Description
Bug Description
I've set up my projects to actually produce multiple SBOMs via multiple CyclonedxDirectTask tasks. One such SBOM uses skipConfigs = ["runtimeClasspath"] so it includes all my other dependencies (e.g. test dependencies and plugins) for internal auditability/troubleshooting. Unfortunately after 3.2.0 my projects are now failing with the following:
Gradle detected a problem with the following location: 'C:\Users\thomgeg\AppData\Local\Temp\simple-project10509956200705016175\build\reports\cyclonedx\application\application-bom.json'.
Reason: Task ':cyclonedxBuildBom' uses this output of task ':cyclonedxDirectBom' without declaring an explicit or implicit dependency. This can lead to incorrect results being produced, depending on what order the tasks are executed.
The problem is that the SBOM produced by cyclonedxDirectBom is being fed into the new cyclonedxBom configuration that 3.0.0 introduced, which itself is something that gets SBOM-ed because I'm using skipConfigs.
I've worked around the issue by simply using skipConfigs = ["runtimeClasspath", "cyclonedxBom"] instead; however, it seems more ideal if the plugin were able to filter that configuration out itself?
Self-contained Reproducer Project
I can provide a detailed reproducer if needed; however, it should be a matter of registering your own CyclonedxDirectTask in addition to the existing cyclonedxDirectBom but using skipConfigs = ["runtimeClasspath"] with it.
Expected Behavior
The cyclonedxBom configuration isn't considered when using skipConfigs.
Gradle build scan URL (optional)
No response
OS
No response
Gradle version
No response
CycloneDX Plugin version
No response
Additional Context
No response
Contribution
- I am willing to provide a fix
- I will wait until somebody else fixes it
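The setup the report describes, written out as a Gradle Groovy DSL build script (an added example, not the reporter's own build or code from the CycloneDX project): the second CyclonedxDirectTask with only runtimeClasspath skipped is the form that trips Gradle's undeclared-dependency validation, and the form below it is the reporter's workaround that also skips the plugin's own cyclonedxBom configuration. The task name cyclonedxAllDepsBom and the import package are assumptions; CyclonedxDirectTask, skipConfigs and the configuration name cyclonedxBom come from the report.

```groovy
// Added example (not from the issue author or the CycloneDX project).
// Assumptions: the task class lives in org.cyclonedx.gradle, and the
// extra task is named cyclonedxAllDepsBom. Plugin id is the published
// CycloneDX Gradle plugin id; the version is the one named in the report.
import org.cyclonedx.gradle.CyclonedxDirectTask

plugins {
    id 'java'
    id 'org.cyclonedx.bom' version '3.2.0'
}

// The plugin's own cyclonedxDirectBom task is registered automatically and
// is left untouched; its JSON output feeds the plugin-created "cyclonedxBom"
// configuration, which is what the broader SBOM below ends up resolving.

// Failing form from the report: a second direct SBOM that skips only
// runtimeClasspath, so it still walks the plugin's "cyclonedxBom" configuration
// and Gradle reports that it consumes cyclonedxDirectBom's output without
// declaring a task dependency.
//
// tasks.register('cyclonedxAllDepsBom', CyclonedxDirectTask) {
//     skipConfigs = ['runtimeClasspath']
// }

// Workaround from the report: skip the plugin's own configuration as well, so
// the broader SBOM (test dependencies, plugin classpaths, etc.) no longer
// depends on another SBOM task's output.
tasks.register('cyclonedxAllDepsBom', CyclonedxDirectTask) {
    skipConfigs = ['runtimeClasspath', 'cyclonedxBom']
}
```

Running the build with both SBOM tasks (for example `gradle cyclonedxDirectBom cyclonedxAllDepsBom`) with the commented-out form active reproduces the validation error quoted in the report; with the workaround form it completes, which is the check to keep in place until the plugin filters its own configuration out of skipConfigs handling.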