[Gradle] Don't use full multi-threading, SBOMs can be completely wrong #1376
Conversation
… projects with lots of dependencies Signed-off-by: Roland Asmann <[email protected]>
malice00
force-pushed
the
fix/no_parallel
branch
from
811705f
to
a255781
Compare
|
I can imagine why this might be happening. Do you have an example for the mangled sbom and the sbom where the version number doesn't match? Is this issue reproducible on a fresh repo with the first build? |
|
It's not the SBOM that's mangled, it's Gradle's output. Although the generated SBOM then also has some weird issues (like duplicate 'GradleProfileName' entries. Anyway, I was testing this with Fineract (commit 02296305c) using cdxgen master (commit 34e13f1) vs this branch. For the mangled output, check 'master/multithread.out', eg from line 10605. |
When using the feature
GRADLE_MULTI_THREADEDon large projects, the output of the dependency-tree can be mangled and there is no guarantee the same SBOM is generated between multiple runs!To fix this, I added the parameter '--no-parallel' to the Gradle-command, which in my tests didn't show a significant difference in duration. The output SBOM however was consistent every time, although in one of the projects there is a difference with the non-multithreaded version in the versions of dependencies!
Unfortunately this is caused by Gradle itself -- manual inspection of the outputs of all commands shows, that Gradle is actually reporting different versions of dependencies for some modules in the project! I assume this is something similar to Maven: because there can only be 1 version of a JAR in the classpath, it gets corrected to specific version (by whatever kind of resolution). This would mean, that the current non-multithreaded version would actually be reporting false dependencies in some cases...