cyclonedx-gradle-plugin
Updating from 1.6.1 not possible, build fails with 1.7.0 and 1.7.1
As soon as I update our build from 1.6.1 to >=1.7.0, it fails. With 1.6.1:
> Task :cyclonedxBom
Unknown keyword additionalItems - you should define your own Meta Schema. If the keyword is irrelevant for validation, just use a NonValidationKeyword
BUILD SUCCESSFUL in 9s
With 1.7.x:
> Task :cyclonedxBom
Unable to resolve POM for org.junit.jupiter:junit-jupiter-params:5.9.0: org.gradle.api.internal.artifacts.ivyservice.DefaultLenientConfiguration$ArtifactResolveException: Could not resolve all files for configuration ':detachedConfiguration33'.
> Task :cyclonedxBom FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':cyclonedxBom'.
> The BOM does not conform to the CycloneDX BOM standard
Our cycloneDx task looks rather simple, actually:
apply plugin: 'org.cyclonedx.bom'
cyclonedxBom {
includeConfigs = ["runtimeClasspath"]
}
It seems that something in the bom is wrong with newer versions. I tried to validate the bom.xml using cyclonedx-cli, but it only tells me that validation fails, with no details about the problem.
Maybe noteworthy is also that the new version of the plugin seems to at least fail to identify the version number of the project (i.e. instead of the version number it writes unspecified in the BOM), which is definitely wrong.
I attached both the 1.6.1 and 1.7.1 written BOMs to this ticket: boms.zip
Everything except the cycloneDx plugin version is identical.
The current (failing) state of our project for reproduction can be found here in commit b5f37d0f
Thanks for reporting this @mduft.
Could you try specifying a group and version property in your root build.gradle file?
version is already present. Adding a group fixes the issue, thanks. Although the actual root project is never actually published to maven in any way, so maybe it is not a good idea to include a maven packageUrl for it?
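Since cyclonedx-cli reports only that validation fails, a quick pre-check for the two symptoms discussed in this thread (a component whose version is "unspecified", and a Maven purl generated without a group) can be scripted. The following is an added example, not code from the cyclonedx-gradle-plugin project; the BOM it parses is a constructed sample, and the CycloneDX 1.4 namespace is an assumption, since the thread does not state which schema version the plugin emitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the symptom in this thread: the root project component has no group and version "unspecified".
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="library">
      <name>example-root</name>
      <version>unspecified</version>
      <purl>pkg:maven/example-root@unspecified</purl>
    </component>
  </metadata>
  <components>
    <component type="library">
      <group>org.junit.jupiter</group>
      <name>junit-jupiter-params</name>
      <version>5.9.0</version>
      <purl>pkg:maven/org.junit.jupiter/junit-jupiter-params@5.9.0?type=jar</purl>
    </component>
  </components>
</bom>"""

NS = {"cdx": "http://cyclonedx.org/schema/bom/1.4"}  # assumed schema version


def check_component(comp):
    """Return a list of findings for one <component> element."""
    findings = []
    name = comp.findtext("cdx:name", default="", namespaces=NS)
    group = comp.findtext("cdx:group", default="", namespaces=NS)
    version = comp.findtext("cdx:version", default="", namespaces=NS)
    purl = comp.findtext("cdx:purl", default="", namespaces=NS)
    label = f"{group}:{name}" if group else name
    if version in ("", "unspecified"):
        findings.append(f"{label}: version is '{version or '<missing>'}'")
    # A Maven purl is pkg:maven/<group>/<name>@<version>; without a group the namespace segment is missing.
    if purl.startswith("pkg:maven/"):
        rest = purl[len("pkg:maven/"):].split("?", 1)[0]
        if "/" not in rest:
            findings.append(f"{label}: maven purl lacks a group: {purl}")
    return findings


def find_bom_problems(xml_text):
    """Parse a CycloneDX XML BOM and report components likely to fail schema validation."""
    root = ET.fromstring(xml_text)
    problems = []
    for comp in root.iter(f"{{{NS['cdx']}}}component"):
        problems.extend(check_component(comp))
    return problems
```

Running `find_bom_problems` over the generated bom.xml before handing it to cyclonedx-cli points at the offending component directly, which is what the validator output in this thread does not do.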