
Dependencies in 'runtimeOnly' configuration not listed in build-info

Open jordantangy opened this issue 1 year ago • 0 comments

Describe the bug

When publishing a build containing the 'runtimeOnly' dependency configuration in the 'build.gradle' file, the dependency is not reflected in the build-info. Without listing these dependencies in the build info, we're missing the concept of SBOM (Software Bill of Materials), which is a comprehensive inventory of all third-party components within a codebase. The SBOM is a concept that provides a detailed inventory of all third-party components in a codebase. By tracking and managing dependencies, it ensures compliance and addresses security vulnerabilities. By not including 'runtimeOnly' dependencies in the build-info, we miss out on documenting these components, which compromises the integrity of the SBOM and limits the ability to fully understand and manage the software's external dependencies.

To Reproduce

  1. Include a dependency with 'runtimeOnly' dependency configuration in the build.gradle file.
  2. Build the project.
  3. Publish to Artifactory using the command ./gradlew artifactoryPublish
  4. See the build-info missing the dependency specified in the 'runtimeOnly' configuration.

Expected behavior

The expected behavior is that the build-info lists the dependencies specified in the 'runtimeOnly' configuration.

Screenshots


Versions

  • Extractor version: 5
  • Operating system: macOS
  • Artifactory Version: 7.92.1

Additional context None.

jordantangy Aug 06 '24 12:08
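As an added example (not from the issue author or from the plugin), a small audit script that compares the runtime graph Gradle resolves with the dependency ids recorded in a build-info JSON, so the runtimeOnly gap described above surfaces as a concrete list of missing coordinates. The build-info shape (modules[].dependencies[].id as group:name:version) and both sample inputs are constructed assumptions.

```python
import json
import re

# Constructed sample: output of `./gradlew dependencies --configuration runtimeClasspath`.
# The resolved runtime graph includes what build.gradle declared as runtimeOnly.
GRADLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.slf4j:slf4j-api:2.0.13
\\--- ch.qos.logback:logback-classic:1.5.6
     +--- ch.qos.logback:logback-core:1.5.6
     \\--- org.slf4j:slf4j-api:2.0.13 -> 2.0.13
"""

# Constructed sample build-info (shape assumed; not a real Artifactory export).
# The logback entries are deliberately absent, mirroring the gap the issue describes.
BUILD_INFO = json.dumps({
    "name": "demo", "number": "1",
    "modules": [{
        "id": "com.example:demo:1.0",
        "dependencies": [
            {"id": "org.slf4j:slf4j-api:2.0.13", "scopes": ["compileClasspath"]}
        ]
    }]
})

# Tree lines start with drawing characters (+--- , \--- , |    ), then group:name:version,
# optionally followed by "-> resolvedVersion" when Gradle upgraded the requested version.
DEP_RE = re.compile(r"^[\s|+\\-]+([^:\s]+):([^:\s]+):([^:\s]+)(?:\s*->\s*([^:\s]+))?")


def resolved_runtime_deps(tree_text: str) -> set[str]:
    """Collect group:name:version coordinates from a Gradle dependency tree dump."""
    deps = set()
    for line in tree_text.splitlines():
        m = DEP_RE.match(line)
        if m:
            group, name, version, resolved = m.groups()
            deps.add(f"{group}:{name}:{resolved or version}")
    return deps


def build_info_deps(build_info_json: str) -> set[str]:
    """Collect dependency ids across every module of a build-info document."""
    info = json.loads(build_info_json)
    return {d["id"] for m in info.get("modules", []) for d in m.get("dependencies", [])}


def missing_from_build_info(tree_text: str, build_info_json: str) -> set[str]:
    """Runtime dependencies Gradle resolved that the build-info (the SBOM) does not record."""
    return resolved_runtime_deps(tree_text) - build_info_deps(build_info_json)


if __name__ == "__main__":
    for coord in sorted(missing_from_build_info(GRADLE_TREE, BUILD_INFO)):
        print("missing from build-info:", coord)
```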