How to create a BOM file in a Flutter project


I'm trying to create a BOM file for the Android portion of a Flutter project for security scanning.

I added org.cyclonedx.bom (a Gradle plugin) to Gradle and I'm running the cyclonedxBom Gradle task, but I'm getting an error:


Execution failed for task ':app:cyclonedxBom'.
> Could not resolve all dependencies for configuration ':app:apiDependenciesMetadata'.
   > Could not resolve project :flutter_udid.
     Required by:
         project :app
      > The consumer was configured to find a usage of 'kotlin-metadata' of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'common'. However we cannot choose between the following variants of project :flutter_udid:
          - debugApiElements
          - profileApiElements
          - releaseApiElements
        All of them match the consumer attributes:
          - Variant 'debugApiElements' capability de.gigadroid.flutterudid:flutter_udid:1.0-SNAPSHOT declares an API of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
              - Unmatched attributes:
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it
          - Variant 'profileApiElements' capability de.gigadroid.flutterudid:flutter_udid:1.0-SNAPSHOT declares an API of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
              - Unmatched attributes:
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'profile' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'profile' but the consumer didn't ask for it
                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it
          - Variant 'releaseApiElements' capability de.gigadroid.flutterudid:flutter_udid:1.0-SNAPSHOT declares an API of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
              - Unmatched attributes:
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it

Dependencies in Gradle look like

    // buildscript classpath entries
    dependencies {
        classpath 'com.android.tools.build:gradle:4.2.0'
        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
        // Firebase
        classpath 'com.google.gms:google-services:4.3.15'
        classpath 'org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin:1.7.4'
    }

    // plugins applied in the app module
    apply plugin: 'com.android.application'
    apply plugin: 'kotlin-android'
    // Firebase
    apply plugin: 'com.google.gms.google-services'
    // BOM generation https://github.com/CycloneDX/cyclonedx-gradle-plugin
    apply plugin: 'org.cyclonedx.bom'
    apply from: "$flutterRoot/packages/flutter_tools/gradle/flutter.gradle"

How can I configure the project to generate a BOM for the release version?

1 answer
Albert On
import com.android.build.api.attributes.BuildTypeAttr
import org.jetbrains.kotlin.gradle.plugin.KotlinPlatformType

configurations {
    // Resolvable configuration for BOM generation, pinned to the release variant so
    // Gradle can choose between debug/profile/releaseApiElements of the plugin projects
    releaseBomMetadata {
        canBeConsumed = false
        canBeResolved = true
        extendsFrom(configurations.implementation, configurations.api)
        attributes {
            // Constrain the variant to Android (Kotlin androidJvm) and the release build type
            attribute(KotlinPlatformType.attribute, KotlinPlatformType.androidJvm)
            attribute(BuildTypeAttr.ATTRIBUTE, objects.named(BuildTypeAttr, 'release'))
        }
    }
}

Replace 'releaseBomMetadata' with the desired name for the configuration if you prefer a different name.

After making these changes, try running the cyclonedxBom Gradle task again, and it should generate a BOM for the release version without the previous error.
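A different route, added here as an example and not part of the answer above or of the CycloneDX project's own docs: rather than building a custom configuration, restrict which configurations the `cyclonedxBom` task resolves at all. cyclonedx-gradle-plugin 1.7.x exposes `includeConfigs` and `skipConfigs` lists on the task; limiting it to the Android release runtime classpath means it never resolves the Kotlin plugin's `apiDependenciesMetadata` configuration, whose request for platform type `common` is what could not be matched against the Flutter plugin project's debug/profile/release variants. The name `releaseRuntimeClasspath` is the one the Android Gradle plugin creates for a `release` build type with no product flavors (with flavors it becomes e.g. `prodReleaseRuntimeClasspath`); the output directory and file name below are assumptions, not values from the question.

```groovy
// Added example for the app module's build.gradle (assumed location), not code
// from the answer above. Assumes 'org.cyclonedx.bom' 1.7.x is already applied,
// as in the question, and a 'release' build type without product flavors.
cyclonedxBom {
    // Resolve only the release runtime classpath of the Android app. Left empty,
    // the task walks every resolvable configuration, including the Kotlin
    // plugin's *DependenciesMetadata ones, whose 'common' platform request is
    // ambiguous against a Flutter plugin project's debug/profile/release variants.
    includeConfigs = ["releaseRuntimeClasspath"]
    // Never resolve the Kotlin metadata configurations even if includeConfigs
    // is widened later (names as created by the Kotlin Gradle plugin).
    skipConfigs = ["apiDependenciesMetadata", "implementationDependenciesMetadata",
                   "compileOnlyDependenciesMetadata", "runtimeOnlyDependenciesMetadata"]
    projectType = "application"
    schemaVersion = "1.4"
    outputFormat = "json"
    outputName = "bom-release"              // assumed name -> build/reports/bom-release.json
    destination = file("$buildDir/reports") // assumed output directory
    // The serial number is a fresh UUID on every run; dropping it keeps the BOM
    // byte-for-byte reproducible so it can be diffed and signed in CI.
    includeBomSerialNumber = false
}
```

Run it with `./gradlew :app:cyclonedxBom` and point the scanner at `app/build/reports/bom-release.json`. Note the coverage limit: this BOM lists only what Gradle resolves for the Android module (AndroidX, Firebase, the Android side of each Flutter plugin). The Dart packages in `pubspec.lock` and any native or CocoaPods dependencies are outside this graph and need their own inventory if the scan is meant to cover the whole app.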