Discussion: Add machine-readable-context-info to Gradle dependencies (aka WHY) and add it to cyclonedx json/xml report
Is your feature request related to a problem? Please describe.
I am an Android software developer and I want to find out why certain dependencies are included.
The Gradle plugin org.cyclonedx.bom is a good tool to analyse the dependencies, but I found no way to document in the source code why a dependency exists.
Describe the solution you'd like
As a software architect and Scrum product owner I want to harvest the software libraries that my app uses (aka Gradle dependencies) and WHY these libs were added, so that I can evaluate the risks (attack surface), costs (in kilobytes) and benefits (the feature that makes it necessary to add the lib).
Currently, in Gradle build files (i.e. build.gradle) it is not common practice to document context info about a dependency (why/when). As far as I know there is currently no standard for doing this.
The Gradle plugin org.cyclonedx.bom could become a tool to harvest this additional info. The generated XML/JSON data file could then be processed to analyse risks/costs/benefits.
Example build.gradle

```groovy
dependencies {
    ...
    /** Barcode Scanner that allows to scan the member card.
     * @see Jira ticket MyProject-123
     * @since [3.1] [2024/08] */
    implementation 'com.budiyev.android:code-scanner:2.1.0'
}
```
My example uses Javadoc notation to add the context info (the feature that requires the dependency, when it was added, and where I can find more info).
Is there any other Gradle DSL element that can be used to host the context info?
What are your thoughts ?
See also
- Add support for properties #706
- Introduce a way to provide project description #472
Describe alternatives you've considered
No response
Additional context
No response
Contribution
- [x] I am willing to provide an implementation
- [x] I will wait until somebody else implements it
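As an added illustration of the harvesting idea described in the issue (example code written for this page, not part of the issue author's proposal and not code from the org.cyclonedx.bom plugin): a small Python script that reads a build.gradle, picks up the Javadoc-style block that immediately precedes a dependency line, and attaches the extracted context to the matching component as CycloneDX `properties` (the spec's generic name/value pairs on a component). The sample build file, the `example:*` property names and the `harvest` / `parse_javadoc` helpers are all invented here for illustration; mapping Gradle comments onto `properties` is this example's assumption, not an existing plugin feature.

```python
"""Harvest Javadoc-style dependency context from a build.gradle into
CycloneDX-style component dicts with `properties`.

Added example only: the property names below are hypothetical, not an
official CycloneDX taxonomy, and the plugin does not do this today.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed sample: one documented and one undocumented dependency.
SAMPLE_BUILD_GRADLE = """
dependencies {
    /** Barcode Scanner that allows to scan the member card.
     * @see Jira ticket MyProject-123
     * @since [3.1] [2024/08] */
    implementation 'com.budiyev.android:code-scanner:2.1.0'

    // a plain line comment is deliberately NOT treated as context
    testImplementation "junit:junit:4.13.2"
}
"""

# Matches `implementation 'g:a:v'` and Kotlin-style `implementation("g:a:v")`.
DEP_LINE = re.compile(r"^\s*(?P<conf>\w+)\s*\(?\s*['\"](?P<coords>[^'\"]+)['\"]")
TAG_LINE = re.compile(r"^@(?P<tag>\w+)\s*(?P<value>.*)$")

# Hypothetical property names chosen for this example.
PROPERTY_NAMES = {"description": "example:why", "see": "example:see", "since": "example:since"}


def parse_javadoc(lines: List[str]) -> Dict[str, str]:
    """Split a Javadoc body into free-text `description` plus @tag values."""
    info: Dict[str, str] = {}
    desc: List[str] = []
    for raw in lines:
        text = raw.strip().lstrip("*").strip()   # drop the leading " * "
        if not text:
            continue
        m = TAG_LINE.match(text)
        if m:
            info[m.group("tag")] = m.group("value").strip()
        else:
            desc.append(text)
    if desc:
        info["description"] = " ".join(desc)
    return info


def harvest(build_gradle: str) -> List[Dict]:
    """Return one component dict per dependency line; documented ones carry `properties`."""
    components: List[Dict] = []
    pending: Optional[List[str]] = None   # doc block waiting for its dependency line
    in_doc = False
    for line in build_gradle.splitlines():
        stripped = line.strip()
        if stripped.startswith("/**"):
            in_doc, pending = True, []
            stripped = stripped[3:]
        if in_doc:
            end = stripped.find("*/")
            if end >= 0:
                pending.append(stripped[:end])
                in_doc = False
            else:
                pending.append(stripped)
            continue
        m = DEP_LINE.match(line)
        if not m:
            # Unrelated code between the comment and a dependency: the comment
            # does not belong to a dependency, so forget it. Blank lines and
            # `//` comments are allowed in between.
            if stripped and not stripped.startswith("//"):
                pending = None
            continue
        parts = m.group("coords").split(":")
        group = parts[0]
        name = parts[1] if len(parts) > 1 else None
        version = parts[2] if len(parts) > 2 else None
        component: Dict = {"type": "library", "group": group, "name": name, "version": version}
        if name and version:
            component["purl"] = f"pkg:maven/{group}/{name}@{version}"
        if pending:
            info = parse_javadoc(pending)
            props = [{"name": "example:gradle:configuration", "value": m.group("conf")}]
            props += [{"name": PROPERTY_NAMES[k], "value": v} for k, v in info.items() if k in PROPERTY_NAMES]
            component["properties"] = props
        components.append(component)
        pending = None
    return components


def to_bom_json(components: List[Dict]) -> str:
    """Wrap the components in a minimal CycloneDX 1.5 JSON document."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}, indent=2)


if __name__ == "__main__":
    print(to_bom_json(harvest(SAMPLE_BUILD_GRADLE)))
```

The parser only honours `/** ... */` blocks that sit directly above a dependency declaration, so an ordinary `//` comment or a doc block separated from the dependency by other code is ignored rather than mis-attributed to the wrong library. Consumers of the BOM can then join the `example:why` / `example:since` values with the component coordinates to do the risk/cost/benefit review the issue asks for.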