
Updating from 1.6.1 not possible, build fails with 1.7.0 and 1.7.1

Open mduft opened this issue 1 year ago • 2 comments

As soon as I update our build from 1.6.1 to >=1.7.0, it fails. With 1.6.1:

> Task :cyclonedxBom
Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword

BUILD SUCCESSFUL in 9s

With 1.7.x:

> Task :cyclonedxBom
Unable to resolve POM for org.junit.jupiter:junit-jupiter-params:5.9.0: org.gradle.api.internal.artifacts.ivyservice.DefaultLenientConfiguration$ArtifactResolveException: Could not resolve all files for configuration ':detachedConfiguration33'.

> Task :cyclonedxBom FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':cyclonedxBom'.
> The BOM does not conform to the CycloneDX BOM standard

Our cycloneDx task looks rather simple, actually:

apply plugin: 'org.cyclonedx.bom'

cyclonedxBom {
    // only the runtime dependency graph goes into the BOM
    includeConfigs = ["runtimeClasspath"]
}

It seems that something in the BOM is wrong with newer versions. I tried to validate the bom.xml using cyclonedx-cli, but it only tells me that validation fails, without any details about the problem.

Maybe also noteworthy: the new version of the plugin seems to at least fail to identify the version number of the project (i.e. instead of the version number it writes "unspecified" in the BOM, which is definitely wrong).

I attached both the 1.6.1 and 1.7.1 written BOMs to this ticket: boms.zip

Everything except the cycloneDx plugin version is identical.

The current (failing) state of our project for reproduction can be found here in commit b5f37d0f

mduft avatar Oct 03 '22 07:10 mduft

Thanks for reporting this @mduft.

Could you try specifying a group and version property in your root build.gradle file?

glefloch avatar Oct 03 '22 08:10 glefloch

version is already present. Adding a group fixes the issue, thanks. Although the actual root project is never published to Maven in any way, so maybe it is not a good idea to include a Maven packageUrl for it?

mduft avatar Oct 03 '22 08:10 mduft
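The thread turns on two things cyclonedx-cli did not point out: the root project's component had no group and a version of "unspecified", so its Maven package URL could not be well-formed. The script below is an added example, not code from cyclonedx-gradle-plugin or cyclonedx-cli. It parses a CycloneDX XML BOM and reports, per component, a missing <group>, a placeholder version, and a pkg:maven purl whose namespace is empty or whose version is unusable, so that the failure is localised to a component rather than reported as a bare "does not conform". The sample BOM is constructed; the exact purl the plugin writes for a group-less project is not shown on this page, so the value in the sample is an assumption.

```python
"""Lint a CycloneDX XML BOM for a missing group, placeholder version and
malformed pkg:maven purl.  Added example; the sample BOM is constructed."""
import re
import xml.etree.ElementTree as ET

# pkg:maven/<namespace>/<name>@<version>[?qualifiers][#subpath]
# The package-url spec makes the namespace (Maven groupId) mandatory for type "maven".
MAVEN_PURL = re.compile(
    r"^pkg:maven/(?P<ns>[^/@?#]*)/(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]*))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)

# Values a build tool writes when it does not actually know the version.
PLACEHOLDER_VERSIONS = {"", "unspecified", "unknown"}


def check_maven_purl(purl):
    """Return a list of problems with a pkg:maven purl (empty list if it is fine)."""
    m = MAVEN_PURL.match(purl or "")
    if not m:
        return [f"purl {purl!r} is not of the form pkg:maven/<group>/<artifact>@<version>"]
    problems = []
    if not m.group("ns"):
        problems.append(f"purl {purl!r} has an empty Maven namespace (group)")
    if (m.group("version") or "") in PLACEHOLDER_VERSIONS:
        problems.append(f"purl {purl!r} has no usable version")
    return problems


def _text(elem, tag):
    """Text of the first direct child named <tag>, ignoring the XML namespace, or None."""
    for child in elem:
        if child.tag.split("}")[-1] == tag:
            return (child.text or "").strip()
    return None


def check_component(elem):
    """Label and list of problems for one <component> element."""
    group, name, version, purl = (_text(elem, t) for t in ("group", "name", "version", "purl"))
    problems = []
    if not group:
        problems.append("no <group>")
    if version is None or version in PLACEHOLDER_VERSIONS:
        problems.append(f"version is {version!r}")
    if purl is None:
        problems.append("no <purl>")
    elif purl.startswith("pkg:maven/"):
        problems.extend(check_maven_purl(purl))
        m = MAVEN_PURL.match(purl)
        # The purl must agree with the component's own coordinates.
        if m and group and (m.group("ns"), m.group("name")) != (group, name):
            problems.append(f"purl {purl!r} disagrees with group/name {group}:{name}")
    return f"{group or '?'}:{name or '?'}:{version or '?'}", problems


def lint_bom(xml_text):
    """Map every component in the BOM (metadata component included) to its problems."""
    root = ET.fromstring(xml_text)
    report = {}
    for elem in root.iter():
        if elem.tag.split("}")[-1] == "component":
            label, problems = check_component(elem)
            report[label] = problems
    return report


# Constructed sample in the shape of a CycloneDX 1.4 XML BOM.  The metadata
# component mirrors the symptom in the thread (root project with no group and
# version "unspecified"); the purl it carries is an assumption, not a value
# quoted from the plugin's output.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="application">
      <name>myapp</name>
      <version>unspecified</version>
      <purl>pkg:maven//myapp@unspecified</purl>
    </component>
  </metadata>
  <components>
    <component type="library">
      <group>org.junit.jupiter</group>
      <name>junit-jupiter-params</name>
      <version>5.9.0</version>
      <purl>pkg:maven/org.junit.jupiter/junit-jupiter-params@5.9.0?type=jar</purl>
    </component>
  </components>
</bom>
"""

if __name__ == "__main__":
    for label, problems in lint_bom(SAMPLE_BOM).items():
        print(("BAD " if problems else "OK  ") + label)
        for p in problems:
            print("      - " + p)
```

Run against a real bom.xml by replacing SAMPLE_BOM with the file's contents; a component that only shows up as "no <group>" is the case the thread resolved by setting `group` in the root build.gradle, and a root project that is never published can reasonably be flagged rather than given a Maven purl at all.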