Gradle configurations not being merged, resulting bom is made by a single random configuration

[37IulianPopovici]

Hey 👋, I was testing the Gradle plugin and found that the plugin does not create an aggregate of all direct and transitive dependencies of a project. In this case, the resulting BOM reflects the dep tree of a random configuration (the last configuration that was looped). This applies also for the usage of --init-script

Different configurations are not merged together, the resulting BOM contains just the transitives of a single random configuration.

How to replicate:

1. Clone locally this boilerplate

2. Run cd lib

3. Look at bom.json, the "pkg:maven/org.apache.kafka/[email protected]?type=jar" has no "dependsOn" at this moment:
   

4. Run gradle clean

5. Run gradle cyclonedxBom -info

6. The output of bom.json might have changed, including the transitives for the "pkg:maven/org.apache.kafka/[email protected]?type=jar", if not, repeat Step 5 and 6
   

Expecting result:
The gradle cyclonedxBom should produce the same output every time, an output that would merge all the dep trees resolved by all configurations (Ran gradle dependencies -q to get all the configs and their trees)

I am also looking to solve this issue, if you have any tips or idea that might help me, please let me know.

Gradle Version 7.6.3
Java Version 17.0.9

[skhokhlov]

I think we have 2 sources of this issue that together are leading to this bug:

1. Gradle provides dependencies in a random order each time
2. CycloneDX plugins is trying to avoid cycles in dependency graph and visiting dependencies only once for each configuration

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.