set bom output

NovatecConsulting · Nov 26, 2024 · 029b391 · 029b391
1 parent 44e3b43
commit 029b391
Showing 1 changed file with 20 additions and 17 deletions.
diff --git a/build.gradle b/build.gradle
@@ -4,15 +4,15 @@ plugins {
     id 'org.springframework.boot' version "${springBootVersion}"
     id 'java'
     id 'idea'
-    id "org.cyclonedx.bom" version "1.10.0"
-    id "org.owasp.dependencycheck" version "11.1.0"
-    id "com.github.ben-manes.versions" version "0.51.0"
+    id "org.cyclonedx.bom" version "1.7.4"
+    id "org.owasp.dependencycheck" version "8.4.0"
+    id "com.github.ben-manes.versions" version "0.49.0"
 }
 
 apply plugin: 'io.spring.dependency-management'
 
 group = 'de.novatec'
-version = '2.3'
+version = '2.2'
 
 java {
     sourceCompatibility = '17'
@@ -22,30 +22,35 @@ repositories {
     mavenCentral()
 }
 
-test {
-    useJUnitPlatform()
-}
 
 // We only use snakeyaml transitively, but we want to force the
 // current version due to existing CVEs.
 // According to https://github.com/spring-projects/spring-boot/issues/34405
 // this is a safe
-ext['snakeyaml.version'] = '2.3'
+ext['snakeyaml.version'] = '2.0'
 
 dependencies {
-    annotationProcessor("org.projectlombok:lombok:${lombokVersion}")
-    compileOnly("org.projectlombok:lombok:${lombokVersion}")
+    annotationProcessor(
+            "org.projectlombok:lombok"
+    )
+
+    compileOnly(
+            "org.projectlombok:lombok"
+    )
 
     implementation(
             'org.springframework.boot:spring-boot-starter-web',
             'org.springframework.boot:spring-boot-starter-actuator',
             'org.springframework.boot:spring-boot-starter-validation',
 
-            "org.apache.commons:commons-text:${commonsTextVersion}",
+            'org.apache.commons:commons-text:1.10.0',
+            // If indluxdb-java is updated, check new version of the transitive dependency okio-jvm
+            // If there is a higher new version, remove the dependency override of okio-jvm
             "org.influxdb:influxdb-java:${influxdbJavaVersion}",
-    )
+            // Override transitive dependency with newer version, due to security concerns
+            "com.squareup.okio:okio-jvm:${okioJvmVersion}",
 
-    testImplementation("org.springframework.boot:spring-boot-starter-test")
+    )
 }
 
 dependencyCheck {
@@ -56,10 +61,6 @@ dependencyCheck {
             enabled = true
         }
     }
-    nvd {
-        apiKey = System.getenv("NVD_API_TOKEN")
-        delay = 10000
-    }
 }
 
 def isNonStable = { String candidate ->
@@ -115,6 +116,8 @@ tasks.withType(DependencyUpdatesTask).configureEach {
 cyclonedxBom {
     includeConfigs = ["runtimeClasspath"]
     schemaVersion = "1.4"
+    outputName = "bom"
+    outputFormat = "all"
 }
 
 tasks.register("packageBoms", Zip) {