Mono-Repo with different types not scanned correctly #1576
Comments
Can you share a sample repo to reproduce the issue? You must be facing two limitations:
A range of samples will help improve this feature significantly.
I can provide example projects next week
https://github.com/pschichtel/cdxgen-reproducer The repo contains 2 projects, each once in the nested structure and in the side-by-side structure as described above. When importing either bom into dependency-track it shows the dependency tree only with the npm project, but the components still include e.g. ktor from the gradle project.
Thank you for the samples. This exactly hits two different limitations in gradle and npm. Fixing this is a non-trivial task, especially testing since every single line of change could break something somewhere for someone. Will you be interested in contributing a PR working with us? Or we can keep this open and see if anyone is willing to sponsor.
I personally would be willing to give it a shot, however this would definitely need some initial pointers since I have absolutely no clue on where exactly these limits are and where to start. I'd also have to check with my company if time can be allocated to this, especially since workarounds exist (e.g. scanning each project individually and merging the boms)
I have tested two project layouts:
1. projects in separate folders like this:
   backend/build.gradle.kts
   frontend/package.json
2. projects nested within each other like this:
   build.gradle.kts
   frontend/package.json
Both the documentation as well as the ChatGPT assistant suggest that a command as simple as
cdxgen .
should automatically find all projects and generate a combined SBOM for them. The command does seem to find the projects in both cases, at least the log contains things related to npm and gradle, however:
In case (1) the resulting bom.json contains components for all dependencies of both projects, however when importing the bom into a dependency-track project only one of the projects is part of the dependency tree.
In case (2) the resulting bom.json only contained components for one of the projects, the root project.
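A small check for the symptom in case (1), added here as an example that is not part of cdxgen or the reproducer repo: it walks a CycloneDX JSON BOM's `dependencies` graph from the root component and lists the components that no path reaches, which is exactly what makes them show up as components but vanish from dependency-track's tree. The BOM below is constructed; its component names and versions are assumptions.

```python
import json

# Constructed sample BOM (assumed names/versions, not from the reproducer repo):
# both projects' components are present, but only the npm project is linked
# from the root in the "dependencies" graph, so the gradle component is orphaned.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/monorepo@1.0.0",
                               "name": "monorepo"}},
    "components": [
        {"bom-ref": "pkg:npm/frontend@1.0.0", "name": "frontend"},
        {"bom-ref": "pkg:npm/react@18.2.0", "name": "react"},
        {"bom-ref": "pkg:maven/io.ktor/ktor-server-core@2.3.0",
         "name": "ktor-server-core"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/monorepo@1.0.0",
         "dependsOn": ["pkg:npm/frontend@1.0.0"]},
        {"ref": "pkg:npm/frontend@1.0.0",
         "dependsOn": ["pkg:npm/react@18.2.0"]},
    ],
})


def unreachable_components(bom_json: str) -> list[str]:
    """Return the bom-refs of components that cannot be reached from the
    metadata.component root by following dependsOn edges."""
    bom = json.loads(bom_json)
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    seen = set()
    stack = [root] if root else []
    while stack:  # iterative DFS; cycles are guarded by the seen set
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    return sorted(c["bom-ref"] for c in bom.get("components", [])
                  if c.get("bom-ref") not in seen)


if __name__ == "__main__":
    for ref in unreachable_components(SAMPLE_BOM):
        print("not reachable from root:", ref)
```

Run it against a real bom.json (`unreachable_components(open("bom.json").read())`) to confirm whether the missing project is absent from the graph rather than from the component list.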