My problem is the following: I'm trying to use the Gradle plugin at https://github.com/CycloneDX/cyclonedx-gradle-plugin to generate a BOM in the CycloneDX format. I will need it to push into Dependency-Track and analyze my dependencies. However, I'm stuck because, with the command ./gradlew app:cyclonedxBom, I obtain my bom.xml file, but it does not contain any information about the dependencies in my project.
I'm working on an Android project in Android Studio with the following build.gradle:
plugins {
    id 'com.android.application'
    id 'org.cyclonedx.bom' version '1.6.1'
}

cyclonedxBom {
    includeConfigs += ["compileClasspath"]
}

android {
    namespace 'com.example.demo_android_app'
    compileSdk 33

    defaultConfig {
        applicationId "com.example.demo_android_app"
        minSdk 24
        targetSdk 33
        versionCode 1
        versionName "1.0"

        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
    }

    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
        }
    }
    compileOptions {
        sourceCompatibility JavaVersion.VERSION_11
        targetCompatibility JavaVersion.VERSION_11
    }
    buildFeatures {
        viewBinding true
    }
}

dependencies {
    implementation 'androidx.appcompat:appcompat:1.4.1'
    implementation 'com.google.android.material:material:1.5.0'
    implementation 'androidx.constraintlayout:constraintlayout:2.1.3'
    implementation 'androidx.navigation:navigation-fragment:2.5.2'
    implementation 'androidx.navigation:navigation-ui:2.5.2'
    implementation 'org.arakhne.afc.core:maths:17.0'
    testImplementation 'junit:junit:4.13.2'
    androidTestImplementation 'androidx.test.ext:junit:1.1.3'
    androidTestImplementation 'androidx.test.espresso:espresso-core:3.4.0'
}
and I obtain the following BOM:
<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:9032eac7-fbf1-44cf-95fe-4f41f0da7f96" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
  <metadata>
    <timestamp>2023-05-24T14:21:16Z</timestamp>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-gradle-plugin</name>
        <version>1.6.1</version>
      </tool>
    </tools>
    <component type="library" bom-ref="pkg:maven/demo-android-app/app@unspecified">
      <group>demo-android-app</group>
      <name>app</name>
      <version>unspecified</version>
      <purl>pkg:maven/demo-android-app/app@unspecified</purl>
    </component>
  </metadata>
</bom>
As you can see, there is no information about the dependencies.
I've also tried changing my configuration for the plugin as the README in the plugin's repository says, but I have not found a solution that way either:
cyclonedxBom {
    // includeConfigs is the list of configuration names to include when generating the BOM (leave empty to include every configuration)
    includeConfigs = ["runtimeClasspath"]
    // skipConfigs is a list of configuration names to exclude when generating the BOM
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    // skipProjects is a list of project names to exclude when generating the BOM
    skipProjects = [rootProject.name, "yourTestSubProject"]
    // Specified the type of project being built. Defaults to 'library'
    projectType = "application"
    // Specified the version of the CycloneDX specification to use. Defaults to '1.4'
    schemaVersion = "1.4"
    // Boms destination directory. Defaults to 'build/reports'
    destination = file("build/reports")
    // The file name for the generated BOMs (before the file format suffix). Defaults to 'bom'
    outputName = "bom"
    // The file format generated, can be xml, json or all for generating both. Defaults to 'all'
    outputFormat = "json"
    // Exclude BOM Serial Number. Defaults to 'true'
    includeBomSerialNumber = false
    // Exclude License Text. Defaults to 'true'
    includeLicenseText = false
    // Override component version. Defaults to the project version
    componentVersion = "2.0.0"
}
I hope someone can help me.
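A BOM like the one shown above, with a `<metadata>` block but no `<components>` element, is accepted by Dependency-Track without error and then simply produces zero findings, so it is worth gating the upload on a content check. The following script is an added example, not part of the question or of the cyclonedx-gradle-plugin: it parses a CycloneDX 1.4 XML BOM, lists the dependency components with their purls, and reports a BOM that is unusable for analysis (no components, or a project component whose version is `unspecified`). Both sample BOMs embedded in it are constructed; the populated one reuses two coordinates from the `dependencies` block above purely to show what a non-empty `<components>` section looks like.

```python
"""Sanity-check a CycloneDX 1.4 XML BOM before uploading it to Dependency-Track.

Added example; not code from the question or from cyclonedx-gradle-plugin.
"""
import xml.etree.ElementTree as ET

# CycloneDX 1.4 namespace, as used in the BOM the plugin emitted.
NS = {"cdx": "http://cyclonedx.org/schema/bom/1.4"}

# Constructed sample 1: metadata only, the shape of the BOM in the question.
EMPTY_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
  <metadata>
    <component type="library" bom-ref="pkg:maven/demo-android-app/app@unspecified">
      <group>demo-android-app</group>
      <name>app</name>
      <version>unspecified</version>
    </component>
  </metadata>
</bom>
"""

# Constructed sample 2: a BOM whose <components> section is populated.
POPULATED_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
  <metadata>
    <component type="application" bom-ref="pkg:maven/demo-android-app/app@1.0">
      <group>demo-android-app</group><name>app</name><version>1.0</version>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:maven/androidx.appcompat/appcompat@1.4.1">
      <group>androidx.appcompat</group><name>appcompat</name><version>1.4.1</version>
      <purl>pkg:maven/androidx.appcompat/appcompat@1.4.1</purl>
    </component>
    <component type="library" bom-ref="pkg:maven/junit/junit@4.13.2">
      <group>junit</group><name>junit</name><version>4.13.2</version>
      <purl>pkg:maven/junit/junit@4.13.2</purl>
    </component>
  </components>
</bom>
"""


def bom_components(xml_text):
    """Return [(purl, version), ...] for every entry under <components>."""
    root = ET.fromstring(xml_text)
    out = []
    for comp in root.findall("./cdx:components/cdx:component", NS):
        purl = comp.findtext("cdx:purl", default="", namespaces=NS)
        version = comp.findtext("cdx:version", default="", namespaces=NS)
        out.append((purl, version))
    return out


def check_bom(xml_text):
    """Return {'ok', 'component_count', 'problems'}; 'ok' is False if the BOM is unusable."""
    root = ET.fromstring(xml_text)
    meta = root.find("./cdx:metadata/cdx:component", NS)
    meta_version = ""
    if meta is not None:
        meta_version = meta.findtext("cdx:version", default="", namespaces=NS)
    comps = bom_components(xml_text)
    problems = []
    if not comps:
        # Exactly the failure mode in the question: only the project itself is described.
        problems.append("no <components>: the BOM describes only the project itself")
    if meta_version in ("", "unspecified"):
        problems.append("project component version is '%s'; set project.version or componentVersion"
                        % meta_version)
    unversioned = [p for p, v in comps if not v]
    if unversioned:
        # Components without a version cannot be matched against vulnerability data.
        problems.append("%d components lack a version" % len(unversioned))
    return {"ok": not problems, "component_count": len(comps), "problems": problems}


if __name__ == "__main__":
    import json
    import sys
    # Default path assumes the plugin's default destination and outputName.
    path = sys.argv[1] if len(sys.argv) > 1 else "build/reports/bom.xml"
    with open(path, encoding="utf-8") as fh:
        result = check_bom(fh.read())
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Run it as `python check_bom.py build/reports/bom.xml` in a CI step before the upload to Dependency-Track; a non-zero exit stops an empty BOM from silently replacing a populated one on the server. On the configuration side, note that the Android Gradle Plugin names its resolvable configurations per variant (for example `releaseRuntimeClasspath` and `debugRuntimeClasspath`) rather than the plain `compileClasspath`/`runtimeClasspath` of a JVM module, which is why an `includeConfigs` list naming only the JVM names matches nothing in an Android `app` module.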