jk1
Implementation of configuration property `excludeBoms` is fragile
After troubleshooting the plugin behavior with excludeBoms set to true and several BOMs still being present in the report, I've noticed that the logic that determines whether current module is a BOM actually looks only at the module name:
https://github.com/jk1/Gradle-License-Report/blob/877442e3897bd6f5588e013435f1f4d6f75059b0/src/main/groovy/com/github/jk1/license/LicenseReportExtension.groovy#L98
This is very fragile and IMO not at all expected with the property being described as If set to true, then all boms will be excluded from the report in the readme.
BOMs that are not named as expected by the plugin are quite common, and the issue can be easily reproduced using something like this:
import org.springframework.boot.gradle.plugin.SpringBootPlugin
plugins {
id("java")
id("org.springframework.boot").version("3.0.2")
id("com.github.jk1.dependency-license-report").version("2.1")
}
java {
toolchain {
languageVersion = JavaLanguageVersion.of(17)
}
}
repositories {
mavenCentral()
}
dependencies {
implementation(enforcedPlatform(SpringBootPlugin.BOM_COORDINATES))
}
licenseReport {
excludeBoms = true
}
Running generateLicenseReport will generate a report with org.springframework.boot:spring-boot-dependencies present in the report.
Could you provide a proper implementation of this feature or at the very least clearly describe its limitations?
