My project is a pure Gradle project written in Java (the root project has multiple sub projects, and a few sub projects depend on a few other sub projects).
I applied the cyclonedxBom plugin to all the sub projects (I included this plugin in the build.gradle of each sub project) as shown below.
```groovy
// In the build.gradle of each sub project
plugins {
    id 'org.cyclonedx.bom' version "1.8.2"
}
```
When I execute the command `./gradlew cyclonedxBom`, I see that the SBOM files are generated (both XML and JSON) for all the sub projects.
However, I see a few errors on the console like the ones below, which mention multiple sub projects.
```
Unable to resolve POM for com.myproject.sub-project-1:24.1.0-SNAPSHOT
Could not resolve all files for configuration ':sub-project2:detachedConfiguration1'
```
After searching for a few hints on the web, I came across this git issue https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/321 which sounds similar to mine. I tried to use the plugin version 1.8.2 as mentioned in the git issue (I was using 1.8.1 earlier), but I still see these errors.
- I am curious to know why and how the Gradle plugin is looking for a POM file in a pure Gradle project.
- Is there any impact on the SBOM generation (whether all the dependencies are included properly in the output file or not)?
P.S: The plugin version 1.6.1 doesn't seem to be throwing any error, but the version 1.8.2 does.
Any pointers here are appreciated.
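
One way to test the second question directly against a generated `bom.json`, as an added example that is not part of the original post: it checks that each expected coordinate appears as a component and that every reference in the dependency graph has a matching component entry. The sample BOM, the coordinates and the `audit_bom` helper are constructed for illustration; the field names follow the CycloneDX JSON schema.

```python
import json

# Constructed sample BOM (not output from the poster's build). It assumes a flat
# components[] list and the CycloneDX fields bom-ref, dependencies[].ref/dependsOn.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {
      "bom-ref": "pkg:maven/com.myproject/sub-project2@24.1.0-SNAPSHOT",
      "group": "com.myproject", "name": "sub-project2", "version": "24.1.0-SNAPSHOT"}},
  "components": [
    {"bom-ref": "pkg:maven/com.google.guava/guava@33.0.0-jre",
     "group": "com.google.guava", "name": "guava", "version": "33.0.0-jre"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.myproject/sub-project2@24.1.0-SNAPSHOT",
     "dependsOn": ["pkg:maven/com.google.guava/guava@33.0.0-jre",
                   "pkg:maven/com.myproject/sub-project-1@24.1.0-SNAPSHOT"]},
    {"ref": "pkg:maven/com.google.guava/guava@33.0.0-jre", "dependsOn": []}
  ]
}
""")

def audit_bom(bom, expected):
    """Return (missing, dangling): expected (group, name, version) tuples absent
    from the BOM, and dependency-graph refs that have no component entry."""
    comps = list(bom.get("components", []))
    root = bom.get("metadata", {}).get("component")
    if root:
        comps.append(root)  # the described project itself counts as known
    coords = {(c.get("group", ""), c.get("name", ""), c.get("version", "")) for c in comps}
    known_refs = {c["bom-ref"] for c in comps if "bom-ref" in c}
    missing = sorted(e for e in expected if e not in coords)
    graph_refs = set()
    for dep in bom.get("dependencies", []):
        graph_refs.add(dep["ref"])
        graph_refs.update(dep.get("dependsOn", []))
    return missing, sorted(graph_refs - known_refs)

if __name__ == "__main__":
    # Coordinates to look for, e.g. those named in the "Unable to resolve POM" lines.
    expected = [("com.myproject", "sub-project-1", "24.1.0-SNAPSHOT"),
                ("com.google.guava", "guava", "33.0.0-jre")]
    missing, dangling = audit_bom(SAMPLE_BOM, expected)
    print("expected but absent from components:", missing)
    print("referenced in dependencies but not listed:", dangling)
```

To run it on a real build, load each sub project's generated JSON file with `json.load` in place of `SAMPLE_BOM`; empty results for both lists mean the named dependencies made it into the SBOM despite the console errors.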