 · 4 comments
Labels: bug (Something isn't working)

@loicrouchon (Contributor)

Hello,

In #368, I proposed a fix for #321 which was merged and released.

The fix was a generalization of the sub-projects handling to all projects part of the same Gradle build (i.e. dependencies of type ProjectDependency).

This is done by adding the coordinates of those ProjectDependency instances to the builtDependencies local variable in org.cyclonedx.gradle.CycloneDxTask#createBom. This avoids trying to fetch the BOM for those dependencies remotely, as they are local ones.

However, I realized that a side effect of doing this was that local project dependencies were no longer part of the "components" section of the BOM, and I don't think this is the intended behavior, as it means those would still be expressed in the "dependencies" section but without a way to check the licenses or the hashes of such dependencies in the "components" section.

Could you confirm whether this is intended behavior? If not, I can try to contribute a fix.
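As an added illustration (not code from the plugin or from anyone in this thread), a consumer-side check that flags exactly the symptom described above: bom-refs used in the "dependencies" graph that have no backing entry in "components" (or in metadata.component), so no hashes or licenses can be audited for them. The BOM below is a constructed sample, not plugin output; the lib-b coordinates and the hash value are made up.

```python
import json
# Constructed sample BOM: "app" depends on an external library and on a sibling
# Gradle project "lib-b". The sibling project appears under "dependencies" but
# has no entry under "components", mirroring the issue described above.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "app",
                               "bom-ref": "pkg:maven/com.example/app@1.0.0"}},
    "components": [
        {"type": "library", "name": "slf4j-api", "version": "2.0.13",
         "bom-ref": "pkg:maven/org.slf4j/slf4j-api@2.0.13",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}],  # constructed value
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/app@1.0.0",
         "dependsOn": ["pkg:maven/org.slf4j/slf4j-api@2.0.13",
                       "pkg:maven/com.example/lib-b@1.0.0"]},
        {"ref": "pkg:maven/org.slf4j/slf4j-api@2.0.13", "dependsOn": []},
        {"ref": "pkg:maven/com.example/lib-b@1.0.0", "dependsOn": []},
    ],
})

def declared_refs(bom):
    """Every bom-ref that has a component behind it: metadata.component plus
    all entries of "components", including nested sub-components."""
    refs = set()
    def walk(components):
        for c in components:
            if "bom-ref" in c:
                refs.add(c["bom-ref"])
            walk(c.get("components", []))  # CycloneDX allows nesting
    meta = bom.get("metadata", {}).get("component")
    walk([meta] if meta else [])
    walk(bom.get("components", []))
    return refs

def dangling_dependency_refs(bom_json):
    """Refs used anywhere in the dependency graph (as "ref" or in "dependsOn")
    that no component declares; these carry no hashes or license data."""
    bom = json.loads(bom_json)
    used = set()
    for dep in bom.get("dependencies", []):
        used.add(dep["ref"])
        used.update(dep.get("dependsOn", []))
    return sorted(used - declared_refs(bom))

if __name__ == "__main__":
    for ref in dangling_dependency_refs(SAMPLE_BOM):
        print("dependency with no component entry (no hashes/licenses):", ref)
```

Running the check on a real BOM produced by an affected plugin version would list every local project dependency the same way.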

@ericparton

I've noticed this behavior and, as a user, I feel that it's a bug. The fact that these dependencies don't appear in the components section causes odd behavior in third-party tools that consume the BOMs.

@HoustonPutman

Yes, I've seen this too and also think it's a bug.

@skhokhlov skhokhlov added the bug Something isn't working label Jul 25, 2024
@loicrouchon (Contributor, Author)

Just a heads-up that I finally have some time to invest into fixing this issue. I made good progress today and I now need to write extensive tests for the prototype. I'll open a PR (hopefully next week) when done with the tests.

loicrouchon added a commit to loicrouchon/cyclonedx-gradle-plugin that referenced this issue Jul 29, 2024
… of the build (fix CycloneDX#432)

Signed-off-by: Loic Rouchon <loic@loicrouchon.com>
skhokhlov added a commit that referenced this issue Jul 31, 2024
…encies-as-components-432

Include local project dependencies as components #432

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 31, 2024