Dear community,
We are currently in a situation where we need to integrate an old Gradle project with Dependency Track.
We utilize the following plugin: org.cyclonedx.bom, which we then invoke via a gradle wrapper: gradlew cyclonedxBom, in order to generate a bom.xml file that will be uploaded on Dependency Track.
This process has worked without issues for several other Gradle projects, but when followed here, it always generates an empty bom.xml file.
I am not sure if the project structure is the issue here, as the project also has several other subprojects.
The “parent” project has a parent_project.gradle file, while the subprojects have their own .gradle files as well. So, our current setup is as follows:

- Configuration inside parent_project.gradle:

    ...
    plugins {
        id "org.cyclonedx.bom" version "1.1.4"
    }
    apply plugin: 'org.cyclonedx.bom'
    ...

- Configuration inside subproject_a.gradle, subproject_b.gradle, subproject_c.gradle:

    ...
    apply plugin: 'org.cyclonedx.bom'
    ...

When the plugin is invoked, we get the following result, but all the generated boms are empty:
:cyclonedxBom
:subproject_a:cyclonedxBom
:subproject_b:cyclonedxBom
:subproject_c:cyclonedxBom
We also tried to manually specify the paths for the cyclonedx plugin, but instead of the actual dependencies, it lists the subprojects inside the bom.xml file.

    cyclonedxBom {
        includeConfigs = ["${rootDir}/parent_project/subproject_a/build/classes"]
        destination = file("build/reports")
        outputName = "bom"
        outputFormat = "xml"
    }

Finally, we have also used newer versions of the plugin without any luck.
Any help/guidance in the right direction would be much appreciated.
Thank you in advance
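
Added example, not part of the original post: a pre-upload check that catches both outcomes described above (an empty bom.xml, and a bom.xml that lists only the subprojects) before the file is sent to Dependency Track. The sample BOMs, the function names and the result labels are constructed for illustration.

```python
# Input is the build's own artifact; use defusedxml instead for untrusted XML.
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.1"
# Constructed sample BOMs (not output from the project in the post).
EMPTY_BOM = f'<bom xmlns="{NS}" version="1"><components/></bom>'
SUBPROJECT_BOM = (f'<bom xmlns="{NS}" version="1"><components>'
                  '<component type="library"><name>subproject_a</name>'
                  '<version>1.0</version></component></components></bom>')
GOOD_BOM = (f'<bom xmlns="{NS}" version="1"><components>'
            '<component type="library"><group>org.example</group>'
            '<name>example-lib</name><version>2.3.1</version></component>'
            '</components></bom>')


def _local(tag):
    """Strip the XML namespace so any CycloneDX schema version is accepted."""
    return tag.rsplit("}", 1)[-1]


def bom_components(bom_xml):
    """Return the names of the top-level components in a CycloneDX XML BOM."""
    root = ET.fromstring(bom_xml)
    if _local(root.tag) != "bom":
        raise ValueError("not a CycloneDX BOM")
    names = []
    for section in root:
        if _local(section.tag) != "components":
            continue
        for comp in section:
            for field in comp:
                if _local(field.tag) == "name":
                    names.append((field.text or "").strip())
    return names


def check_bom(bom_xml, subprojects=()):
    """Classify a BOM as 'empty', 'subprojects-only' or 'ok'."""
    names = bom_components(bom_xml)
    if not names:
        return "empty"          # nothing for Dependency Track to analyse
    if set(names) <= set(subprojects):
        return "subprojects-only"  # only sibling modules, no real dependencies
    return "ok"


if __name__ == "__main__":
    subs = ["subproject_a", "subproject_b", "subproject_c"]
    for label, bom in [("empty", EMPTY_BOM), ("subs", SUBPROJECT_BOM), ("good", GOOD_BOM)]:
        print(label, "->", check_bom(bom, subs))
```

Run as a CI step after gradlew cyclonedxBom, a result other than 'ok' should fail the build so that an empty BOM is not mistaken for a project with no vulnerable dependencies.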