Order components and dependencies by purl and ref to have reproducible output #457
Conversation
|
You can just use TreeSet instead of HashSet https://docs.oracle.com/javase/8/docs/api/java/util/TreeSet.html |
emirmx
force-pushed
the
order-components-dependencies-in-the-output
branch
from
fbdb878
to
f15d4d5
Compare
Thanks, way better. Changed. |
|
Hi. Is there a time-frame for PR's to be reviewed/merged? Also, for the releases? |
There was a problem hiding this comment.
I think this https://github.com/CycloneDX/cyclonedx-gradle-plugin/blob/master/src/main/java/org/cyclonedx/gradle/CycloneDxTask.java#L398 can be removed now
Sorry, could not tie your comment to the changes in the PR. Can you elaborate? |
…e output. Signed-off-by: Emir Uner <emir.uner@mendix.com>
Signed-off-by: Emir Uner <emir.uner@mendix.com>
Signed-off-by: Emir Uner <emir.uner@mendix.com>
emirmx
force-pushed
the
order-components-dependencies-in-the-output
branch
from
46dabde
to
45fa062
Compare
Though I still do not see the connection, I simplified the code in createBom a bit more within two additional commits. |
There was a problem hiding this comment.
Sorry, the code moved a little bit. I meant this https://github.com/CycloneDX/cyclonedx-gradle-plugin/pull/457/files#diff-7d5ff0e9f240ba234a7a8e596f574d6fe41631e6fb16f8a1d2a252a6ae5ac72fL413 which is removed now. Thank you!
As the components and dependencies are stored in
HashSetandHashMap, when converted to lists, the order is not well defined and seems to change from time to time, especially when run on different computers.In this PR, components and dependencies are sorted before the BOM is written to have the same order, given same dependencies.
This should fix part of this issue: #292