Failing to retrieve licenses #92

Open
ollieSayer opened this issue Jun 16, 2021 · 2 comments

Comments

@ollieSayer

Hi,

I've been testing this plugin on a few different Gradle projects that I have locally, and it seems the plugin fails to find license information for a large number of the dependencies of each project. I have looked up a few of the components and can see the license information is on Maven (where the purl says it's from), but in the generated BOM the license information is empty, i.e. "licenses" : [ ],

An example would be com.google.guava/guava@28.1-jre which has its license information on mvn (https://mvnrepository.com/artifact/com.google.guava/guava/28.1-jre) but the plugin doesn't detect this.

To run the plugin I add the plugin block to the project's build.gradle and then run "./gradlew cyclonedxBom", not sure if I'm missing a vital step!

@ollieSayer
Author

Hi,

Would I be right in thinking this plugin makes use of the MVN repo's API to search for dependency information? Comparing the API's JSON response for a dependency that the CycloneDX Gradle plugin can get license information for with one that it can't, I can see that license info isn't returned all the time, i.e.

org.skyscreamer:jsonassert:1.5.0 https://search.maven.org/artifact/org.skyscreamer/jsonassert/1.5.0/jar - this has license information in its JSON return, and the CycloneDX plugin populates the license information in the SBOM.

com.google.guava:guava:28.2-jre https://search.maven.org/artifact/com.google.guava/guava/28.2-jre/bundle - this doesn't have license information in its JSON return, and the CycloneDX plugin doesn't populate the license information in the SBOM.

@stevespringett
Member

The plugin uses the Maven API; it does not use the Maven Central REST API. Therefore it only looks at pom.xml and walks up to parent POMs as they are resolved. This is similar to how the Maven plugin operates.
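To make the parent-POM walk described in this reply concrete, here is an added Python example (not the CycloneDX Gradle plugin's code, and not taken from the thread) that resolves a component's licenses the way Maven inheritance does: a POM that declares no <licenses> takes its parent's, and the walk stops at the first declaration it finds. The four POM documents are constructed in-memory fixtures under the invented groupId example.org, and resolve_licenses and component_entry are hypothetical helpers. The lib-orphan fixture shows the failure mode that produces an empty "licenses": [] entry: its parent POM is not available, so there is nothing for the walk to inherit. The same three-way check (own POM, parent chain, missing parent) is what you would run against a component's pom.xml in the local Maven repository when triaging an empty license entry in a generated BOM.

```python
"""Resolve Maven component licenses from pom.xml with parent-POM inheritance.

Added example for this issue thread; it is not the plugin's own code.
All POM documents below are constructed fixtures, not real Maven Central
artifacts, and resolve_licenses / component_entry are hypothetical helpers.
"""
import json
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}


def _pom(body: str) -> str:
    # Wrap a fragment in a minimal <project> element carrying the Maven namespace.
    return f'<project xmlns="{POM_NS}">{body}</project>'


# Constructed local "repository", keyed by groupId:artifactId:version.
POMS = {
    # Declares its license directly.
    "example.org:lib-with-license:1.0": _pom(
        "<groupId>example.org</groupId><artifactId>lib-with-license</artifactId><version>1.0</version>"
        "<licenses><license><name>Apache License, Version 2.0</name>"
        "<url>https://www.apache.org/licenses/LICENSE-2.0</url></license></licenses>"
    ),
    # Declares no license itself; the information lives in its parent POM.
    "example.org:lib-inherits:2.0": _pom(
        "<parent><groupId>example.org</groupId><artifactId>parent-pom</artifactId><version>3</version></parent>"
        "<artifactId>lib-inherits</artifactId><version>2.0</version>"
    ),
    "example.org:parent-pom:3": _pom(
        "<groupId>example.org</groupId><artifactId>parent-pom</artifactId><version>3</version>"
        "<packaging>pom</packaging>"
        "<licenses><license><name>MIT License</name><url>https://opensource.org/licenses/MIT</url></license></licenses>"
    ),
    # Parent POM is not present locally, so the walk ends with nothing.
    "example.org:lib-orphan:1.0": _pom(
        "<parent><groupId>example.org</groupId><artifactId>missing-parent</artifactId><version>9</version></parent>"
        "<artifactId>lib-orphan</artifactId><version>1.0</version>"
    ),
}


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parent_coords(root):
    """Return the parent's groupId:artifactId:version, or None when there is no <parent>."""
    parent = root.find("m:parent", NS)
    if parent is None:
        return None
    g, a, v = (_text(parent, f"m:{tag}") for tag in ("groupId", "artifactId", "version"))
    return f"{g}:{a}:{v}" if g and a and v else None


def declared_licenses(root):
    """Licenses declared on this POM only (no inheritance)."""
    return [
        {"name": _text(lic, "m:name"), "url": _text(lic, "m:url")}
        for lic in root.findall("m:licenses/m:license", NS)
    ]


def resolve_licenses(coords, poms, max_depth=20):
    """Walk the POM and its ancestors; return the first <licenses> block found.

    Returns [] when the chain ends without a declaration or a parent POM is
    unavailable, which is exactly what shows up as "licenses": [] in a BOM.
    The seen-set and depth cap guard against a malformed, cyclic parent chain.
    """
    seen = set()
    for _ in range(max_depth):
        if coords is None or coords in seen or coords not in poms:
            return []
        seen.add(coords)
        root = ET.fromstring(poms[coords])
        licenses = declared_licenses(root)
        if licenses:
            return licenses
        coords = parent_coords(root)
    return []


def component_entry(coords, poms):
    """Build a BOM-style component record with a purl and resolved licenses."""
    g, a, v = coords.split(":")
    return {"purl": f"pkg:maven/{g}/{a}@{v}", "licenses": resolve_licenses(coords, poms)}


if __name__ == "__main__":
    for c in POMS:
        print(json.dumps(component_entry(c, POMS), indent=2))
```

Running the block prints one record per fixture; lib-with-license and parent-pom carry their own declaration, lib-inherits picks up the MIT entry from its parent, and lib-orphan ends with an empty licenses list because its parent cannot be found.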
