我的问题如下...... 我尝试在这里使用 gradle 插件 https://github.com/CycloneDX/cyclonedx-gradle-plugin 来生成 cyclonedx 格式的 bom。我需要它来将其推入依赖项跟踪并分析我的依赖项。 然而我陷入了困境,因为通过命令 ./gradlew app:cyclonedxBom,我获得了 bom.xml 文件,但是这个文件没有提供有关我的项目中的依赖项的信息。
我正在 android studio 中使用以下 build.gradle 开发一个 android 项目:
plugins {
id 'com.android.application'
id 'org.cyclonedx.bom' version '1.6.1'
}
cyclonedxBom {
includeConfigs += ["compileClasspath"]
}
android {
namespace 'com.example.demo_android_app'
compileSdk 33
defaultConfig {
applicationId "com.example.demo_android_app"
minSdk 24
targetSdk 33
versionCode 1
versionName "1.0"
testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
}
buildTypes {
release {
minifyEnabled false
proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
}
}
compileOptions {
sourceCompatibility JavaVersion.VERSION_11
targetCompatibility JavaVersion.VERSION_11
}
buildFeatures {
viewBinding true
}
}
dependencies {
implementation 'androidx.appcompat:appcompat:1.4.1'
implementation 'com.google.android.material:material:1.5.0'
implementation 'androidx.constraintlayout:constraintlayout:2.1.3'
implementation 'androidx.navigation:navigation-fragment:2.5.2'
implementation 'androidx.navigation:navigation-ui:2.5.2'
implementation 'org.arakhne.afc.core:maths:17.0'
testImplementation 'junit:junit:4.13.2'
androidTestImplementation 'androidx.test.ext:junit:1.1.3'
androidTestImplementation 'androidx.test.espresso:espresso-core:3.4.0'
}
我获得了以下bom ...
<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:9032eac7-fbf1-44cf-95fe-4f41f0da7f96" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
<metadata>
<timestamp>2023-05-24T14:21:16Z</timestamp>
<tools>
<tool>
<vendor>CycloneDX</vendor>
<name>cyclonedx-gradle-plugin</name>
<version>1.6.1</version>
</tool>
</tools>
<component type="library" bom-ref="pkg:maven/demo-android-app/app@unspecified">
<group>demo-android-app</group>
<name>app</name>
<version>unspecified</version>
<purl>pkg:maven/demo-android-app/app@unspecified</purl>
</component>
</metadata>
</bom>
如您所见,没有有关依赖项的信息。
我也尝试按照插件仓库中的自述文件所述更改插件的配置,但无论如何我还没有找到解决方案。
cyclonedxBom {
// includeConfigs is the list of configuration names to include when generating the BOM (leave empty to include every configuration)
includeConfigs = ["runtimeClasspath"]
// skipConfigs is a list of configuration names to exclude when generating the BOM
skipConfigs = ["compileClasspath", "testCompileClasspath"]
// skipProjects is a list of project names to exclude when generating the BOM
skipProjects = [rootProject.name, "yourTestSubProject"]
// Specified the type of project being built. Defaults to 'library'
projectType = "application"
// Specified the version of the CycloneDX specification to use. Defaults to '1.4'
schemaVersion = "1.4"
// Boms destination directory. Defaults to 'build/reports'
destination = file("build/reports")
// The file name for the generated BOMs (before the file format suffix). Defaults to 'bom'
outputName = "bom"
// The file format generated, can be xml, json or all for generating both. Defaults to 'all'
outputFormat = "json"
// Exclude BOM Serial Number. Defaults to 'true'
includeBomSerialNumber = false
// Exclude License Text. Defaults to 'true'
includeLicenseText = false
// Override component version. Defaults to the project version
componentVersion = "2.0.0"
}
我希望有人能帮助我。