Execution failed for task ':cyclonedxBom'. #256

Closed
zmto opened this issue Jan 5, 2023 · 15 comments
Labels
android Android related issues

Comments

@zmto

zmto commented Jan 5, 2023

Hello,
Sorry if it's a stupid issue. I am new to this and I am trying to use cyclonedx to build an SBOM for my Android app, but I can't get it working.

The following example is with the no activity template from android studio.

Gradle version:

% gradle -v

------------------------------------------------------------
Gradle 7.5.1
------------------------------------------------------------

Build time:   2022-08-05 21:17:56 UTC
Revision:     d1daa0cbf1a0103000b71484e1dbfe096e095918

Kotlin:       1.6.21
Groovy:       3.0.10
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          17.0.5 (Homebrew 17.0.5+0)
OS:           Mac OS X 12.6.2 aarch64

Trying to run cyclonedx

% gradle cyclonedx

> Task :cyclonedxBom FAILED
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':cyclonedxBom'.
> The consumer was configured to find a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm'. However we cannot choose between the following variants of project :app:
    - Configuration ':app:releaseRuntimeElements' variant android-base-module-lint-variant-dependencies-model declares a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-base-module-lint-variant-dependencies-model' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:releaseRuntimeElements' variant android-java-res declares a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-java-res' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:releaseRuntimeElements' variant android-lint-variant-dependencies-model declares a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-lint-variant-dependencies-model' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:releaseRuntimeElements' variant android-navigation-json declares a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-navigation-json' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:releaseRuntimeElements' variant android-packaged-dependencies declares a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-packaged-dependencies' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:releaseRuntimeElements' variant apk declares a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'apk' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:releaseRuntimeElements' variant bundle-apks declares a runtime of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'bundle-apks' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

See https://docs.gradle.org/7.5.1/userguide/command_line_interface.html#sec:command_line_warnings

BUILD FAILED in 1s
1 actionable task: 1 executed

My build.gradle looks like this:

plugins {
    id 'com.android.application' version '7.3.1' apply false
    id 'com.android.library' version '7.3.1' apply false
    id 'org.jetbrains.kotlin.android' version '1.7.20' apply false
    id 'org.cyclonedx.bom' version '1.7.2'

}

I tried to add this but it didn't do the trick...

project(':app') {
        apply plugin: 'org.cyclonedx.bom'
        cyclonedxBom {
            //includeConfigs = ["compileClasspath"]

            // skipConfigs is a list of configuration names to exclude when generating the BOM
            //skipConfigs = ["debugApiElements","releaseApiElements","releaseRuntimeElements"]
            skipConfigs = [
            "debugApiElements",
            "releaseApiElements",
            "debugRuntimeElements",
            "releaseRuntimeElements"
            ]

        }


}

Any idea how to solve this?

@chetan-ansel

Add this line to build.gradle:

cyclonedxBom {
    skipConfigs = [
        "debugCompileClasspath",
        "debugAndroidTestCompileClasspath",
        "debugUnitTestCompileClasspath",
        "releaseUnitTestCompileClasspath",
        "debugUnitTestRuntimeClasspath",
        "releaseUnitTestRuntimeClasspath"
    ]
}

@zmto
Author

zmto commented Jan 10, 2023

> Add this line build.gradle cyclonedxBom { skipConfigs = [ "debugCompileClasspath", "debugAndroidTestCompileClasspath", "debugUnitTestCompileClasspath", "releaseUnitTestCompileClasspath", "debugUnitTestRuntimeClasspath", "releaseUnitTestRuntimeClasspath" ] }

Similar error with your addition:

marckto@M412K93C97 test1 % gradle cyclonedx
Starting a Gradle Daemon (subsequent builds will be faster)

> Task :cyclonedxBom
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified

> Task :cyclonedxBom FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':cyclonedxBom'.
> The consumer was configured to find an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm'. However we cannot choose between the following variants of project :app:
    - Configuration ':app:debugApiElements' variant android-base-module-metadata declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-base-module-metadata' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:debugApiElements' variant android-feature-all-metadata declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-feature-all-metadata' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:debugApiElements' variant android-feature-res-ap_ declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-feature-res-ap_' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:debugApiElements' variant android-feature-signing-config-data declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-feature-signing-config-data' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:debugApiElements' variant android-feature-signing-config-versions declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-feature-signing-config-versions' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:debugApiElements' variant android-java-res declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-java-res' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it
    - Configuration ':app:debugApiElements' variant android-manifest-metadata declares an API of a component, preferably optimized for Android, as well as attribute 'com.android.build.api.attributes.AgpVersionAttr' with value '7.3.1', attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug', attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
        - Unmatched attributes:
            - Provides attribute 'artifactType' with value 'android-manifest-metadata' but the consumer didn't ask for it
            - Provides attribute 'com.android.build.gradle.internal.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
            - Provides a library but the consumer didn't ask for it

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 7s
1 actionable task: 1 executed

build.gradle content:

// Top-level build file where you can add configuration options common to all sub-projects/modules.
plugins {
    id 'com.android.application' version '7.3.1' apply false
    id 'com.android.library' version '7.3.1' apply false
    id 'org.jetbrains.kotlin.android' version '1.7.20' apply false
    id 'org.cyclonedx.bom' version '1.7.2'

}

project(':app') {
        apply plugin: 'org.cyclonedx.bom'
        cyclonedxBom {
            //includeConfigs = ["compileClasspath"]

            // skipConfigs is a list of configuration names to exclude when generating the BOM
            //skipConfigs = ["debugApiElements","releaseApiElements","releaseRuntimeElements"]
            skipConfigs = [
                "debugCompileClasspath",
                "debugAndroidTestCompileClasspath",
                "debugUnitTestCompileClasspath",
                "releaseUnitTestCompileClasspath",
                "debugUnitTestRuntimeClasspath",
                "releaseUnitTestRuntimeClasspath"
            ]

        }


}

I also tried with:

// Top-level build file where you can add configuration options common to all sub-projects/modules.
plugins {
    id 'com.android.application' version '7.3.1' apply false
    id 'com.android.library' version '7.3.1' apply false
    id 'org.jetbrains.kotlin.android' version '1.7.20' apply false
    id 'org.cyclonedx.bom' version '1.7.2'

}

project(':app') {
        apply plugin: 'org.cyclonedx.bom'
        cyclonedxBom {
            //includeConfigs = ["compileClasspath"]

            // skipConfigs is a list of configuration names to exclude when generating the BOM
            //skipConfigs = ["debugApiElements","releaseApiElements","releaseRuntimeElements"]
            skipConfigs = [
            "debugCompileClasspath",
            "debugAndroidTestCompileClasspath",
            "debugUnitTestCompileClasspath",
            "releaseUnitTestCompileClasspath",
            "debugUnitTestRuntimeClasspath",
            "releaseUnitTestRuntimeClasspath",
            "debugApiElements",
            "releaseApiElements",
            "debugRuntimeElements",
            "releaseRuntimeElements"
            ]
        }


}

@canatella

Had the same problem and went on to debug the issue:

Caused by: java.lang.RuntimeException: com.github.packageurl.MalformedPackageURLException: The PackageURL specified is invalid. Maven requires both a namespace and name.
        at org.cyclonedx.gradle.CycloneDxTask.generatePackageUrl(CycloneDxTask.java:549)
        at org.cyclonedx.gradle.CycloneDxTask.generatePackageUrl(CycloneDxTask.java:538)

Make sure to define a group for all your projects/sub-projects, and also a version:
https://docs.gradle.org/current/dsl/org.gradle.api.Project.html#org.gradle.api.Project%3agroup
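A triage sketch for the two failures visible in this thread, added here as an example (it is not part of any comment and not code from the CycloneDX plugin): it pulls the `group:name:version` coordinates out of the "create a PackageURL" warnings and lists which configuration the variant-ambiguity error names. The function names are hypothetical, and the sample log is excerpted from the output quoted above with the attribute lists shortened.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the Gradle output quoted in this
# issue, with the long attribute lists replaced by "...".
SAMPLE_LOG = """\
> Task :cyclonedxBom FAILED
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified
An unexpected issue occurred attempting to create a PackageURL for :My Application:unspecified
Execution failed for task ':cyclonedxBom'.
> The consumer was configured to find a runtime of a component ... However we cannot choose between the following variants of project :app:
    - Configuration ':app:releaseRuntimeElements' variant android-java-res declares a runtime of a component ...:
    - Configuration ':app:releaseRuntimeElements' variant apk declares a runtime of a component ...:
    - Configuration ':app:releaseRuntimeElements' variant bundle-apks declares a runtime of a component ...:
"""

PURL_RE = re.compile(r"create a PackageURL for (?P<coords>.*)$")
VARIANT_RE = re.compile(
    r"Configuration '(?P<config>[^']+)' variant (?P<variant>\S+) declares"
)


def purl_problems(log):
    """Map each group:name:version that failed purl creation to its defects."""
    found = {}
    for line in log.splitlines():
        match = PURL_RE.search(line)
        if not match:
            continue
        coords = match.group("coords").strip()
        parts = coords.split(":")
        if len(parts) != 3:
            found[coords] = ["not in group:name:version form"]
            continue
        group, name, version = parts
        problems = []
        if not group:
            # A Maven purl needs a namespace, which comes from the group.
            problems.append("empty group (no purl namespace)")
        if not name:
            problems.append("empty name")
        if version == "unspecified":
            # "unspecified" is what Gradle reports when no version is set.
            problems.append("version left at Gradle's default 'unspecified'")
        found[coords] = problems
    return found


def ambiguous_variants(log):
    """Map each configuration in a 'cannot choose between' error to its variants."""
    result = defaultdict(list)
    for match in VARIANT_RE.finditer(log):
        config, variant = match.group("config"), match.group("variant")
        if variant not in result[config]:
            result[config].append(variant)
    return dict(result)


if __name__ == "__main__":
    for coords, problems in purl_problems(SAMPLE_LOG).items():
        print(f"{coords!r}: {', '.join(problems) or 'no obvious problem'}")
    for config, variants in ambiguous_variants(SAMPLE_LOG).items():
        print(f"{config}: {len(variants)} candidate variants: {', '.join(variants)}")
```
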

@glefloch
Member

Thanks for reporting this. Do you have a sample project reproducer? When building SBOM, we try to resolve all dependencies from all configurations, here it looks like dependencies coming from some configurations cannot be resolved due to their Gradle variant. We may need to add some specific code to resolve the dependency with the correct variant.

@canatella

Sorry, it looks like I'm not clear: the problem is solved when adding a group definition for the project and subprojects.

@glefloch
Member

@zmto is that ok for you too?

@libertywork-agb

I also got this error in a multi-project project. I added this plugin (version 1.7.3) to the build.gradle of one of the subprojects. It worked fine when outputFormat was set to json, but when it was set to either xml or all, I saw this error.

I tried adding all of my configs to skipConfigs, but still saw the same error. I also tried adding a group definition to the subproject with no change.

I then tried moving the plugin declaration to the root project build.gradle and applied it to only the one subproject:

plugins {
    id 'org.cyclonedx.bom' version '1.7.3' apply false
}

project(':subproject') {
    apply plugin: 'org.cyclonedx.bom'
}

This fixed the error, and I was able to generate a BOM in XML format.

@zmto
Author

zmto commented Feb 13, 2023

Sorry if I misunderstand. I am neither using a group nor multi-project.
Do I have to?

@glefloch
Member

Not at all, as @canatella said, the issue can be fixed by adding the group property in your build.gradle file. Could you try?

@libertywork-agb

Apologies for the confusion. I realized that my error was actually different from the error in this issue. I submitted a new issue here.

@petroniuchacz

I also have this problem. I tried to define group and version:

subprojects {
    group("pl.sygnity")
    version("1.0.28+28")
    project.buildDir = "${rootProject.buildDir}/${project.name}"
    project.evaluationDependsOn(':app')
}

project(':app') {
    group("pl.sygnity")
    version("1.0.28+28")
    apply plugin: 'org.cyclonedx.bom'
    cyclonedxBom {
        //includeConfigs = ["compileClasspath"]

        // skipConfigs is a list of configuration names to exclude when generating the BOM
        //skipConfigs = ["debugApiElements","releaseApiElements","releaseRuntimeElements"]
        skipConfigs = [
                "debugCompileClasspath",
                "debugAndroidTestCompileClasspath",
                "debugUnitTestCompileClasspath",
                "releaseUnitTestCompileClasspath",
                "debugUnitTestRuntimeClasspath",
                "releaseUnitTestRuntimeClasspath",
                "debugApiElements",
                "releaseApiElements",
                "debugRuntimeElements",
                "releaseRuntimeElements"
        ]
    }
}

@mrexodia

If any of the devs are looking for an open source project that reproduces this issue, we just tried to integrate CycloneDX into the Android Wikipedia app.

Here is the diff to get things working:

https://github.com/wikimedia/apps-android-wikipedia/compare/main...mrexodia:apps-android-wikipedia:cyclonedx-sbom?expand=1#diff-49a96e7eea8a94af862798a45174e6ac43eb4f8b4bd40759b5da63ba31ec3ef7R18

Most likely these skipConfigs should be discovered automatically for Android apps.

@skhokhlov skhokhlov added the android Android related issues label Jul 31, 2024
@skhokhlov
Member

> Most likely these skipConfigs should be discovered automatically for Android apps.

I'm sure it's one of the most wanted features for this project. Feel free to contribute it!

@skhokhlov
Member

skhokhlov commented Jul 31, 2024

Main issue: #478


github-actions bot commented Sep 6, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 6, 2024