ProjectDependency are missing from the components section of the BOM #432
Comments
I've noticed this behavior and as a user, I feel that it's a bug. The fact that these dependencies don't appear in the components section causes odd behavior in third party tools that consume the boms.

Yes, I've seen this too and also think it's a bug.

Just a heads-up that I finally have some time to invest into fixing this issue. I made good progress today and I now need to write extensive tests for the prototype. I'll open a PR (hopefully next week) when done with the tests.
… of the build (fix CycloneDX#432) Signed-off-by: Loic Rouchon <loic@loicrouchon.com>
…encies-as-components-432 Include local project dependencies as components #432
Hello,

In #368, I proposed a fix for #321 which was merged and released.

The fix was a generalization of the sub-projects handling to all projects part of the same Gradle build (i.e. dependencies of type `ProjectDependency`). This is done by adding such coordinates for those `ProjectDependency` to the `builtDependencies` local variable in `org.cyclonedx.gradle.CycloneDxTask#createBom`. This avoids trying to fetch the BOM for those dependencies remotely as they are local ones.

However, I realized a side effect of doing this was resulting in local project dependencies not being part of the `"components"` section of the BOM and I don't think this is the intended behavior as it means those would still be expressed in the `"dependencies"` section, but without a way to check the licenses nor the hashes of such dependencies in the `"components"` section.

Could you confirm if this is intended behavior? If not I can try to contribute a fix.
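The gap described above can be checked mechanically on any CycloneDX JSON BOM: every `bom-ref` that appears in the `dependencies` graph should have a matching entry in `components` (or be the root component under `metadata`). The script below is an added example, not code from the plugin or this issue; the BOM it inspects is a constructed sample that reproduces the symptom with a local project `core` that has no component entry.

```python
import json

# Constructed sample CycloneDX 1.4 JSON BOM (not produced by the plugin) showing
# the symptom from this issue: the local project "core" is referenced in
# "dependencies" but has no entry in "components", so a consumer cannot check
# its licenses or hashes.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "app",
                               "bom-ref": "pkg:maven/com.example/app@1.0.0"}},
    "components": [
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0",
         "bom-ref": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]}
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/app@1.0.0",
         "dependsOn": ["pkg:maven/com.example/core@1.0.0",
                       "pkg:maven/org.apache.commons/commons-lang3@3.12.0"]},
        {"ref": "pkg:maven/com.example/core@1.0.0",
         "dependsOn": ["pkg:maven/org.apache.commons/commons-lang3@3.12.0"]},
        {"ref": "pkg:maven/org.apache.commons/commons-lang3@3.12.0", "dependsOn": []}
    ]
})


def declared_refs(bom: dict) -> set:
    """bom-refs that have a component entry, plus the root component's ref."""
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in root:
        refs.add(root["bom-ref"])
    return refs


def dangling_dependency_refs(bom_json: str) -> set:
    """Return every bom-ref used in the dependency graph with no matching component.

    These are exactly the entries a consumer can reach by walking "dependencies"
    but for which "components" offers no licenses or hashes to evaluate.
    """
    bom = json.loads(bom_json)
    used = set()
    for entry in bom.get("dependencies", []):
        used.add(entry["ref"])
        used.update(entry.get("dependsOn", []))
    return used - declared_refs(bom)
```

Running `dangling_dependency_refs` over a BOM produced by the plugin at the affected version reports each local `ProjectDependency` that ended up in `dependencies` only.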