Would I be right in thinking this plugin makes use of the MVN repo's API to search for dependency information? Comparing the API's JSON response for a dependency that the CycloneDX Gradle plugin can get license information for and one that it can't, I can see that license info isn't returned all the time, i.e.
The plugin uses the Maven API; it does not use the Maven Central REST API. Therefore it only looks at the pom.xml and walks up to parent poms as they are resolved. This is similar to how the Maven plugin operates.
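To make the pom-walking behaviour described in the reply concrete, here is an added example (not code from the CycloneDX Gradle plugin or from any commenter) that reads an artifact's pom.xml and, when it declares no `<licenses>` element, follows the `<parent>` chain until one does. The three POM documents and the `org.example` coordinates are constructed for illustration; the parent-with-licenses pattern is the common case where a child pom carries no license block of its own, and the `nolicense` artifact shows the chain that ends with nothing, which is what surfaces as an empty `"licenses" : [ ]` entry in a generated BOM.

```python
"""Added example: resolve a dependency's licenses by reading its pom.xml
and, if it declares no <licenses>, walking up the <parent> chain.
Not the CycloneDX Gradle plugin's code; POMs below are constructed."""
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed stand-in for a local repository: coordinates -> pom.xml text.
# The "lib" pom declares no <licenses> but names a parent that does,
# mirroring the common pattern where license metadata lives in a parent pom.
POM_REPO = {
    "org.example:lib:1.0": """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId>
    <artifactId>lib-parent</artifactId>
    <version>7</version>
  </parent>
  <artifactId>lib</artifactId>
  <version>1.0</version>
</project>""",
    "org.example:lib-parent:7": """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>lib-parent</artifactId>
  <version>7</version>
  <packaging>pom</packaging>
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
    </license>
  </licenses>
</project>""",
    # A pom whose whole parent chain (here: just itself) declares no license.
    # A walker must report an empty list for it.
    "org.example:nolicense:2.3": """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>nolicense</artifactId>
  <version>2.3</version>
</project>""",
}


def _text(elem, tag):
    """Stripped text of a namespaced child element, or None if absent."""
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else None


def parse_pom(xml_text):
    """Return (parent_coordinates_or_None, [(name, url), ...]) for one pom."""
    root = ET.fromstring(xml_text)
    parent = root.find(POM_NS + "parent")
    parent_coords = None
    if parent is not None:
        parent_coords = ":".join(
            _text(parent, t) or "" for t in ("groupId", "artifactId", "version"))
    licenses = [
        (_text(lic, "name"), _text(lic, "url"))
        for lic in root.findall(POM_NS + "licenses/" + POM_NS + "license")
    ]
    return parent_coords, licenses


def resolve_licenses(coords, repo=POM_REPO, max_depth=20):
    """Walk a pom and its parents until a <licenses> block is found.

    Maven treats <licenses> as an inherited element: a child that declares
    none takes its parent's list, and a child that declares its own replaces
    the parent's rather than merging. Returns (licenses, poms_visited).
    The depth cap guards against a cyclic or runaway parent chain.
    """
    visited = []
    while coords is not None and len(visited) < max_depth:
        if coords not in repo:
            # Parent pom is not available locally, so the walk stops empty.
            return [], visited + [coords + " (missing)"]
        visited.append(coords)
        parent_coords, licenses = parse_pom(repo[coords])
        if licenses:
            return licenses, visited
        coords = parent_coords
    return [], visited


if __name__ == "__main__":
    for c in ("org.example:lib:1.0", "org.example:nolicense:2.3"):
        print(c, "->", resolve_licenses(c))
```

Two outcomes of this walk produce an empty license list: no pom in the chain declares `<licenses>`, or a parent pom is not present in the repository being read. Checking which of the two applies to a given dependency (by inspecting the poms in the local cache rather than the repository's web page) is the first thing to do when a generated BOM shows `"licenses" : [ ]` for an artifact that appears licensed online.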
Hi,
I've been testing this plugin on a few different Gradle projects that I have locally and it seems the plugin fails to find license information for a large number of the dependencies of each project. I have looked up a few of the components and can see the license information is on Maven (where the purl says it's from), but in the generated bom the license information is empty, i.e. "licenses" : [ ],
An example would be com.google.guava/guava@28.1-jre which has its license information on mvn (https://mvnrepository.com/artifact/com.google.guava/guava/28.1-jre) but the plugin doesn't detect this.
To run the plugin I add the plugin block to the project's build.gradle and then run "./gradlew cyclonedxBom", not sure if I'm missing a vital step!