3.0.1

Bug Fixes

• Fix ZipException when extracting POM #596

Full Changelog

• build(deps): bump org.cyclonedx.bom from 2.4.1 to 3.0.0 by @dependabot[bot] in #704
• fix: read pom files directly by @lorenzbaier in #701
• build: prepare version 3.0.1 by @skhokhlov in #705

New Contributors

• @lorenzbaier made their first contribution in #701

Full Changelog: cyclonedx-gradle-plugin-3.0.0...cyclonedx-gradle-plugin-3.0.1

3.0.0

This release introduces important breaking changes to the CycloneDX Gradle Plugin configuration and behavior.
These changes bring the plugin in line with Gradle’s direction, ensuring full compatibility with Gradle 9
while improving correctness and concurrency. Each subproject is now evaluated, configured, and resolved
independently, removing prior conflicts with Gradle’s parallel execution model.

Breaking Changes

• A new task cyclonedxDirectBom has been added to generate a BOM for a single project. The existing cyclonedxBom task now acts as an aggregator, combining BOMs from all subprojects into one
• Configuration properties that were deprecated in 2.4.0 removed now: destination, outputName, and outputFormat, gitVCS. Removed support for String input for schemaVersion and projectType
• Properties skipConfigs, includeConfigs, includeMetadataResolution were removed from cyclonedxBom task. They moved to cyclonedxDirectBom and should be configued for each project explicitly
• Setters and getters were removed from tasks. Now configuration properties should be accessed directly
• Default output locations changed from ./build/reports/bom.{xml,json} to build/reports/cyclonedx-direct/bom.{xml,json} for cyclonedxDirectBom, and to build/reports/cyclonedx/bom.{xml,json} for cyclonedxBom
• Removed clojure based configuration of organizationalEntity and licenseChoice, they must be configured with direct object assignment
• Fully qualified name for tasks changed. Task class org.cyclonedx.gradle.CycloneDxTask removed. Added org.cyclonedx.gradle.CyclonedxAggregateTask, org.cyclonedx.gradle.CyclonedxDirectTask, both extend org.cyclonedx.gradle.BaseCyclonedxTask

New Featues

• Collect sbom per project, add cyclonedxAggregateBom task by @skhokhlov in #661

Bug Fixes

• Skip repositories without url in distributionManagement by @xvik in #673
• Stop adding self references and dependency constraints as direct dependencies by @tjog in #670

Full Changelog

• refactor: use Logging#getLogger for logs by @skhokhlov in #664
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #662
• refactor: migrate to jspecify annotations by @skhokhlov in #665
• build(deps): bump com.uber.nullaway:nullaway from 0.12.8 to 0.12.9 by @dependabot[bot] in #666
• build: prepare version 3.0.0-alpha-0 by @skhokhlov in #668
• test: run tests with java 8 and 11 by @skhokhlov in #672
• build(deps): bump actions/setup-java from 4.7.1 to 5.0.0 by @dependabot[bot] in #671
• Skip repositories without url in distributionManagement by @xvik in #673
• refactor: use Gradle's JavaVersion class by @skhokhlov in #674
• Stop adding self references and dependency constraints as direct dependencies by @tjog in #670
• Remove extension by @skhokhlov in #675
• build: prepare version 3.0.0-alpha-1 by @skhokhlov in #676
• chore: migrate issue templates to forms by @skhokhlov in #680
• build(deps): bump gradle/actions from 4.4.2 to 4.4.3 by @dependabot[bot] in #678
• build(deps): bump org.cyclonedx.bom from 2.3.1 to 2.4.0 by @dependabot[bot] in #684
• build(deps): bump com.uber.nullaway:nullaway from 0.12.9 to 0.12.10 by @dependabot[bot] in #685
• build(deps): bump com.gradle.plugin-publish from 1.3.1 to 2.0.0 by @dependabot[bot] in #677
• build: upgrade gradle to 9.1.0 by @skhokhlov in #687
• Java 25 by @skhokhlov in #688
• build(deps): bump org.cyclonedx.bom from 2.4.0 to 2.4.1 by @dependabot[bot] in #693
• build: use jdk 21 as default by @skhokhlov in #695
• fix: register direct bom task once by @skhokhlov in #694
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 10.2.1 to 11.0.0 by @dependabot[bot] in #698
• build(deps): bump gradle/actions from 4.4.3 to 4.4.4 by @dependabot[bot] in #697
• build: prepare version 3.0.0-alpha-2 by @skhokhlov in #699
• build(deps): bump com.diffplug.spotless from 7.2.1 to 8.0.0 by @dependabot[bot] in #696

New Contributors

• @xvik made their first contribution in #673
• @tjog made their first contribution in #670

Full Changelog: cyclonedx-gradle-plugin-2.4.1...cyclonedx-gradle-plugin-3.0.0

CycloneDX Gradle Plugin Migration Guide: 2.4.1 → 3.0.0

This guide covers the breaking changes and migration steps required when upgrading from CycloneDX Gradle Plugin version 2.4.1 to 3.0.0.

Task Behavior and Naming Changes

Version 2.4.1: Single Task Model

# Single task for all scenarios
gradle cyclonedxBom

Version 3.0.0: Dual Task Model

# Generate per-project SBOMs (individual projects)
gradle cyclonedxDirectBom

# Generate aggregated SBOM (multi-project builds)
gradle cyclonedxBom

Task Behavior Changes

Aspect	Version 2.4.1	Version 3.0.0
Per-project SBOMs	Single task handled both	cyclonedxDirectBom task
Multi-project aggregation	Single task handled both	cyclonedxBom task
Output location	./build/reports/bom.{xml,json}	Direct: build/reports/cyclonedx-direct/bom.{xml,json} Aggregate: build/reports/cyclonedx/bom.{xml,json}
Task types	Single task class	CyclonedxDirectTask and CyclonedxAggregateTask

Configuration Method Changes

❌ Version 2.4.1: Single task configuration

// OLD - No longer supported
tasks.cyclonedxBom {
    setIncludeConfigs(["runtimeClasspath"])
    setDestination(file("build/reports"))
    setOutputName("bom")
    setOutputFormat("json")
}

✅ Version 3.0.0: Project-scoped task configuration

// NEW
tasks.cyclonedxDirectBom {
    includeConfigs = ["runtimeClasspath"]
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}
tasks.cyclonedxBom {
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

Plugin Application Recommendations

Version 2.4.1: Multiple Application Strategies

// Applied to individual projects OR used in init scripts
plugins {
    id 'org.cyclonedx.bom' version '2.4.1'
}

Version 3.0.0: Root Project Application

// ROOT PROJECT build.gradle - RECOMMENDED
plugins {
    id 'org.cyclonedx.bom' version '3.0.0'
}

cyclonedxBom {
    // Configuration applies to both direct and aggregate tasks
}

Output Configuration Changes

Version 2.4.1: Combined Output Properties (deprecated since 2.4.0)

cyclonedxBom {
    destination = file("build/reports")          // Directory
    outputName = "bom"                           // Base filename
    outputFormat = "json"                        // Format: xml, json, all
}

Version 3.0.0: Explicit File Properties

tasks.cyclonedxBom {
    // Explicit file paths for each format
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

// Or disable specific formats
tasks.withType<CyclonedxDirectTask> {
    xmlOutput.unsetConvention()  // Generate JSON only
}

Migration Example

// OLD (2.4.1)
cyclonedxBom {
    destination = file("build/custom")
    outputName = "my-sbom"
    outputFormat = "json"
}

// NEW (3.0.0)
tasks.cyclonedxBom {
    jsonOutput = file("build/custom/my-sbom.json")
    // xmlOutput omitted = only JSON generated
}

Schema Version Configuration Changes

Version 2.4.1: String-Based (deprecated since 2.4.0)

cyclonedxBom {
    schemaVersion = "1.6"
}

Version 3.0.0: Enum-Based

import org.cyclonedx.model.schema.SchemaVersion

tasks.cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}
tasks.cyclonedxDirectBom {
    schemaVersion = SchemaVersion.VERSION_16
}

Organizational Entity Configuration

Version 2.4.1: Closure-Based Configuration (deprecated since 2.4.0)

cyclonedxBom {
    // Closure-based approach
    organizationalEntity { oe ->
        oe.name = 'Test Co...

cyclonedx-gradle-plugin-3.0.0-alpha-2

What's Changed

• chore: migrate issue templates to forms by @skhokhlov in #680
• build(deps): bump gradle/actions from 4.4.2 to 4.4.3 by @dependabot[bot] in #678
• build(deps): bump org.cyclonedx.bom from 2.3.1 to 2.4.0 by @dependabot[bot] in #684
• build(deps): bump com.uber.nullaway:nullaway from 0.12.9 to 0.12.10 by @dependabot[bot] in #685
• build(deps): bump com.gradle.plugin-publish from 1.3.1 to 2.0.0 by @dependabot[bot] in #677
• build: upgrade gradle to 9.1.0 by @skhokhlov in #687
• Java 25 by @skhokhlov in #688
• build(deps): bump org.cyclonedx.bom from 2.4.0 to 2.4.1 by @dependabot[bot] in #693
• build: use jdk 21 as default by @skhokhlov in #695
• fix: register direct bom task once by @skhokhlov in #694
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 10.2.1 to 11.0.0 by @dependabot[bot] in #698
• build(deps): bump gradle/actions from 4.4.3 to 4.4.4 by @dependabot[bot] in #697
• build: prepare version 3.0.0-alpha-2 by @skhokhlov in #699

Full Changelog: cyclonedx-gradle-plugin-3.0.0-alpha-1...cyclonedx-gradle-plugin-3.0.0-alpha-2

CycloneDX Gradle Plugin Migration Guide: 2.4.1 → 3.0.0-alpha-2

This guide covers the breaking changes and migration steps required when upgrading from CycloneDX Gradle Plugin version 2.4.1 to 3.0.0-alpha-2.

Important

There are breaking changes since 3.0.0-alpha-0. This guide does not cover it.

Task Behavior and Naming Changes

Version 2.4.1: Single Task Model

# Single task for all scenarios
gradle cyclonedxBom

Version 3.0.0: Dual Task Model

# Generate per-project SBOMs (individual projects)
gradle cyclonedxDirectBom

# Generate aggregated SBOM (multi-project builds)
gradle cyclonedxBom

Task Behavior Changes

Aspect	Version 2.4.1	Version 3.0.0
Per-project SBOMs	Single task handled both	cyclonedxDirectBom task
Multi-project aggregation	Single task handled both	cyclonedxBom task (when plugin applied to root)
Output location	./build/reports/bom.{xml,json}	Direct: build/reports/cyclonedx-direct/bom.{xml,json} Aggregate: build/reports/cyclonedx/bom.{xml,json}
Task types	Single task class	CyclonedxDirectTask and CyclonedxAggregateTask

Configuration Method Changes

❌ Version 2.4.1: Single task configuration

// OLD - No longer supported
tasks.cyclonedxBom {
    setIncludeConfigs(["runtimeClasspath"])
    setDestination(file("build/reports"))
    setOutputName("bom")
    setOutputFormat("json")
}

✅ Version 3.0.0: Project-scoped task configuration

// NEW
tasks.cyclonedxDirectBom {
    includeConfigs = ["runtimeClasspath"]
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}
tasks.cyclonedxBom {
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

Plugin Application Recommendations

Version 2.4.1: Multiple Application Strategies

// Applied to individual projects OR used init scripts
plugins {
    id 'org.cyclonedx.bom' version '2.4.1'
}

Version 3.0.0: Root Project Application

// ROOT PROJECT build.gradle - RECOMMENDED
plugins {
    id 'org.cyclonedx.bom' version '3.0.0'
}

cyclonedxBom {
    // Configuration applies to both direct and aggregate tasks
}

Output Configuration Changes

Version 2.4.1: Combined Output Properties (deprecated since 2.4.0)

cyclonedxBom {
    destination = file("build/reports")          // Directory
    outputName = "bom"                           // Base filename
    outputFormat = "json"                        // Format: xml, json, all
}

Version 3.0.0: Explicit File Properties

tasks.cyclonedxBom {
    // Explicit file paths for each format
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

// Or disable specific formats
tasks.withType<CyclonedxDirectTask> {
    xmlOutput.unsetConvention()  // Generate JSON only
}

Migration Example

// OLD (2.4.1)
cyclonedxBom {
    destination = file("build/custom")
    outputName = "my-sbom"
    outputFormat = "json"
}

// NEW (3.0.0)
tasks.cyclonedxBom {
    jsonOutput = file("build/custom/my-sbom.json")
    // xmlOutput omitted = only JSON generated
}

Schema Version Configuration Changes

Version 2.4.1: String-Based (deprecated since 2.4.0)

cyclonedxBom {
    schemaVersion = "1.6"
}

Version 3.0.0: Enum-Based

import org.cyclonedx.model.schema.SchemaVersion

tasks.cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}
tasks.cyclonedxDirectBom {
    schemaVersion = SchemaVersion.VERSION_16
}

Organizational Entity Configuration

Version 2.4.1: Closure-Based Configuration (deprecated since 2.4.0)

cyclonedxBom {
    // Closure-based approach
    organizationalEntity { oe ->
        oe.name = 'Test Company'
        oe.url = ['www.test1.com', 'www.test2.com']
        oe.addContact(organizationalContact)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Direct object assignment
    organizationalEntity = OrganizationalEntity().apply {
        name = "ACME Corporation"
        urls = listOf("https://www.acme.com", "https://security.acme.com")
        addContact(OrganizationalContact().apply {
            name = "Security Team"
            email = "[email protected]"
            phone = "+1-555-SECURITY"
        })
    }
}

License Choice Configuration

Version 2.4.1: Closure-Based Configuration (deprecated since 2.4.0)

cyclonedxBom {
    // Closure-based approach
    licenseChoice { lc ->
        License license = new License()
        license.setName("Apache-2.0")
        license.setUrl("https://www.apache.org/licenses/LICENSE-2.0.txt")
        lc.addLicense(license)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Direct object assignment
    licenseChoice = LicenseChoice().apply {
        addLicense(License().apply {
            name = "Apache-2.0"
            url = "https://www.apache.org/licenses/LICENSE-2.0.txt"
        })
    }
}

External References Configuration

Version 2.4.1: VCS Git Configuration (deprecated since 2.4.0)

cyclonedxBom {
    // VCS-specific configuration
    setVCSGit { vcs ->
        vcs.url = "https://github.com/example/repo.git"
        vcs.comment = "Source repository"
    }
}

Version 3.0.0: Generic External References

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Generic external references
    externalReferences = listOf(
        ExternalReference().apply {
            url = "https://github.com/example/repo.git"
            type = ExternalReference.Type.VCS
        },
        ExternalReference().apply {
            url = "https://example.com/docs"
            type = ExternalReference.Type.DOCUMENTATION
        }
    )
}

Multi-Project Setup Changes

# Generate per-project SBOMs for all projects
./gradlew cyclonedxDirectBom

# Generate single aggregated SBOM
./gradlew cyclonedxBom

Breaking Changes Summary

🚨 Critical Breaking Changes

1. Task configuration syntax changes
2. Output property names changed - destination/outputName/outputFormat (deprecated since 2.4.0) → jsonOutput/xmlOutput
3. Metadata configuration syntax changed - Closures (deprecated since 2.4.0) → Object assignment

⚠️ Behavioral Changes

1. New task structure - Two tasks instead of one
2. Different default output locations
3. Plugin should be applied to root project for aggregation

Step-by-Step Migration Process

1. Update Plugin Version

plugins {
    id("org.cyclonedx.bom") version "3.0.0"
}

2. Update Output Configuration

// OLD
cyclonedxBom {
    destination = file("build/reports")
    outputName = "sbom"
    outputFormat = "json"
}

// NEW
tasks.cyclonedxBom {
    jsonOutput = file("build/reports/sbom.json")
    xmlOutput.unsetConvention()
}

3. Update Schema Version

import org.cyclonedx.model.schema.SchemaVersion

tasks.cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}

4. Migrate Metadata Configuration

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Convert closure-based to object assignment
    organizationalEntity = OrganizationalEntity().apply {
        // configuration
    }
    
    licenseChoice = LicenseChoice().apply {
        // configuration
    }
    
    externalReferences = listOf(
        ExternalReference().apply {
            // configuration
        }
    )
}
`...

2.4.1

Bug Fixes

• Explicit setters added for schemaVersion and projectType to support Groovy DSL #690
• cyclonedxBom task declares duplicate outputs #686

Full Changelog

• #686 cyclonedxBom task declares duplicate output by @skhokhlov in #691
• test: configure schemaVersion and projectType with java objects by @skhokhlov in #692

cyclonedx-gradle-plugin-2.4.0...cyclonedx-gradle-plugin-2.4.1

2.4.0

New Features and Deprecations

• New jsonOutput and xmlOutput properties to configure BOM output locations. Existing properties destination, outputName, and outputFormat deprecated
• Direct task properties configuration is allowed, property setters deprecated
• schemaVersion property prefers input as org.cyclonedx.Version, String input deprecated
• projectType property prefers input as org.cyclonedx.model.Component.Type, String input deprecated
• gitVCS now can be configured as externalReferences and accept multiple values, configuration as gitVCS deprecated

Bug Fixes

• Generated SBOM contains access token #581
• Project version might not be picked up #650
• org.cyclonedx:cyclonedx-core-java was not declared as an API dependency #655

Dependency Updates

• Gradle from 8.14 to 9
• org.apache.maven:maven-core from 3.9.10 to 3.9.11
• commons-codec:commons-codec from 1.18.0 to 1.19.0
• commons-io:commons-io from 2.19.0 to 2.20.0

Full Changelog

• build(deps): bump org.cyclonedx.bom from 2.3.0 to 2.3.1 by @dependabot[bot] in #622
• Update Gradle Wrapper from 8.14 to 8.14.1 by @github-actions[bot] in #621
• build: run one build with multijdk tests by @skhokhlov in #623
• build(deps): bump com.diffplug.spotless from 6.13.0 to 7.0.4 by @dependabot[bot] in #624
• build(deps): bump org.apache.maven:maven-core from 3.9.9 to 3.9.10 by @dependabot[bot] in #628
• build(deps): bump gradle/actions from 4.4.0 to 4.4.1 by @dependabot[bot] in #633
• build(deps): bump com.diffplug.spotless from 7.0.4 to 7.1.0 by @dependabot[bot] in #640
• build(deps): bump org.apache.maven:maven-core from 3.9.10 to 3.9.11 by @dependabot[bot] in #642
• build(deps): bump commons-codec:commons-codec from 1.18.0 to 1.19.0 by @dependabot[bot] in #649
• build(deps): bump com.diffplug.spotless from 7.1.0 to 7.2.1 by @dependabot[bot] in #648
• build(deps): bump commons-io:commons-io from 2.19.0 to 2.20.0 by @dependabot[bot] in #645
• build: enable build cache and configuration cache by @skhokhlov in #651
• build: explicitly set java 8 as a target version and java 21 to run g… by @skhokhlov in #653
• docs: update CONTRIBUTING.md by @skhokhlov in #652
• fix: use provider for component version convention by @sergej-koscejev in #650
• build: Make org.cyclonedx:cyclonedx-core-java an api dependency by @zarebski-m in #656
• build: upgrade to gradle 9 by @skhokhlov in #657
• build(deps): bump gradle/actions from 4.4.1 to 4.4.2 by @dependabot[bot] in #658
• build(deps): bump org.junit.jupiter:junit-jupiter-api from 5.11.4 to 5.13.4 by @dependabot[bot] in #646
• fix: scrub credentials from git url by @MalickBurger in #663
• feat: deprecate task property setters by @skhokhlov in #681
• fix: store bom once by @skhokhlov in #682
• doc: update usage examples with new properties by @skhokhlov in #683
• doc: update version to 2.4.0 by @skhokhlov in #683

cyclonedx-gradle-plugin-2.3.1...cyclonedx-gradle-plugin-2.4.0

New Contributors

• @sergej-koscejev made their first contribution in #650
• @zarebski-m made their first contribution in #656
• @MalickBurger made their first contribution in #663

3.0.0-alpha-1

What's Changed

• test: run tests with java 8 and 11 by @skhokhlov in #672
• build(deps): bump actions/setup-java from 4.7.1 to 5.0.0 by @dependabot[bot] in #671
• Skip repositories without url in distributionManagement by @xvik in #673
• refactor: use Gradle's JavaVersion class by @skhokhlov in #674
• Stop adding self references and dependency constraints as direct dependencies by @tjog in #670
• Remove extenstion by @skhokhlov in #675
• build: prepare version 3.0.0-alpha-1 by @skhokhlov in #676

New Contributors

• @xvik made their first contribution in #673
• @tjog made their first contribution in #670

Full Changelog: cyclonedx-gradle-plugin-3.0.0-alpha-0...cyclonedx-gradle-plugin-3.0.0-alpha-1

CycloneDX Gradle Plugin Migration Guide: 2.3.1 → 3.0.0-alpha-1

This guide covers the breaking changes and migration steps required when upgrading from CycloneDX Gradle Plugin version 2.3.1 to 3.0.0-alpha-1.

Important

There are breaking changes since 3.0.0-alpha-0. This guide does not cover it.

Task Behavior and Naming Changes

Version 2.3.1: Single Task Model

# Single task for all scenarios
gradle cyclonedxBom

Version 3.0.0: Dual Task Model

# Generate per-project SBOMs (individual projects)
gradle cyclonedxDirectBom

# Generate aggregated SBOM (multi-project builds)
gradle cyclonedxBom

Task Behavior Changes

Aspect	Version 2.3.1	Version 3.0.0
Per-project SBOMs	Single task handled both	cyclonedxDirectBom task
Multi-project aggregation	Single task handled both	cyclonedxBom task (when plugin applied to root)
Output location	./build/reports/bom.{xml,json}	Direct: build/reports/cyclonedx-direct/bom.{xml,json} Aggregate: build/reports/cyclonedx/bom.{xml,json}
Task types	Single task class	CyclonedxDirectTask and CyclonedxAggregateTask

Configuration Method Changes

❌ Version 2.3.1: Single task configuration

// OLD - No longer supported
tasks.cyclonedxBom {
    setIncludeConfigs(["runtimeClasspath"])
    setDestination(file("build/reports"))
    setOutputName("bom")
    setOutputFormat("json")
}

✅ Version 3.0.0: Project-scoped task configuration

// NEW
tasks.cyclonedxDirectBom {
    includeConfigs = ["runtimeClasspath"]
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}
tasks.cyclonedxBom {
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

Plugin Application Recommendations

Version 2.3.1: Multiple Application Strategies

// Applied to individual projects OR used init scripts
plugins {
    id 'org.cyclonedx.bom' version '2.3.1'
}

Version 3.0.0: Root Project Application

// ROOT PROJECT build.gradle - RECOMMENDED
plugins {
    id 'org.cyclonedx.bom' version '3.0.0'
}

cyclonedxBom {
    // Configuration applies to both direct and aggregate tasks
}

Output Configuration Changes

Version 2.3.1: Combined Output Properties

cyclonedxBom {
    destination = file("build/reports")           // Directory
    outputName = "bom"                           // Base filename
    outputFormat = "json"                        // Format: xml, json, all
}

Version 3.0.0: Explicit File Properties

tasks.cyclonedxBom {
    // Explicit file paths for each format
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

// Or disable specific formats
tasks.withType<CyclonedxDirectTask> {
    xmlOutput.unsetConvention()  // Generate JSON only
}

Migration Example

// OLD (2.3.1)
cyclonedxBom {
    destination = file("build/custom")
    outputName = "my-sbom"
    outputFormat = "json"
}

// NEW (3.0.0)
tasks.cyclonedxBom {
    jsonOutput = file("build/custom/my-sbom.json")
    // xmlOutput omitted = only JSON generated
}

Schema Version Configuration Changes

Version 2.3.1: String-Based

cyclonedxBom {
    schemaVersion = "1.6"
}

Version 3.0.0: Enum-Based

import org.cyclonedx.model.schema.SchemaVersion

tasks.cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}
tasks.cyclonedxDirectBom {
    schemaVersion = SchemaVersion.VERSION_16
}

Organizational Entity Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    organizationalEntity { oe ->
        oe.name = 'Test Company'
        oe.url = ['www.test1.com', 'www.test2.com']
        oe.addContact(organizationalContact)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Direct object assignment
    organizationalEntity = OrganizationalEntity().apply {
        name = "ACME Corporation"
        urls = listOf("https://www.acme.com", "https://security.acme.com")
        addContact(OrganizationalContact().apply {
            name = "Security Team"
            email = "[email protected]"
            phone = "+1-555-SECURITY"
        })
    }
}

License Choice Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    licenseChoice { lc ->
        License license = new License()
        license.setName("Apache-2.0")
        license.setUrl("https://www.apache.org/licenses/LICENSE-2.0.txt")
        lc.addLicense(license)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Direct object assignment
    licenseChoice = LicenseChoice().apply {
        addLicense(License().apply {
            name = "Apache-2.0"
            url = "https://www.apache.org/licenses/LICENSE-2.0.txt"
        })
    }
}

External References Configuration

Version 2.3.1: VCS Git Configuration

cyclonedxBom {
    // VCS-specific configuration
    setVCSGit { vcs ->
        vcs.url = "https://github.com/example/repo.git"
        vcs.comment = "Source repository"
    }
}

Version 3.0.0: Generic External References

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Generic external references
    externalReferences = listOf(
        ExternalReference().apply {
            url = "https://github.com/example/repo.git"
            type = ExternalReference.Type.VCS
        },
        ExternalReference().apply {
            url = "https://example.com/docs"
            type = ExternalReference.Type.DOCUMENTATION
        }
    )
}

Multi-Project Setup Changes

# Generate per-project SBOMs for all projects
./gradlew cyclonedxDirectBom

# Generate single aggregated SBOM
./gradlew cyclonedxBom

Breaking Changes Summary

🚨 Critical Breaking Changes

2. Task configuration syntax changes
3. Output property names changed - destination/outputName/outputFormat → jsonOutput/xmlOutput
4. Metadata configuration syntax changed - Closures → Object assignment

⚠️ Behavioral Changes

1. New task structure - Two tasks instead of one
2. Different default output locations
3. Plugin should be applied to root project for aggregation

Step-by-Step Migration Process

1. Update Plugin Version

plugins {
    id("org.cyclonedx.bom") version "3.0.0"
}

2. Update Output Configuration

// OLD
cyclonedxBom {
    destination = file("build/reports")
    outputName = "sbom"
    outputFormat = "json"
}

// NEW
tasks.cyclonedxBom {
    jsonOutput = file("build/reports/sbom.json")
    xmlOutput.unsetConvention()
}

3. Update Schema Version

import org.cyclonedx.model.schema.SchemaVersion

tasks.cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}

4. Migrate Metadata Configuration

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Convert closure-based to object assignment
    organizationalEntity = OrganizationalEntity().apply {
        // configuration
    }
    
    licenseChoice = LicenseChoice().apply {
        // configuration
    }
    
    externalReferences = listOf(
        ExternalReference().apply {
            // configuration
        }
    )
}

5. Update Task Execution

# For per-project SBOMs
./gradlew cyclonedxDirectBom

# For aggregated SBOM (multi-project)
./gradlew cyclonedxBom

6. Verify Output Locations

Check that your SBOM files are generated in the expected locations:

• Direct: build/reports/cyclonedx-direct/
• Aggregated: build/reports/cyclonedx/

Common Migration Issues and Solutions

Issue: "Task configuration not found"

Problem: Using tasks.cyclonedxBom { } syntax
Solution: Use cyclonedxBom { } extension configuration

Issue: "Output files not found"

Problem: Looking in old output location
Solution: Check new default locations or configure explicit paths

Issue: "Schema version error"

Problem:...

3.0.0-alpha-0

What's Changed

• build(deps): bump org.cyclonedx.bom from 2.3.0 to 2.3.1 by @dependabot[bot] in #622
• Update Gradle Wrapper from 8.14 to 8.14.1 by @github-actions[bot] in #621
• build: run one build with multijdk tests by @skhokhlov in #623
• build(deps): bump com.diffplug.spotless from 6.13.0 to 7.0.4 by @dependabot[bot] in #624
• build(deps): bump org.apache.maven:maven-core from 3.9.9 to 3.9.10 by @dependabot[bot] in #628
• build(deps): bump gradle/actions from 4.4.0 to 4.4.1 by @dependabot[bot] in #633
• build(deps): bump com.diffplug.spotless from 7.0.4 to 7.1.0 by @dependabot[bot] in #640
• build(deps): bump org.apache.maven:maven-core from 3.9.10 to 3.9.11 by @dependabot[bot] in #642
• build(deps): bump commons-codec:commons-codec from 1.18.0 to 1.19.0 by @dependabot[bot] in #649
• build(deps): bump com.diffplug.spotless from 7.1.0 to 7.2.1 by @dependabot[bot] in #648
• build(deps): bump commons-io:commons-io from 2.19.0 to 2.20.0 by @dependabot[bot] in #645
• build: enable build cache and configuration cache by @skhokhlov in #651
• build: explicitly set java 8 as a target version and java 21 to run g… by @skhokhlov in #653
• docs: update CONTRIBUTING.md by @skhokhlov in #652
• fix: use provider for component version convention by @sergej-koscejev in #650
• build: Make org.cyclonedx:cyclonedx-core-java an api dependency by @zarebski-m in #656
• build: upgrade to gradle 9 by @skhokhlov in #657
• build(deps): bump gradle/actions from 4.4.1 to 4.4.2 by @dependabot[bot] in #658
• build(deps): bump org.junit.jupiter:junit-jupiter-api from 5.11.4 to 5.13.4 by @dependabot[bot] in #646
• fix: scrub credentials from git url by @MalickBurger in #663
• refactor: use Logging#getLogger for logs by @skhokhlov in #664
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #662
• refactor: migrate to jspecify annotations by @skhokhlov in #665
• feat: collect sbom per project, add cyclonedxAggregateBom task by @skhokhlov in #661
• build(deps): bump com.uber.nullaway:nullaway from 0.12.8 to 0.12.9 by @dependabot[bot] in #666
• build: prepare version 3.0.0-alpha-0 by @skhokhlov in #668

New Contributors

• @sergej-koscejev made their first contribution in #650
• @zarebski-m made their first contribution in #656
• @MalickBurger made their first contribution in #663

Full Changelog: cyclonedx-gradle-plugin-2.3.1...cyclonedx-gradle-plugin-3.0.0-alpha-0

CycloneDX Gradle Plugin Migration Guide: 2.3.1 → 3.0.0

This guide covers the breaking changes and migration steps required when upgrading from CycloneDX Gradle Plugin version 2.3.1 to 3.0.0.

Prerequisites and System Requirements

New System Requirements in 3.0.0

• Java 17 or newer (previously supported older versions)
• Gradle 9.0 or newer (previously supported Gradle 8.0+)

The plugin might be still compatible with older versions, but it's not tested.

⚠️ Important: If you cannot upgrade to these requirements, continue using version 2.x.x.

Task Behavior and Naming Changes

Version 2.3.1: Single Task Model

# Single task for all scenarios
gradle cyclonedxBom

Version 3.0.0: Dual Task Model

# Generate per-project SBOMs (individual projects)
gradle cyclonedxDirectBom

# Generate aggregated SBOM (multi-project builds)
gradle cyclonedxBom

Task Behavior Changes

Aspect	Version 2.3.1	Version 3.0.0
Per-project SBOMs	Single task handled both	cyclonedxDirectBom task
Multi-project aggregation	Single task handled both	cyclonedxBom task (when plugin applied to root)
Output location	./build/reports/bom.{xml,json}	Direct: build/reports/cyclonedx-direct/bom.{xml,json} Aggregate: build/reports/cyclonedx/bom.{xml,json}
Task types	Single task class	CyclonedxDirectTask and CyclonedxAggregateTask

Configuration Method Changes

❌ Version 2.3.1: Direct Task Configuration

// OLD - No longer supported
tasks.cyclonedxBom {
    setIncludeConfigs(["runtimeClasspath"])
    setDestination(file("build/reports"))
    setOutputName("bom")
    setOutputFormat("json")
}

✅ Version 3.0.0: Extension-Based Configuration

// NEW - Preferred approach
cyclonedxBom {
    includeConfigs = ["runtimeClasspath"]
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

Plugin Application Recommendations

Version 2.3.1: Multiple Application Strategies

// Applied to individual projects OR used init scripts
plugins {
    id 'org.cyclonedx.bom' version '2.3.1'
}

Version 3.0.0: Root Project Application

// ROOT PROJECT build.gradle - RECOMMENDED
plugins {
    id 'org.cyclonedx.bom' version '3.0.0'
}

cyclonedxBom {
    // Configuration applies to both direct and aggregate tasks
}

Benefits of root project application:

• Automatic aggregation across all subprojects
• Centralized configuration
• No need for init scripts in multi-project builds
• Access to both cyclonedxDirectBom and cyclonedxBom tasks

Output Configuration Changes

Version 2.3.1: Combined Output Properties

cyclonedxBom {
    destination = file("build/reports")           // Directory
    outputName = "bom"                           // Base filename
    outputFormat = "json"                        // Format: xml, json, all
}

Version 3.0.0: Explicit File Properties

cyclonedxBom {
    // Explicit file paths for each format
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

// Or disable specific formats
tasks.withType<CyclonedxDirectTask> {
    xmlOutput.unsetConvention()  // Generate JSON only
}

Migration Example

// OLD (2.3.1)
cyclonedxBom {
    destination = file("build/custom")
    outputName = "my-sbom"
    outputFormat = "json"
}

// NEW (3.0.0)
cyclonedxBom {
    jsonOutput = file("build/custom/my-sbom.json")
    // xmlOutput omitted = only JSON generated
}

Schema Version Configuration Changes

Version 2.3.1: String-Based

cyclonedxBom {
    schemaVersion = "1.6"
}

Version 3.0.0: Enum-Based

import org.cyclonedx.model.schema.SchemaVersion

cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}

Organizational Entity Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    organizationalEntity { oe ->
        oe.name = 'Test Company'
        oe.url = ['www.test1.com', 'www.test2.com']
        oe.addContact(organizationalContact)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

cyclonedxBom {
    // Direct object assignment
    organizationalEntity = OrganizationalEntity().apply {
        name = "ACME Corporation"
        urls = listOf("https://www.acme.com", "https://security.acme.com")
        addContact(OrganizationalContact().apply {
            name = "Security Team"
            email = "[email protected]"
            phone = "+1-555-SECURITY"
        })
    }
}

License Choice Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    licenseChoice { lc ->
        License license = new License()
        license.setName("Apache-2.0")
        license.setUrl("https://www.apache.org/licenses/LICENSE-2.0.txt")
        lc.addLicense(license)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

cyclonedxBom {
    // Direct object assignment
    licenseChoice = LicenseChoice().apply {
        addLicense(License().apply {
            name = "Apache-2.0"
            url = "https://www.apache.org/licenses/LICENSE-2.0.txt"
        })
    }
}

External References Configuration

Version 2.3.1: VCS Git Configuration

cyclonedxBom {
    // VCS-specific configuration
    setVCSGit ...

2.3.1

Bug Fixes

• Root project must be always connected to subprojects by @skhokhlov in #619

Other Changes

• build(deps): bump org.cyclonedx.bom from 2.2.0 to 2.3.0 by @dependabot in #613
• build(deps): bump gradle/actions from 4.3.1 to 4.4.0 by @dependabot in #617
• build: prepare version 2.3.1 by @skhokhlov in #620

Full Changelog: cyclonedx-gradle-plugin-2.3.0...cyclonedx-gradle-plugin-2.3.1

2.3.0

✨ New Features

• Removed the requirement to explicitly configure project.group and project.version by @skhokhlov in #611

📦 Dependency Updates

• Gradle Wrapper Update: Upgraded from 8.13 to 8.14 by@dependabot in #594
• CycloneDX Core Java: Updated org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1. By @dependabot in #598
• Commons IO: Bumped commons-io:commons-io from 2.18.0 to 2.19.0. By @dependabot in #608
• Gradle Actions: Upgraded gradle/actions from 4.3.0 to 4.3.1. By @dependabot in #603
• Setup Java Action: Updated actions/setup-java from 4.7.0 to 4.7.1. By @dependabot in #606
• Upload Artifact Action: Bumped actions/upload-artifact from 4.6.1 to 4.6.2. By @dependabot in #601
• CycloneDX BOM: Upgraded org.cyclonedx.bom from 2.1.0 to 2.2.0. By @dependabot in #591

📜 Full Changelog

• build(deps): bump org.cyclonedx.bom from 2.1.0 to 2.2.0 by @dependabot in #591
• build(deps): bump gradle-update/update-gradle-wrapper-action from 2.0.1 to 2.1.0 by @dependabot in #594
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1 by @dependabot in #598
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot in #601
• build(deps): bump gradle/actions from 4.3.0 to 4.3.1 by @dependabot in #603
• build(deps): bump commons-io:commons-io from 2.18.0 to 2.19.0 by @dependabot in #608
• build(deps): bump actions/setup-java from 4.7.0 to 4.7.1 by @dependabot in #606
• Update Gradle Wrapper from 8.13 to 8.14 by @github-actions in #610
• feat: remove requirement to have project group and version configured by @skhokhlov in #611
• build: prepare version 2.3.0 by @skhokhlov in #612

cyclonedx-gradle-plugin-2.2.0...cyclonedx-gradle-plugin-2.3.0

2.2.0

✨ New Features

• Project Path Qualifier for PURLs: Added a project path qualifier to project Package URLs for enhanced identification and clarity. By @skhokhlov in #584

📦 Dependency Updates

• Gradle Wrapper Update: Upgraded from 8.12.1 to 8.13 to keep up with the latest Gradle improvements and bug fixes. By @github-actions in #588
• CycloneDX BOM Upgrade: Updated org.cyclonedx.bom from 2.0.0 to 2.1.0 for improved functionality and support. By @dependabot in #583
• Upload Artifact Action: Bumped actions/upload-artifact from 4.6.0 to 4.6.1 to maintain compatibility and stability in CI workflows. By @dependabot in #587

📜 Full Changelog

• build(deps): bump org.cyclonedx.bom from 2.0.0 to 2.1.0 by @dependabot in #583
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @dependabot in #587
• feat: add project path qualifier to project purls by @skhokhlov in #584
• Update Gradle Wrapper from 8.12.1 to 8.13 by @github-actions in #588
• build: prepare release version 2.2.0 by @skhokhlov in #590

cyclonedx-gradle-plugin-2.1.0...cyclonedx-gradle-plugin-2.2.0