Order components and dependencies by purl and ref to have reproducible output #457
Conversation
You can just use TreeSet instead of HashSet https://docs.oracle.com/javase/8/docs/api/java/util/TreeSet.html
fbdb878 to f15d4d5
Thanks, way better. Changed.
Hi. Is there a time-frame for PRs to be reviewed/merged? Also, for the releases?
I think this https://github.com/CycloneDX/cyclonedx-gradle-plugin/blob/master/src/main/java/org/cyclonedx/gradle/CycloneDxTask.java#L398 can be removed now
Sorry, could not tie your comment to the changes in the PR. Can you elaborate?
…e output. Signed-off-by: Emir Uner <emir.uner@mendix.com>
Signed-off-by: Emir Uner <emir.uner@mendix.com>
Signed-off-by: Emir Uner <emir.uner@mendix.com>
46dabde to 45fa062
Though I still do not see the connection, I simplified the code in createBom a bit more within two additional commits.
Sorry, the code moved a little bit. I meant this https://github.com/CycloneDX/cyclonedx-gradle-plugin/pull/457/files#diff-7d5ff0e9f240ba234a7a8e596f574d6fe41631e6fb16f8a1d2a252a6ae5ac72fL413 which is removed now. Thank you!
As the components and dependencies are stored in `HashSet` and `HashMap`, when converted to lists, the order is not well defined and seems to change from time to time, especially when run on different computers. In this PR, components and dependencies are sorted before the BOM is written to have the same order, given the same dependencies.
This should fix part of this issue: #292
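The ordering described in this PR and the `TreeSet` suggestion from the review, as an added stand-alone example (not the plugin's own code): `Component` and `Dependency` below are hypothetical stand-ins for the CycloneDX model classes, and the sample purls and refs are constructed. Components are ordered by purl and dependencies (and their `dependsOn` refs) by ref, so two runs that insert the same data in different `HashSet`/`HashMap` orders render an identical BOM.

```java
import java.util.*;

// Hypothetical stand-ins for the CycloneDX Component and Dependency classes.
final class Component {
    final String purl;
    Component(String purl) { this.purl = purl; }
}

final class Dependency {
    final String ref;                 // bom-ref of the dependent component
    final SortedSet<String> dependsOn; // bom-refs it depends on, already ordered
    Dependency(String ref, SortedSet<String> dependsOn) { this.ref = ref; this.dependsOn = dependsOn; }
}

public class ReproducibleBom {
    // Order components by purl so serialization does not depend on HashSet iteration order.
    static List<Component> orderComponents(Set<Component> components) {
        TreeSet<Component> ordered = new TreeSet<>(Comparator.comparing(c -> c.purl));
        ordered.addAll(components);
        return new ArrayList<>(ordered);
    }

    // Order dependencies by ref, and each dependsOn set by ref, for the same reason.
    static List<Dependency> orderDependencies(Map<String, Set<String>> graph) {
        List<Dependency> ordered = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : new TreeMap<>(graph).entrySet()) {
            ordered.add(new Dependency(e.getKey(), new TreeSet<>(e.getValue())));
        }
        return ordered;
    }

    // Render a stable textual form; equal inputs must give byte-identical output.
    static String render(List<Component> components, List<Dependency> dependencies) {
        StringBuilder sb = new StringBuilder();
        for (Component c : components) sb.append("component ").append(c.purl).append('\n');
        for (Dependency d : dependencies)
            sb.append("dependency ").append(d.ref).append(" -> ").append(String.join(",", d.dependsOn)).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inserted in two different orders to mimic HashSet/HashMap instability.
        Component a = new Component("pkg:maven/org.example/a@2.0"), b = new Component("pkg:maven/org.example/b@1.0");
        Set<Component> run1 = new HashSet<>(Arrays.asList(b, a)), run2 = new HashSet<>(Arrays.asList(a, b));
        Map<String, Set<String>> graph = new HashMap<>();
        graph.put("org.example:b:1.0", new HashSet<>(Collections.singletonList("org.example:a:2.0")));
        graph.put("org.example:a:2.0", new HashSet<>());
        String out1 = render(orderComponents(run1), orderDependencies(graph));
        String out2 = render(orderComponents(run2), orderDependencies(graph));
        System.out.print(out1);
        System.out.println("identical across runs: " + out1.equals(out2));
    }
}
```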