https://github.com/CycloneDX/cyclonedx-gradle-plugin/releases/tag/cyclonedx-gradle-plugin-2.4.0

Comment From: ThomasVitale

@mhalbritter The CycloneDX support in Spring Boot 3.5 breaks when upgrading the CycloneDX Gradle Plugin to version 2.4.0. That's probably related to a change to where and how SBOM files are generated in the new version of the plugin, resulting in the creation of two copies of the SBOM. Should this be considered a bug or a documentation issue about supported versions (considering the version of the CycloneDX Gradle Plugin is not controlled via Spring Boot dependency management like in Maven: https://docs.spring.io/spring-boot/how-to/build.html#howto.build.generate-cyclonedx-sbom and https://docs.spring.io/spring-boot/gradle-plugin/reacting.html#reacting-to-other-plugins.cyclonedx)?

> Task :processResources FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':processResources'.
> Entry META-INF/sbom/application.cdx.json is a duplicate but no duplicate handling strategy has been set. Please refer to https://docs.gradle.org/9.1.0/dsl/org.gradle.api.tasks.Copy.html#org.gradle.api.tasks.Copy:duplicatesStrategy for details.

Comment From: ThomasVitale

I'm aware there are some incompatibilities with Gradle 9, still. So I tried the same as above in a Gradle 8 project, and the build fails in the same way. Using Spring Boot 3.5.6, Gradle 8.14.3, and Java 21.

> Task :processResources FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':processResources'.
> Entry META-INF/sbom/application.cdx.json is a duplicate but no duplicate handling strategy has been set. Please refer to https://docs.gradle.org/8.14.3/dsl/org.gradle.api.tasks.Copy.html#org.gradle.api.tasks.Copy:duplicatesStrategy for details.

Comment From: mhalbritter

Thanks for trying. Does it also happen with Spring Boot 4.0.0-M3? We'd make that change in Boot 4.0.x only.

Comment From: ThomasVitale

Yes, it happens on both Spring Boot 3.5.6 and 4.0.0-M3.

Comment From: wilkinsona

This looks to be a bug in the new version of the CycloneDX Gradle Plugin:

plugins {
    id 'java'
    id 'org.cyclonedx.bom' version '2.4.0'
}

group = 'com.example'
version = '0.0.1-SNAPSHOT'

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter:3.5.6'
}

tasks.named("processResources") {
    from(tasks.named("cyclonedxBom")) {
        include("bom.json")
    }.into("META-INF/sbom")
}

The above will fail when running processResources:

$ ./gradlew jar
> Task :processResources FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':processResources'.
> Entry bom.json is a duplicate but no duplicate handling strategy has been set. Please refer to https://docs.gradle.org/8.14.3/dsl/org.gradle.api.tasks.Copy.html#org.gradle.api.tasks.Copy:duplicatesStrategy for details.

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.

BUILD FAILED in 572ms
3 actionable tasks: 1 executed, 2 up-to-date

It appears that the bom.json file is declared multiple times in the outputs of the cyclonedxBom task.

@ThomasVitale could you please report this to the plugin's maintainers?
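A check a practitioner can run on the built artifact, added here as an example and not code from this thread, Spring Boot, or the CycloneDX plugin: it opens a jar and verifies that META-INF/sbom/application.cdx.json (the path Boot's plugin uses, per the errors above) is present exactly once and parses as a CycloneDX document. The sample jar is constructed inline, and the function and constant names are this example's own.

```python
import io
import json
import warnings
import zipfile

SBOM_ENTRY = "META-INF/sbom/application.cdx.json"  # path from the build errors above


def check_embedded_sbom(jar_bytes: bytes, entry: str = SBOM_ENTRY) -> dict:
    """Report on the SBOM embedded in a jar.

    Zip archives can carry the same name twice, and tools disagree on which
    copy wins, so the entry must appear exactly once; it must also be JSON
    and carry the CycloneDX markers (bomFormat, specVersion).
    """
    report = {"copies": 0, "valid": False, "components": 0, "problems": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [info.filename for info in jar.infolist()]
        report["copies"] = names.count(entry)
        if report["copies"] == 0:
            report["problems"].append("sbom entry missing")
            return report
        if report["copies"] > 1:
            report["problems"].append(f"sbom entry appears {report['copies']} times")
        try:
            bom = json.loads(jar.read(entry))
        except ValueError as exc:
            report["problems"].append(f"sbom is not valid JSON: {exc}")
            return report
    if bom.get("bomFormat") != "CycloneDX":
        report["problems"].append("bomFormat is not CycloneDX")
    if not isinstance(bom.get("specVersion"), str):
        report["problems"].append("specVersion missing")
    report["components"] = len(bom.get("components", []))
    report["valid"] = not report["problems"]
    return report


def build_sample_jar(sbom_copies: int) -> bytes:
    """Constructed sample: a minimal jar holding N copies of a tiny CycloneDX SBOM."""
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "spring-boot-starter", "version": "3.5.6"}]}
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; we want them
        with zipfile.ZipFile(buf, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            for _ in range(sbom_copies):
                jar.writestr(SBOM_ENTRY, json.dumps(bom))
    return buf.getvalue()
```

Run it against build/libs/*.jar after `./gradlew jar` to confirm the SBOM was embedded once and is well-formed.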

Comment From: ThomasVitale

@wilkinsona thanks for the information. I can see the bug has been reported already: https://github.com/CycloneDX/cyclonedx-gradle-plugin/issues/686

Comment From: wilkinsona

Thanks, Thomas. I've commented on the existing issue with the simpler reproducer above that doesn't involve Boot's Gradle plugin.