
Handling sub-components of the root component the same as all other components #1371

Merged: 1 commit merged into CycloneDX:master from fix/component_licenses on Sep 17, 2024

Conversation

malice00 (Contributor)

After adding the option to resolve Gradle modules from NPM packages and adding the new SBOM in Dependency-Track, I noticed the components didn't have licenses set. Checking the actual packages if they actually have licenses configured, I found that the licenses were removed on sub-components of the root component.

This PR fixes this issue and uses the same method(s) to convert the 'temporary' objects to their correct SBOM counterparts.

I just noticed this removes all code that fixed #479, but all tests are still running and my projects also work like before... If anybody has some Gradle projects they could run through it before we merge, that would be great!

prabhu (Contributor) commented Sep 11, 2024

@malice00 Could you create a test case for the problem you are facing? Maybe there is a better fix. The particular code you have changed could create more problems in the field, since it has quite a few hacks.

malice00 (Contributor, Author)

Maybe I could leave the fix in... The issue I am having is with the call to cleanParentComponent, which removes the license(s), repository and some other potentially useful info.
Might not be relevant if all modules are yours, but in my case, where they are actually other packages of which I need to know the license, this call removes everything.

A test using the fineract repo, which you pointed out to me for some tests a while back, seems to work fine with this PR though.

prabhu (Contributor) commented Sep 11, 2024

It's only removing component.license. If we set the fully constructed licenses (with s), it must get retained correctly. Can you check?

malice00 (Contributor, Author)

It does, that was my first solution. However, things like repository and homepage (aka the externalReferences) are also removed. I figured, since the spec says they are the same type of object as the other components, why not construct them in the same way? Same could actually be said for the root component...

The problem is, I currently can't reproduce #479, even with the same project that I had when I reported the issue. It might have been resolved by one of the other changes I made recently, where the names of the modules have been corrected.

I'll take another stab at it, I just got some ideas!
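The discussion above is about sub-components nested under the root component (`metadata.component.components`) silently losing their `licenses` and `externalReferences`. The following is an added example, not cdxgen's or CycloneDX's own code: a small audit that walks every component in a CycloneDX BOM, including nested sub-components, and reports which ones are missing those fields, so a regression of this kind shows up in a check rather than only when the SBOM lands in Dependency-Track. The BOM literal is constructed sample data; the function names `walkComponents` and `findIncompleteComponents` and the example package URLs are assumptions of this example.

```javascript
// Added example (not cdxgen's own code): walk every component in a CycloneDX
// BOM, including sub-components nested under metadata.component, and report
// the ones that lost licenses or externalReferences.
// The BOM below is constructed sample data shaped like a Gradle multi-module SBOM.

const sampleBom = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  metadata: {
    component: {
      type: "application",
      group: "com.example",
      name: "my-gradle-app",
      version: "1.0.0",
      "bom-ref": "pkg:maven/com.example/my-gradle-app@1.0.0",
      // Gradle sub-projects are modelled as sub-components of the root.
      components: [
        {
          type: "library",
          group: "com.example",
          name: "core",
          version: "1.0.0",
          "bom-ref": "pkg:maven/com.example/core@1.0.0",
          licenses: [{ license: { id: "Apache-2.0" } }],
          externalReferences: [{ type: "vcs", url: "https://example.invalid/core.git" }],
        },
        {
          // Constructed case: a cleanup step stripped licenses and
          // externalReferences from this sub-component.
          type: "library",
          group: "com.example",
          name: "api",
          version: "1.0.0",
          "bom-ref": "pkg:maven/com.example/api@1.0.0",
        },
      ],
    },
  },
  components: [
    {
      type: "library",
      group: "org.apache.commons",
      name: "commons-lang3",
      version: "3.14.0",
      "bom-ref": "pkg:maven/org.apache.commons/commons-lang3@3.14.0",
      licenses: [{ license: { id: "Apache-2.0" } }],
      externalReferences: [{ type: "vcs", url: "https://example.invalid/commons-lang.git" }],
    },
  ],
};

// Depth-first walk over metadata.component, the top-level components array,
// and every nested `components` array; yields each component with its JSON path.
function* walkComponents(bom) {
  const stack = [];
  if (bom.metadata && bom.metadata.component) {
    stack.push({ comp: bom.metadata.component, path: "metadata.component", isRoot: true });
  }
  (bom.components || []).forEach((c, i) =>
    stack.push({ comp: c, path: `components[${i}]`, isRoot: false }),
  );
  while (stack.length > 0) {
    const entry = stack.pop();
    yield entry;
    (entry.comp.components || []).forEach((child, i) =>
      stack.push({ comp: child, path: `${entry.path}.components[${i}]`, isRoot: false }),
    );
  }
}

// Returns one record per component that lacks the required fields. The root
// application component is skipped by default because it often legitimately
// carries no license; sub-components are always checked.
function findIncompleteComponents(
  bom,
  { requireLicenses = true, requireExternalReferences = false, includeRoot = false } = {},
) {
  const findings = [];
  for (const { comp, path, isRoot } of walkComponents(bom)) {
    if (isRoot && !includeRoot) continue;
    const missing = [];
    if (requireLicenses && !(Array.isArray(comp.licenses) && comp.licenses.length > 0)) {
      missing.push("licenses");
    }
    if (
      requireExternalReferences &&
      !(Array.isArray(comp.externalReferences) && comp.externalReferences.length > 0)
    ) {
      missing.push("externalReferences");
    }
    if (missing.length > 0) {
      findings.push({ ref: comp["bom-ref"] || comp.name, path, missing });
    }
  }
  return findings;
}

// Usage: prints the sub-component that lost its metadata, with its JSON path.
console.log(JSON.stringify(findIncompleteComponents(sampleBom, { requireExternalReferences: true }), null, 2));
```

Pointing this at a real `bom.json` (replace `sampleBom` with the parsed file) makes the loss described in this thread visible as a list of `bom-ref`s and paths; `includeRoot: true` extends the same check to the root component, which the last comment notes could be constructed the same way.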

malice00 force-pushed the fix/component_licenses branch 3 times, most recently from 164ea4e to 079fce3 on September 16, 2024 19:08
prabhu merged commit 15b3fdc into CycloneDX:master on Sep 17, 2024
20 of 21 checks passed
malice00 deleted the fix/component_licenses branch on September 17, 2024 08:08
Development

Successfully merging this pull request may close these issues.

Changes to 'createJarBom' break single-module Gradle project when running multi-language