
Android project: The BOM does not conform to the CycloneDX BOM standard

Open slowcar opened this issue 1 year ago • 4 comments

We have an Android application with a top-level build.gradle and an app module, as Android Studio creates by default. In the top-level build.gradle I have added the classpath as a dependency and also this block:

apply plugin: "org.cyclonedx.bom"
version = "1.9.9.0"

cyclonedxBom {
    // skipConfigs is a list of configuration names to exclude when generating the BOM, regex is supported
    skipConfigs = ["debugCompileClasspath", "debugAndroidTestCompileClasspath", "debugUnitTestCompileClasspath", "releaseUnitTestCompileClasspath", "debugUnitTestRuntimeClasspath", "releaseUnitTestRuntimeClasspath"]
    projectType = "application"
    outputFormat = "json"
}

I can run this successfully with plugin version 1.6.1, but all later versions fail, including 1.8.2.

When executing ./gradlew cyclonedxBom from the terminal (Windows PowerShell), the plugin runs for 3s and fails with an exception:

Execution failed for task ':cyclonedxBom'. The BOM does not conform to the CycloneDX BOM standard

The generated bom.json looks correct and can be uploaded to Dependency-Track. If I do not set the outputFormat to json specifically, only an XML file is generated, also when I set it to 'all'. If I do not set the projectType to application, the output is 'library', and I have to specify the version despite that being set as versionName in the application build.gradle. If I do not specify the skipConfigs value, the build fails with different unmatched attributes errors.

As the build fails but generates the file correctly anyway (with my changed configuration), I can integrate it into our build pipeline by using Ruby error handling, but decided to create an issue anyway as the build should not fail.

slowcar avatar Jan 29 '24 10:01 slowcar

Same...

megboyzz avatar Feb 02 '24 14:02 megboyzz

Same issue.

I see in the stacktrace: "Caused by: org.cyclonedx.exception.ParseException: $.dependencies[0].ref: null ...." In the generated file, I indeed have:

"dependencies" : [
    {
      "ref" : null,

I think it is related to the root project. I have tried to skip it from the configuration: no success.

ecabestan avatar Mar 14 '24 12:03 ecabestan

Same issue.

The snippet of bom.json is as below.

"dependencies" : [
    {
      "ref" : null,
      "dependsOn" : [

And the error output is as below.

Execution failed for task ':cyclonedxBom'.
> The BOM does not conform to the CycloneDX BOM standard
$.dependencies[0].ref: null found, string expected

prncoprs avatar Mar 15 '24 15:03 prncoprs

I solved this issue on my computer. We have to specify the group ID and version in the Android project. We should add the following statements in the build.gradle.kts file.

group = "com.yourgroup"
version = "1.0.0"

prncoprs avatar Mar 17 '24 17:03 prncoprs
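A small checker, added here as an example (not the plugin's or the project's code), that reproduces the validator's complaint on a constructed bom.json shaped like the snippets in this thread and shows that filling in the root component's bom-ref, as setting group and version does, clears it. The purl values and the "app" component name are assumed.

```python
import json

# Constructed sample of the failing bom.json from the thread: the root project has
# no group/version set, so its bom-ref, and the dependency entry that refers to it, is null.
OKHTTP = "pkg:maven/com.squareup.okhttp3/okhttp@4.12.0?type=jar"  # assumed component purl
BROKEN_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "app", "bom-ref": None}},
    "components": [{"type": "library", "name": "okhttp", "version": "4.12.0", "bom-ref": OKHTTP}],
    "dependencies": [{"ref": None, "dependsOn": [OKHTTP]}, {"ref": OKHTTP, "dependsOn": []}],
})


def check_dependency_refs(bom_text):
    """Return JSON-path style findings for the dependency graph of a CycloneDX JSON BOM.

    Two checks: every 'ref' and 'dependsOn' entry must be a string (the schema error
    quoted in the thread), and it must resolve to a bom-ref declared on
    metadata.component or in components (a dangling edge would pass the schema check).
    """
    bom = json.loads(bom_text)
    declared = {bom.get("metadata", {}).get("component", {}).get("bom-ref")}
    declared.update(c.get("bom-ref") for c in bom.get("components", []))
    declared.discard(None)

    findings = []

    def check(path, value):
        if not isinstance(value, str):
            findings.append(f"{path}: {json.dumps(value)} found, string expected")
        elif value not in declared:
            findings.append(f"{path}: {value} does not match any declared bom-ref")

    for i, dep in enumerate(bom.get("dependencies", [])):
        check(f"$.dependencies[{i}].ref", dep.get("ref"))
        for j, target in enumerate(dep.get("dependsOn", [])):
            check(f"$.dependencies[{i}].dependsOn[{j}]", target)
    return findings


def with_root_ref(bom_text, root_ref):
    """Copy of the BOM with the root component identified, approximating what the
    plugin emits once group and version are set in build.gradle(.kts)."""
    bom = json.loads(bom_text)
    bom["metadata"]["component"]["bom-ref"] = root_ref
    for dep in bom.get("dependencies", []):
        if dep.get("ref") is None:
            dep["ref"] = root_ref
    return json.dumps(bom)
```

Running check_dependency_refs over the file the failing build still writes turns the generic "does not conform" message into the exact path and value, which is also a cheap gate before uploading a BOM to Dependency-Track.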