cyclonedx-gradle-plugin
Improve output directory of cyclonedxBom task
Hello,
I think the default value of the destination property in CycloneDxTask should be changed.
The problem is that many plugins and tasks (including Gradle core tasks) use subdirectories of the ${buildDir}/reports folder for their output.
If one runs the cyclonedxBom task and any other task which outputs a file into a subdirectory of ${buildDir}/reports (as done e.g. by the Dependency Analysis Plugin) at the same time, you get the following exception (with Gradle 8; with Gradle 7 it is only a warning):
./gradlew buildHealth cyclonedxBom
- Gradle detected a problem with the following location: '<path-to-root-project>/build/reports/dependency-analysis/build-health-report.txt'.
Reason: Task ':buildHealth' uses this output of task ':cyclonedxBom' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed.
Possible solutions:
1. Declare task ':cyclonedxBom' as an input of ':buildHealth'.
2. Declare an explicit dependency on ':cyclonedxBom' from ':buildHealth' using Task#dependsOn.
3. Declare an explicit dependency on ':cyclonedxBom' from ':buildHealth' using Task#mustRunAfter.
Please refer to https://docs.gradle.org/8.0/userguide/validation_problems.html#implicit_dependency for more details about this problem.
When I configure this plugin as follows, the error is gone:
tasks.named("cyclonedxBom") {
    destination = file("${buildDir}/reports/cyclonedx")
}
I think something like above might be a better convention value.
Or alternatively, the @OutputDirectory annotation could be removed at getDestination and instead two new getters (one for bom.xml and one for bom.json) with @OutputFile annotation could be added.
Any thoughts about this? Also see this discussion on Slack.
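A sketch of the second alternative described above, added here as an illustration and not taken from the plugin's source. HypotheticalBomTask, the xmlBom/jsonBom properties and the task name hypotheticalBom are assumptions made for this example; only the Gradle API types and annotations are real.

```groovy
// build.gradle (Groovy DSL). Added example: this is NOT the plugin's CycloneDxTask.
import org.gradle.api.DefaultTask
import org.gradle.api.file.RegularFileProperty
import org.gradle.api.tasks.OutputFile
import org.gradle.api.tasks.TaskAction

abstract class HypotheticalBomTask extends DefaultTask {

    // Declaring each file separately means Gradle records exactly these two
    // paths as outputs. With @OutputDirectory on build/reports, every file
    // below that directory would count as an output of this task.
    @OutputFile
    abstract RegularFileProperty getXmlBom()

    @OutputFile
    abstract RegularFileProperty getJsonBom()

    @TaskAction
    void generate() {
        // Placeholder content; a real task would serialize the BOM here.
        // Gradle creates the parent directory of an @OutputFile before the action runs.
        xmlBom.get().asFile.text = '<bom/>\n'
        jsonBom.get().asFile.text = '{}\n'
    }
}

tasks.register('hypotheticalBom', HypotheticalBomTask) {
    // Same file locations as today (build/reports/bom.*), but claimed file by file.
    xmlBom = layout.buildDirectory.file('reports/bom.xml')
    jsonBom = layout.buildDirectory.file('reports/bom.json')
}
```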
Second that. Took me quite a while to find the generated files (my IDE skips the build folder when searching).
So, for future generations: ./build/reports/bom.json