I have successfully created SBOMs from several in-house projects (can't share the source, sorry) using versions 1.7.3 and 1.7.4 of the org.cyclonedx.bom plugin. However, in one project the tools section of the SBOM contains a single entry with no properties, like this.
I don't understand the spec well enough to know if this is invalid, strictly speaking, but it's clearly not what's intended. In particular it causes https://github.com/CycloneDX/sbom-comparator to fail to compare the files, unless I manually fix or remove the incorrect entry.
Through debugging the Gradle build process, I believe the problem is that the problem project also uses com.netflix.nebula:gradle-info-plugin:9.2.0 and org.ajoberstar.grgit:grgit-gradle:4.1.0, which indirectly pulls in JAR org.eclipse.jgit:org.eclipse.jgit:6.7.0.202309050840-r. That JAR also contains a file plugin.properties at the top level of its resources folder, which of course has a completely different set of properties.
Which plugin.properties is found first on the classpath appears to depend (in my case) on the hash which Gradle computes for the JAR because that's the leftmost difference in the paths to the JARs.
I think the solution to this is that the CycloneDX plugin should move its plugin.properties to a namespaced sub-folder within the JAR, e.g., resources/org/cyclonedx/gradle/plugin.properties (or maybe a further sub-level if you have other plugins/JARs under the org.cyclonedx.gradle namespace which might have a plugin.properties).
Ideally also the JGit JAR would not list resources at the top level, but that's not something the maintainers of this plugin can fix.
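The collision described in this issue can be reproduced without Gradle at all, because a JAR is a zip and `ClassLoader.getResource` simply returns the entry from whichever classpath element lists it first. The script below is an added example, not code from the CycloneDX plugin or from JGit: it builds two constructed JARs (the property keys inside them are made up for illustration, not the real contents of either project's plugin.properties), mimics the first-match lookup in Python, shows that the winner flips with classpath order, reports every entry that is shadowed between the JARs, and shows that a namespaced path such as org/cyclonedx/gradle/plugin.properties is unaffected. `find_shadowed` can be pointed at the real JARs of a buildscript classpath to audit for the same problem.

```python
import os
import tempfile
import zipfile
from collections import defaultdict

# Constructed sample contents; the real files in either project differ.
CYCLONEDX_PROPS = b"name=cyclonedx-gradle-plugin\nversion=1.7.4\n"
JGIT_PROPS = b"plugin.name=org.eclipse.jgit\nplugin.version=6.7.0\n"


def make_jar(path, entries):
    """Write a JAR (a plain zip) containing {entry_name: bytes} members."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path


def build_sample_jars(tmpdir):
    """Two hypothetical JARs that both ship a top-level plugin.properties."""
    cdx = make_jar(os.path.join(tmpdir, "cyclonedx-gradle-plugin.jar"), {
        "plugin.properties": CYCLONEDX_PROPS,                      # current layout
        "org/cyclonedx/gradle/plugin.properties": CYCLONEDX_PROPS,  # proposed layout
    })
    jgit = make_jar(os.path.join(tmpdir, "org.eclipse.jgit.jar"), {
        "plugin.properties": JGIT_PROPS,
    })
    return cdx, jgit


def get_resource(classpath, name):
    """Mimic ClassLoader.getResource: the first JAR on the classpath that
    contains the entry wins; later copies are silently ignored."""
    for jar in classpath:
        with zipfile.ZipFile(jar) as zf:
            if name in zf.namelist():
                return jar, zf.read(name)
    return None, None


def parse_properties(data):
    """Minimal java.util.Properties reader (key=value lines, # or ! comments)."""
    props = {}
    for line in data.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_shadowed(classpath):
    """Return {entry: [jars...]} for every file entry present in more than one
    JAR, i.e. every resource whose lookup result depends on classpath order.
    META-INF is skipped because duplicates there (manifests, licences) are normal."""
    owners = defaultdict(list)
    for jar in classpath:
        with zipfile.ZipFile(jar) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.filename.startswith("META-INF/"):
                    continue
                owners[info.filename].append(jar)
    return {entry: jars for entry, jars in owners.items() if len(jars) > 1}


def demo():
    """Reproduce the collision both ways round and show the namespaced fix."""
    with tempfile.TemporaryDirectory() as tmp:
        cdx, jgit = build_sample_jars(tmp)
        summary = {"shadowed": sorted(find_shadowed([cdx, jgit]))}
        for label, order in (("cdx_first", [cdx, jgit]), ("jgit_first", [jgit, cdx])):
            jar, data = get_resource(order, "plugin.properties")
            summary[label] = (os.path.basename(jar), parse_properties(data))
        # With JGit first on the classpath the namespaced entry still resolves correctly.
        jar, data = get_resource([jgit, cdx], "org/cyclonedx/gradle/plugin.properties")
        summary["namespaced"] = (os.path.basename(jar), parse_properties(data))
        return summary


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the JGit JAR ahead on the classpath, the plugin's lookup of plugin.properties returns JGit's keys, so any `name`/`version` lookups come back empty, which matches the empty tools entry reported above; the same lookup through the namespaced path is unaffected by ordering.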