Merge pull request #1345 from IETS3/feature/sbom-runtime-configs

arimer · web-flow · commit 2154388207a4 · 2025-06-03T17:19:13.000+02:00
sbom: include only runtime configs
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project are documented in this file.
 Format of the log is _loosely_ based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 The project does _not_ follow Semantic Versioning and the changes are documented in reverse chronological order, grouped by calendar month.
 
+## June 2025
+
+### Changed
+
+- Published SBOM contains dependencies only from runtime configurations
+
 ## May 2025
 
 ### Changed
diff --git a/build.gradle b/build.gradle
@@ -584,4 +584,8 @@ cyclonedxBom {
     outputFormat = "json"
     // Don't include license texts in generated SBOMs
     includeLicenseText = false
+    // Include runtime only deps (bundled libs, language libs, mps)
+    def runtimeConfigs = bundledDeps.collect {it.configName }
+    runtimeConfigs.addAll([configurations.mps.name, configurations.languageLibs.name])
+    includeConfigs = runtimeConfigs
 }

Original file line number	Diff line number	Diff line change
`@@ -584,4 +584,8 @@ cyclonedxBom {`
`584`	`584`	`outputFormat = "json"`
`585`	`585`	`// Don't include license texts in generated SBOMs`
`586`	`586`	`includeLicenseText = false`
	`587`	`+ // Include runtime only deps (bundled libs, language libs, mps)`
	`588`	`+ def runtimeConfigs = bundledDeps.collect {it.configName }`
	`589`	`+ runtimeConfigs.addAll([configurations.mps.name, configurations.languageLibs.name])`
	`590`	`+ includeConfigs = runtimeConfigs`
`587`	`591`	`}`