
Why is cyclonedx-gradle-plugin better than cyclonedx-cli?

Open 2013kaa opened this issue 1 year ago • 4 comments

My developers torment me with the question: why do we use the cyclonedx-gradle-plugin if there is a cyclonedx-cli?

How is it better and why is it better than cyclonedx-cli?

2013kaa avatar Oct 25 '22 09:10 2013kaa

I think both will end up with the same result; however, having a plugin (Gradle or Maven) makes it simpler to use. You don't need to install anything to get it running. Therefore, it is easy to update and to use in a CI environment.

This is just my two cents, maybe @stevespringett has other arguments.

glefloch avatar Oct 25 '22 13:10 glefloch

@glefloch unfortunately not)) It's just easier than the CLI: in CI/CD you can just make a separate stage where there will be a ready-made image with cyclonedx-cli. In the case of a plugin, you first determine which collector (Gradle, Maven, sbt), then add it using the init script, and there must also be an image with the corresponding version of Gradle and Java.

2013kaa avatar Oct 25 '22 18:10 2013kaa

CycloneDX-CLI and the CycloneDX Gradle plugin are two different tools for different purposes: the Gradle plugin is for making BOMs (specifically for Gradle projects), while the CLI tool is for manipulating and analyzing BOMs; it doesn't make them.

There are other CLI tools out there that can produce CycloneDX BOMs, like Syft for example, but the ones I've seen are typically a jack-of-all-trades-master-of-none and give inaccurate results. Steve has a write-up (or maybe it's a YouTube video?) somewhere that talks about it, but the important difference between those tools and the Maven/Gradle plugin is how they're sourcing their information.

The native plugins use Gradle/Maven and the build.gradle/pom.xml to know everything they'd ever need about your project, whereas other tools typically rely on scanning Docker images, directories, or the compiled JARs after the fact and are missing a lot of information as a result. Things like dependency graphs, accurate GAV coordinates (because of missing groupIds), license information, hashes, etc. are missing simply because the data isn't available after you've built your artifact.

ThomGeG avatar Nov 03 '22 04:11 ThomGeG
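The difference ThomGeG describes is easy to measure on the BOM itself: count how many components lack a group, a purl, hashes and licenses, and whether a dependency graph is present at all. The script below is an added example written for this page, not code from the cyclonedx-gradle-plugin or cyclonedx-cli projects. The two inline BOMs are constructed samples (the SHA-256 values are placeholders), one shaped like what a build-integrated plugin emits and one shaped like the output of a JAR-directory scan; the report function, field names aside, follows the CycloneDX 1.4 JSON layout (`components`, `bom-ref`, `hashes`, `licenses`, `dependencies` with `ref`/`dependsOn`).

```python
"""Completeness check for a CycloneDX JSON BOM.

Added example for this issue thread; not part of cyclonedx-gradle-plugin.
It reports the data points that post-hoc scanners tend to drop: groupId,
purl, hashes, licenses and the dependency graph.
"""
import json

# Constructed sample: the shape of a BOM produced from the build itself.
# The hash values are placeholders, not real digests.
PLUGIN_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {
        "type": "application", "bom-ref": "pkg:maven/com.example/app@1.0.0",
        "group": "com.example", "name": "app", "version": "1.0.0"}},
    "components": [
        {"type": "library",
         "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
         "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library",
         "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.4",
         "group": "com.fasterxml.jackson.core", "name": "jackson-core",
         "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.4",
         "hashes": [{"alg": "SHA-256", "content": "1" * 64}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
    "dependencies": [
        {"ref": "pkg:maven/com.example/app@1.0.0",
         "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"]},
        {"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
         "dependsOn": ["pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.4"]},
        {"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.4",
         "dependsOn": []},
    ],
})

# Constructed sample: the shape of a BOM recovered by scanning a directory of
# JARs after the build. Only artifactId and version survive; no groupId, no
# purl, no hashes, no licenses, no graph.
SCAN_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.13.4"},
        {"type": "library", "name": "jackson-core", "version": "2.13.4"},
    ],
})


def completeness_report(bom_json: str) -> dict:
    """Count the fields a consumer (vulnerability matching, licence review,
    artifact verification) needs, and how much of the graph is present."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    comps = bom.get("components", [])
    deps = bom.get("dependencies", [])

    def count_missing(field: str) -> int:
        return sum(1 for c in comps if not c.get(field))

    # A component is "in the graph" if its bom-ref appears as a node.
    comp_refs = {c["bom-ref"] for c in comps if c.get("bom-ref")}
    graph_nodes = {d.get("ref") for d in deps}
    return {
        "components": len(comps),
        "missing_group": count_missing("group"),
        "missing_purl": count_missing("purl"),
        "missing_hashes": count_missing("hashes"),
        "missing_licenses": count_missing("licenses"),
        "has_dependency_graph": bool(deps),
        "in_dependency_graph": len(comp_refs & graph_nodes),
        "dependency_edges": sum(len(d.get("dependsOn", [])) for d in deps),
    }


def gaps(report: dict) -> list:
    """Human-readable list of what a downstream tool will not be able to do."""
    out = []
    if report["missing_group"]:
        out.append("GAV incomplete: %d component(s) without groupId, "
                   "vulnerability matching will be fuzzy" % report["missing_group"])
    if report["missing_hashes"]:
        out.append("no hashes on %d component(s): artifacts cannot be verified"
                   % report["missing_hashes"])
    if report["missing_licenses"]:
        out.append("no licence data on %d component(s)" % report["missing_licenses"])
    if not report["has_dependency_graph"]:
        out.append("no dependency graph: direct vs transitive is unknown")
    return out


if __name__ == "__main__":
    for label, bom in (("plugin", PLUGIN_BOM), ("scan", SCAN_BOM)):
        rep = completeness_report(bom)
        print(label, rep)
        for g in gaps(rep):
            print("  -", g)
```

Running it against a real BOM is a matter of replacing the inline string with `open(path).read()`; the interesting number is usually `in_dependency_graph` versus `components`, which tells you at a glance whether the producer saw the build or only the artifacts.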

@ThomGeG thanks for the answer)) What do you think about this idea https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/253 ?

2013kaa avatar Dec 24 '22 16:12 2013kaa