3.0.0-alpha-1

What's Changed

• test: run tests with java 8 and 11 by @skhokhlov in #672
• build(deps): bump actions/setup-java from 4.7.1 to 5.0.0 by @dependabot[bot] in #671
• Skip repositories without url in distributionManagement by @xvik in #673
• refactor: use Gradle's JavaVersion class by @skhokhlov in #674
• Stop adding self references and dependency constraints as direct dependencies by @tjog in #670
• Remove extenstion by @skhokhlov in #675
• build: prepare version 3.0.0-alpha-1 by @skhokhlov in #676

New Contributors

• @xvik made their first contribution in #673
• @tjog made their first contribution in #670

Full Changelog: cyclonedx-gradle-plugin-3.0.0-alpha-0...cyclonedx-gradle-plugin-3.0.0-alpha-1

CycloneDX Gradle Plugin Migration Guide: 2.3.1 → 3.0.0-alpha-1

This guide covers the breaking changes and migration steps required when upgrading from CycloneDX Gradle Plugin version 2.3.1 to 3.0.0-alpha-1.

Important

There are breaking changes since 3.0.0-alpha-0. This guide does not cover it.

Task Behavior and Naming Changes

Version 2.3.1: Single Task Model

# Single task for all scenarios
gradle cyclonedxBom

Version 3.0.0: Dual Task Model

# Generate per-project SBOMs (individual projects)
gradle cyclonedxDirectBom

# Generate aggregated SBOM (multi-project builds)
gradle cyclonedxBom

Task Behavior Changes

Aspect	Version 2.3.1	Version 3.0.0
Per-project SBOMs	Single task handled both	cyclonedxDirectBom task
Multi-project aggregation	Single task handled both	cyclonedxBom task (when plugin applied to root)
Output location	./build/reports/bom.{xml,json}	Direct: build/reports/cyclonedx-direct/bom.{xml,json} Aggregate: build/reports/cyclonedx/bom.{xml,json}
Task types	Single task class	CyclonedxDirectTask and CyclonedxAggregateTask

Configuration Method Changes

❌ Version 2.3.1: Single task configuration

// OLD - No longer supported
tasks.cyclonedxBom {
    setIncludeConfigs(["runtimeClasspath"])
    setDestination(file("build/reports"))
    setOutputName("bom")
    setOutputFormat("json")
}

✅ Version 3.0.0: Project-scoped task configuration

// NEW
tasks.cyclonedxDirectBom {
    includeConfigs = ["runtimeClasspath"]
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}
tasks.cyclonedxBom {
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

Plugin Application Recommendations

Version 2.3.1: Multiple Application Strategies

// Applied to individual projects OR used init scripts
plugins {
    id 'org.cyclonedx.bom' version '2.3.1'
}

Version 3.0.0: Root Project Application

// ROOT PROJECT build.gradle - RECOMMENDED
plugins {
    id 'org.cyclonedx.bom' version '3.0.0'
}

cyclonedxBom {
    // Configuration applies to both direct and aggregate tasks
}

Output Configuration Changes

Version 2.3.1: Combined Output Properties

cyclonedxBom {
    destination = file("build/reports")           // Directory
    outputName = "bom"                           // Base filename
    outputFormat = "json"                        // Format: xml, json, all
}

Version 3.0.0: Explicit File Properties

tasks.cyclonedxBom {
    // Explicit file paths for each format
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

// Or disable specific formats
tasks.withType<CyclonedxDirectTask> {
    xmlOutput.unsetConvention()  // Generate JSON only
}

Migration Example

// OLD (2.3.1)
cyclonedxBom {
    destination = file("build/custom")
    outputName = "my-sbom"
    outputFormat = "json"
}

// NEW (3.0.0)
tasks.cyclonedxBom {
    jsonOutput = file("build/custom/my-sbom.json")
    // xmlOutput omitted = only JSON generated
}

Schema Version Configuration Changes

Version 2.3.1: String-Based

cyclonedxBom {
    schemaVersion = "1.6"
}

Version 3.0.0: Enum-Based

import org.cyclonedx.model.schema.SchemaVersion

tasks.cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}
tasks.cyclonedxDirectBom {
    schemaVersion = SchemaVersion.VERSION_16
}

Organizational Entity Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    organizationalEntity { oe ->
        oe.name = 'Test Company'
        oe.url = ['www.test1.com', 'www.test2.com']
        oe.addContact(organizationalContact)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Direct object assignment
    organizationalEntity = OrganizationalEntity().apply {
        name = "ACME Corporation"
        urls = listOf("https://www.acme.com", "https://security.acme.com")
        addContact(OrganizationalContact().apply {
            name = "Security Team"
            email = "[email protected]"
            phone = "+1-555-SECURITY"
        })
    }
}

License Choice Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    licenseChoice { lc ->
        License license = new License()
        license.setName("Apache-2.0")
        license.setUrl("https://www.apache.org/licenses/LICENSE-2.0.txt")
        lc.addLicense(license)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Direct object assignment
    licenseChoice = LicenseChoice().apply {
        addLicense(License().apply {
            name = "Apache-2.0"
            url = "https://www.apache.org/licenses/LICENSE-2.0.txt"
        })
    }
}

External References Configuration

Version 2.3.1: VCS Git Configuration

cyclonedxBom {
    // VCS-specific configuration
    setVCSGit { vcs ->
        vcs.url = "https://github.com/example/repo.git"
        vcs.comment = "Source repository"
    }
}

Version 3.0.0: Generic External References

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Generic external references
    externalReferences = listOf(
        ExternalReference().apply {
            url = "https://github.com/example/repo.git"
            type = ExternalReference.Type.VCS
        },
        ExternalReference().apply {
            url = "https://example.com/docs"
            type = ExternalReference.Type.DOCUMENTATION
        }
    )
}

Multi-Project Setup Changes

# Generate per-project SBOMs for all projects
./gradlew cyclonedxDirectBom

# Generate single aggregated SBOM
./gradlew cyclonedxBom

Breaking Changes Summary

🚨 Critical Breaking Changes

2. Task configuration syntax changes
3. Output property names changed - destination/outputName/outputFormat → jsonOutput/xmlOutput
4. Metadata configuration syntax changed - Closures → Object assignment

⚠️ Behavioral Changes

1. New task structure - Two tasks instead of one
2. Different default output locations
3. Plugin should be applied to root project for aggregation

Step-by-Step Migration Process

1. Update Plugin Version

plugins {
    id("org.cyclonedx.bom") version "3.0.0"
}

2. Update Output Configuration

// OLD
cyclonedxBom {
    destination = file("build/reports")
    outputName = "sbom"
    outputFormat = "json"
}

// NEW
tasks.cyclonedxBom {
    jsonOutput = file("build/reports/sbom.json")
    xmlOutput.unsetConvention()
}

3. Update Schema Version

import org.cyclonedx.model.schema.SchemaVersion

tasks.cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}

4. Migrate Metadata Configuration

import org.cyclonedx.model.*

tasks.cyclonedxBom {
    // Convert closure-based to object assignment
    organizationalEntity = OrganizationalEntity().apply {
        // configuration
    }
    
    licenseChoice = LicenseChoice().apply {
        // configuration
    }
    
    externalReferences = listOf(
        ExternalReference().apply {
            // configuration
        }
    )
}

5. Update Task Execution

# For per-project SBOMs
./gradlew cyclonedxDirectBom

# For aggregated SBOM (multi-project)
./gradlew cyclonedxBom

6. Verify Output Locations

Check that your SBOM files are generated in the expected locations:

• Direct: build/reports/cyclonedx-direct/
• Aggregated: build/reports/cyclonedx/

Common Migration Issues and Solutions

Issue: "Task configuration not found"

Problem: Using tasks.cyclonedxBom { } syntax
Solution: Use cyclonedxBom { } extension configuration

Issue: "Output files not found"

Problem: Looking in old output location
Solution: Check new default locations or configure explicit paths

Issue: "Schema version error"

Problem:...

3.0.0-alpha-0

What's Changed

• build(deps): bump org.cyclonedx.bom from 2.3.0 to 2.3.1 by @dependabot[bot] in #622
• Update Gradle Wrapper from 8.14 to 8.14.1 by @github-actions[bot] in #621
• build: run one build with multijdk tests by @skhokhlov in #623
• build(deps): bump com.diffplug.spotless from 6.13.0 to 7.0.4 by @dependabot[bot] in #624
• build(deps): bump org.apache.maven:maven-core from 3.9.9 to 3.9.10 by @dependabot[bot] in #628
• build(deps): bump gradle/actions from 4.4.0 to 4.4.1 by @dependabot[bot] in #633
• build(deps): bump com.diffplug.spotless from 7.0.4 to 7.1.0 by @dependabot[bot] in #640
• build(deps): bump org.apache.maven:maven-core from 3.9.10 to 3.9.11 by @dependabot[bot] in #642
• build(deps): bump commons-codec:commons-codec from 1.18.0 to 1.19.0 by @dependabot[bot] in #649
• build(deps): bump com.diffplug.spotless from 7.1.0 to 7.2.1 by @dependabot[bot] in #648
• build(deps): bump commons-io:commons-io from 2.19.0 to 2.20.0 by @dependabot[bot] in #645
• build: enable build cache and configuration cache by @skhokhlov in #651
• build: explicitly set java 8 as a target version and java 21 to run g… by @skhokhlov in #653
• docs: update CONTRIBUTING.md by @skhokhlov in #652
• fix: use provider for component version convention by @sergej-koscejev in #650
• build: Make org.cyclonedx:cyclonedx-core-java an api dependency by @zarebski-m in #656
• build: upgrade to gradle 9 by @skhokhlov in #657
• build(deps): bump gradle/actions from 4.4.1 to 4.4.2 by @dependabot[bot] in #658
• build(deps): bump org.junit.jupiter:junit-jupiter-api from 5.11.4 to 5.13.4 by @dependabot[bot] in #646
• fix: scrub credentials from git url by @MalickBurger in #663
• refactor: use Logging#getLogger for logs by @skhokhlov in #664
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #662
• refactor: migrate to jspecify annotations by @skhokhlov in #665
• feat: collect sbom per project, add cyclonedxAggregateBom task by @skhokhlov in #661
• build(deps): bump com.uber.nullaway:nullaway from 0.12.8 to 0.12.9 by @dependabot[bot] in #666
• build: prepare version 3.0.0-alpha-0 by @skhokhlov in #668

New Contributors

• @sergej-koscejev made their first contribution in #650
• @zarebski-m made their first contribution in #656
• @MalickBurger made their first contribution in #663

Full Changelog: cyclonedx-gradle-plugin-2.3.1...cyclonedx-gradle-plugin-3.0.0-alpha-0

CycloneDX Gradle Plugin Migration Guide: 2.3.1 → 3.0.0

This guide covers the breaking changes and migration steps required when upgrading from CycloneDX Gradle Plugin version 2.3.1 to 3.0.0.

Prerequisites and System Requirements

New System Requirements in 3.0.0

• Java 17 or newer (previously supported older versions)
• Gradle 9.0 or newer (previously supported Gradle 8.0+)

The plugin might be still compatible with older versions, but it's not tested.

⚠️ Important: If you cannot upgrade to these requirements, continue using version 2.x.x.

Task Behavior and Naming Changes

Version 2.3.1: Single Task Model

# Single task for all scenarios
gradle cyclonedxBom

Version 3.0.0: Dual Task Model

# Generate per-project SBOMs (individual projects)
gradle cyclonedxDirectBom

# Generate aggregated SBOM (multi-project builds)
gradle cyclonedxBom

Task Behavior Changes

Aspect	Version 2.3.1	Version 3.0.0
Per-project SBOMs	Single task handled both	cyclonedxDirectBom task
Multi-project aggregation	Single task handled both	cyclonedxBom task (when plugin applied to root)
Output location	./build/reports/bom.{xml,json}	Direct: build/reports/cyclonedx-direct/bom.{xml,json} Aggregate: build/reports/cyclonedx/bom.{xml,json}
Task types	Single task class	CyclonedxDirectTask and CyclonedxAggregateTask

Configuration Method Changes

❌ Version 2.3.1: Direct Task Configuration

// OLD - No longer supported
tasks.cyclonedxBom {
    setIncludeConfigs(["runtimeClasspath"])
    setDestination(file("build/reports"))
    setOutputName("bom")
    setOutputFormat("json")
}

✅ Version 3.0.0: Extension-Based Configuration

// NEW - Preferred approach
cyclonedxBom {
    includeConfigs = ["runtimeClasspath"]
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

Plugin Application Recommendations

Version 2.3.1: Multiple Application Strategies

// Applied to individual projects OR used init scripts
plugins {
    id 'org.cyclonedx.bom' version '2.3.1'
}

Version 3.0.0: Root Project Application

// ROOT PROJECT build.gradle - RECOMMENDED
plugins {
    id 'org.cyclonedx.bom' version '3.0.0'
}

cyclonedxBom {
    // Configuration applies to both direct and aggregate tasks
}

Benefits of root project application:

• Automatic aggregation across all subprojects
• Centralized configuration
• No need for init scripts in multi-project builds
• Access to both cyclonedxDirectBom and cyclonedxBom tasks

Output Configuration Changes

Version 2.3.1: Combined Output Properties

cyclonedxBom {
    destination = file("build/reports")           // Directory
    outputName = "bom"                           // Base filename
    outputFormat = "json"                        // Format: xml, json, all
}

Version 3.0.0: Explicit File Properties

cyclonedxBom {
    // Explicit file paths for each format
    jsonOutput = file("build/reports/sbom/bom.json")
    xmlOutput = file("build/reports/sbom/bom.xml")
}

// Or disable specific formats
tasks.withType<CyclonedxDirectTask> {
    xmlOutput.unsetConvention()  // Generate JSON only
}

Migration Example

// OLD (2.3.1)
cyclonedxBom {
    destination = file("build/custom")
    outputName = "my-sbom"
    outputFormat = "json"
}

// NEW (3.0.0)
cyclonedxBom {
    jsonOutput = file("build/custom/my-sbom.json")
    // xmlOutput omitted = only JSON generated
}

Schema Version Configuration Changes

Version 2.3.1: String-Based

cyclonedxBom {
    schemaVersion = "1.6"
}

Version 3.0.0: Enum-Based

import org.cyclonedx.model.schema.SchemaVersion

cyclonedxBom {
    schemaVersion = SchemaVersion.VERSION_16
}

Organizational Entity Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    organizationalEntity { oe ->
        oe.name = 'Test Company'
        oe.url = ['www.test1.com', 'www.test2.com']
        oe.addContact(organizationalContact)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

cyclonedxBom {
    // Direct object assignment
    organizationalEntity = OrganizationalEntity().apply {
        name = "ACME Corporation"
        urls = listOf("https://www.acme.com", "https://security.acme.com")
        addContact(OrganizationalContact().apply {
            name = "Security Team"
            email = "[email protected]"
            phone = "+1-555-SECURITY"
        })
    }
}

License Choice Configuration

Version 2.3.1: Closure-Based Configuration

cyclonedxBom {
    // Closure-based approach
    licenseChoice { lc ->
        License license = new License()
        license.setName("Apache-2.0")
        license.setUrl("https://www.apache.org/licenses/LICENSE-2.0.txt")
        lc.addLicense(license)
    }
}

Version 3.0.0: Direct Object Assignment

import org.cyclonedx.model.*

cyclonedxBom {
    // Direct object assignment
    licenseChoice = LicenseChoice().apply {
        addLicense(License().apply {
            name = "Apache-2.0"
            url = "https://www.apache.org/licenses/LICENSE-2.0.txt"
        })
    }
}

External References Configuration

Version 2.3.1: VCS Git Configuration

cyclonedxBom {
    // VCS-specific configuration
    setVCSGit ...

2.3.1

Bug Fixes

• Root project must be always connected to subprojects by @skhokhlov in #619

Other Changes

• build(deps): bump org.cyclonedx.bom from 2.2.0 to 2.3.0 by @dependabot in #613
• build(deps): bump gradle/actions from 4.3.1 to 4.4.0 by @dependabot in #617
• build: prepare version 2.3.1 by @skhokhlov in #620

Full Changelog: cyclonedx-gradle-plugin-2.3.0...cyclonedx-gradle-plugin-2.3.1

2.3.0

✨ New Features

• Removed the requirement to explicitly configure project.group and project.version by @skhokhlov in #611

📦 Dependency Updates

• Gradle Wrapper Update: Upgraded from 8.13 to 8.14 by@dependabot in #594
• CycloneDX Core Java: Updated org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1. By @dependabot in #598
• Commons IO: Bumped commons-io:commons-io from 2.18.0 to 2.19.0. By @dependabot in #608
• Gradle Actions: Upgraded gradle/actions from 4.3.0 to 4.3.1. By @dependabot in #603
• Setup Java Action: Updated actions/setup-java from 4.7.0 to 4.7.1. By @dependabot in #606
• Upload Artifact Action: Bumped actions/upload-artifact from 4.6.1 to 4.6.2. By @dependabot in #601
• CycloneDX BOM: Upgraded org.cyclonedx.bom from 2.1.0 to 2.2.0. By @dependabot in #591

📜 Full Changelog

• build(deps): bump org.cyclonedx.bom from 2.1.0 to 2.2.0 by @dependabot in #591
• build(deps): bump gradle-update/update-gradle-wrapper-action from 2.0.1 to 2.1.0 by @dependabot in #594
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 10.1.0 to 10.2.1 by @dependabot in #598
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2 by @dependabot in #601
• build(deps): bump gradle/actions from 4.3.0 to 4.3.1 by @dependabot in #603
• build(deps): bump commons-io:commons-io from 2.18.0 to 2.19.0 by @dependabot in #608
• build(deps): bump actions/setup-java from 4.7.0 to 4.7.1 by @dependabot in #606
• Update Gradle Wrapper from 8.13 to 8.14 by @github-actions in #610
• feat: remove requirement to have project group and version configured by @skhokhlov in #611
• build: prepare version 2.3.0 by @skhokhlov in #612

cyclonedx-gradle-plugin-2.2.0...cyclonedx-gradle-plugin-2.3.0

2.2.0

✨ New Features

• Project Path Qualifier for PURLs: Added a project path qualifier to project Package URLs for enhanced identification and clarity. By @skhokhlov in #584

📦 Dependency Updates

• Gradle Wrapper Update: Upgraded from 8.12.1 to 8.13 to keep up with the latest Gradle improvements and bug fixes. By @github-actions in #588
• CycloneDX BOM Upgrade: Updated org.cyclonedx.bom from 2.0.0 to 2.1.0 for improved functionality and support. By @dependabot in #583
• Upload Artifact Action: Bumped actions/upload-artifact from 4.6.0 to 4.6.1 to maintain compatibility and stability in CI workflows. By @dependabot in #587

📜 Full Changelog

• build(deps): bump org.cyclonedx.bom from 2.0.0 to 2.1.0 by @dependabot in #583
• build(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1 by @dependabot in #587
• feat: add project path qualifier to project purls by @skhokhlov in #584
• Update Gradle Wrapper from 8.12.1 to 8.13 by @github-actions in #588
• build: prepare release version 2.2.0 by @skhokhlov in #590

cyclonedx-gradle-plugin-2.1.0...cyclonedx-gradle-plugin-2.2.0

2.1.0

🛠️ Fixes & Improvements

• CycloneDX BOM Schema: Migration from #metadata_manufacture to #metadata_manufacturer. By @barblin in #570
• Configuration Handling Improvement: Prevented concurrency issues (ConcurrentModificationException) by copying configurations into a separate collection. By @gordonrousselle in #580

📦 Dependency Updates

• Gradle Wrapper Update: Upgraded from 8.12 to 8.12.1. By @github-actions in #572
• Commons Codec Library: Bumped commons-codec from 1.17.2 to 1.18.0. By @dependabot in #574
• CycloneDX BOM Upgrade: Updated org.cyclonedx.bom from 1.10.0 to 2.0.0. By @dependabot in #567
• GitHub Actions Updates:
  • update-gradle-wrapper-action (2.0.0 → 2.0.1) #573
  • plugin-publish (1.3.0 → 1.3.1) #577
  • gradle/actions (4.2.2 → 4.3.0) #578
  • actions/setup-java(4.6.0 → 4.7.0) #575

📜 Full Changelog

• build(deps): bump org.cyclonedx.bom from 1.10.0 to 2.0.0 by @dependabot in #567
• Update Gradle Wrapper from 8.12 to 8.12.1 by @github-actions in #572
• build(deps): bump gradle-update/update-gradle-wrapper-action from 2.0.0 to 2.0.1 by @dependabot in #573
• build(deps): bump commons-codec:commons-codec from 1.17.2 to 1.18.0 by @dependabot in #574
• build(deps): bump actions/setup-java from 4.6.0 to 4.7.0 by @dependabot in #575
• build(deps): bump com.gradle.plugin-publish from 1.3.0 to 1.3.1 by @dependabot in #577
• build(deps): bump gradle/actions from 4.2.2 to 4.3.0 by @dependabot in #578
• fix: copy configurations into separate collection to avoid concurrent… by @gordonrousselle in #580
• fix: manufacture. Reasoning: https://cyclonedx.org/docs/… by @barblin in #570
• build: prepare release version 2.1.0 by @skhokhlov in #582

cyclonedx-gradle-plugin-2.0.0...cyclonedx-gradle-plugin-2.1.0

2.0.0

CycloneDX Gradle Plugin version 2.0.0 features a comprehensive codebase overhaul for improved structure and maintainability, along with new capabilities such as Gradle Configuration Cache support and enhanced dependency resolution for various artifact types, including AAR, WAR, and ZIP files. This update also addresses critical issues, resolving indefinite loops during dependency resolution, ensuring consistent and accurate outcomes, and eliminating problems related to missing dependencies.

🚀 New Features

• New Implementation for CycloneDX Gradle Plugin: Enhanced BOM generation with a new implementation. By @gordonrousselle in #532
• Add Git External Reference: Introduced the ability to include Git as an external reference. By @barblin in #520
• Retrieve Build-System Metadata: The build system now retrieves metadata directly from the environment. By @jeremylong in #546

🛠️ Improvements & Fixes

• Use Lenient Artifact View: Updated artifact handling for improved leniency. By @jeremylong in #539
• Fix Component Version in PURL: Ensured correct usage of the configured component version in PURL. By @jeremylong in #542
• Avoid Deprecated Tools Section: Removed reliance on deprecated tools sections. By @jeremylong in #544
• Improve Documentation: Fixed typos, clarified warnings resolution, and updated Git documentation. By @TheManWhoStaresAtCode, @barblin, and @jeremylong in #504, #543, and #547

🔧 Dependency Updates

• Gradle Wrapper updates:
  • From 8.10 to 8.12 via multiple PRs by @github-actions (#506, #516, #533, and #559).
• Library and action updates by @dependabot:
  • CycloneDX Core Java: From 9.0.5 to 10.1.0 (#526, #550, #560)
  • Actions: Setup Java, Checkout, Upload Artifact, and Gradle Actions (#507, #518, #556, and more)
  • Commons-IO and Commons-Codec libraries (#515, #537, #561)

🧑‍💻 New Contributors

• @TheManWhoStaresAtCode made their first contribution in #504
• @gordonrousselle made their first contribution in #532
• @jeremylong made their first contribution in #539
• @barblin made their first contribution in #520

📜 Full Changelog

• build(deps): bump org.cyclonedx.bom from 1.9.0 to 1.10.0 by @dependabot in #499
• Update Gradle Wrapper from 8.10 to 8.10.1 by @github-actions in #506
• build(deps): bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #507
• Introduce code formatting constraints by @skhokhlov in #508
• build(deps): bump com.gradle.plugin-publish from 1.2.1 to 1.3.0 by @dependabot in #512
• build(deps): bump gradle/actions from 4.0.0 to 4.1.0 by @dependabot in #513
• Update Gradle Wrapper from 8.10.1 to 8.10.2 by @github-actions in #516
• refactor: decouple methods and add debug logging by @skhokhlov in #510
• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #518
• build(deps): bump gradle-update/update-gradle-wrapper-action from 1.0.20 to 2.0.0 by @dependabot in #514
• build(deps): bump commons-io:commons-io from 2.16.1 to 2.17.0 by @dependabot in #515
• build(deps): bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #517
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 9.0.5 to 9.1.0 by @dependabot in #526
• build(deps): bump actions/upload-artifact from 4.3.6 to 4.4.3 by @dependabot in #524
• build(deps): bump actions/checkout from 4.2.0 to 4.2.1 by @dependabot in #522
• fix typos in README.md by @TheManWhoStaresAtCode in #504
• build(deps): bump actions/setup-java from 4.4.0 to 4.5.0 by @dependabot in #531
• build(deps): bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #530
• Update Gradle Wrapper from 8.10.2 to 8.11 by @github-actions in #533
• build(deps): bump gradle/actions from 4.1.0 to 4.2.0 by @dependabot in #534
• Update Gradle Wrapper from 8.11 to 8.11.1 by @github-actions in #538
• Feat/new implementation cyclonedx bom by @gordonrousselle in #532
• build(deps): bump gradle/actions from 4.2.0 to 4.2.1 by @dependabot in #536
• build(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0 by @dependabot in #537
• fix: use lenient artifact view by @jeremylong in #539
• fix: use configured componentVersion in PURL by @jeremylong in #542
• docs: document parameter to resolve build warnings by @jeremylong in #543
• fix: avoid using deprecated tools section by @jeremylong in #544
• build: prepare version 2.0.0-alpha-0 by @skhokhlov in #545
• feat: add git external reference. by @barblin in #520
• docs: fix vcs git docu and some spelling errors by @barblin in #547
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 9.1.0 to 10.0.0 by @dependabot in #550
• feat: retrieve build-system metadata from build environment by @jeremylong in #546
• Version 2.0.0-alpha-1 by @skhokhlov in #552
• build(deps): bump org.junit.jupiter:junit-jupiter-engine from 5.11.3 to 5.11.4 by @dependabot in #553
• build(deps): bump org.junit.jupiter:junit-jupiter-api from 5.11.3 to 5.11.4 by @dependabot in #554
• build(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0 by @dependabot in #555
• build(deps): bump gradle/actions from 4.2.1 to 4.2.2 by @dependabot in #556
• build(deps): bump actions/setup-java from 4.5.0 to 4.6.0 by @dependabot in #557
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 10.0.0 to 10.1.0 by @dependabot in #560
• build(deps): bump commons-codec:commons-codec from 1.17.1 to 1.17.2 by @dependabot in #561
• build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0 by @dependabot in #564
• Update Gradle Wrapper from 8.11.1 to 8.12 by @github-actions in #559
• build: prepare release version 2.0.0 by @skhokhlov in #566

cyclonedx-gradle-plugin-1.10.0...cyclonedx-gradle-plugin-2.0.0

2.0.0-alpha-1

What's Changed

• feat: add git external reference. by @barblin in #520
• docs: fix vcs git docu and some spelling errors by @barblin in #547
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 9.1.0 to 10.0.0 by @dependabot in #550
• feat: retrieve build-system metadata from build environment by @jeremylong in #546

New Contributors

• @barblin made their first contribution in #520

Full Changelog: cyclonedx-gradle-plugin-2.0.0-alpha-0...cyclonedx-gradle-plugin-2.0.0-alpha-1

2.0.0-alpha-0

Features

• Support for Gradle configuration cache by @gordonrousselle in #532

Bug Fixes

• Fix incorrect dependency resolution #367 by @gordonrousselle in #532
• Fix incorrect dependency loop handling #528 by @gordonrousselle in #532
• fix: use lenient artifact view by @jeremylong in #539
• fix: avoid using deprecated tools section by @jeremylong in #544

Other Changes

• build(deps): bump org.cyclonedx.bom from 1.9.0 to 1.10.0 by @dependabot in #499
• Update Gradle Wrapper from 8.10 to 8.10.1 by @github-actions in #506
• build(deps): bump actions/setup-java from 4.2.2 to 4.3.0 by @dependabot in #507
• Introduce code formatting constraints by @skhokhlov in #508
• build(deps): bump com.gradle.plugin-publish from 1.2.1 to 1.3.0 by @dependabot in #512
• build(deps): bump gradle/actions from 4.0.0 to 4.1.0 by @dependabot in #513
• Update Gradle Wrapper from 8.10.1 to 8.10.2 by @github-actions in #516
• refactor: decouple methods and add debug logging by @skhokhlov in #510
• build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #518
• build(deps): bump gradle-update/update-gradle-wrapper-action from 1.0.20 to 2.0.0 by @dependabot in #514
• build(deps): bump commons-io:commons-io from 2.16.1 to 2.17.0 by @dependabot in #515
• build(deps): bump actions/setup-java from 4.3.0 to 4.4.0 by @dependabot in #517
• build(deps): bump org.cyclonedx:cyclonedx-core-java from 9.0.5 to 9.1.0 by @dependabot in #526
• build(deps): bump actions/upload-artifact from 4.3.6 to 4.4.3 by @dependabot in #524
• build(deps): bump actions/checkout from 4.2.0 to 4.2.1 by @dependabot in #522
• fix typos in README.md by @TheManWhoStaresAtCode in #504
• build(deps): bump actions/setup-java from 4.4.0 to 4.5.0 by @dependabot in #531
• build(deps): bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot in #530
• Update Gradle Wrapper from 8.10.2 to 8.11 by @github-actions in #533
• build(deps): bump gradle/actions from 4.1.0 to 4.2.0 by @dependabot in #534
• Update Gradle Wrapper from 8.11 to 8.11.1 by @github-actions in #538
• Feat/new implementation cyclonedx bom by @gordonrousselle in #532
• build(deps): bump gradle/actions from 4.2.0 to 4.2.1 by @dependabot in #536
• build(deps): bump commons-io:commons-io from 2.17.0 to 2.18.0 by @dependabot in #537
• fix: use configured componentVersion in PURL by @jeremylong in #542
• docs: document parameter to resolve build warnings by @jeremylong in #543

New Contributors

• @TheManWhoStaresAtCode made their first contribution in #504
• @gordonrousselle made their first contribution in #532
• @jeremylong made their first contribution in #539

Full Changelog: cyclonedx-gradle-plugin-1.10.0...cyclonedx-gradle-plugin-2.0.0-alpha-0

1.10.0

Features

• Order components and dependencies by purl and ref to have reproducible output by @emirmx in #457
• feat: add includeMetadataResolution property by @skhokhlov in #477

Bug Fixes

• Include local project dependencies as components #432 by @loicrouchon in #474
• fix: check that plugin.properties file exists by @skhokhlov in #489

Other Changes

• build(deps): bump org.cyclonedx.bom from 1.8.2 to 1.9.0 by @dependabot in #473
• chore: add proper configuration for thread lock by @skhokhlov in #476
• build: update gradle actions by @skhokhlov in #475
• build(deps): bump actions/upload-artifact from 4.3.4 to 4.3.5 by @dependabot in #480
• build(deps): bump actions/setup-java from 4.2.1 to 4.2.2 by @dependabot in #483
• build(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6 by @dependabot in #484
• build(deps): migrate to gradle actions v4 by @skhokhlov in #486
• build: run dependency-submission only on master branch by @skhokhlov in #488
• chore: run thread lock less frequent by @skhokhlov in #490
• build: run dependency-submission only on master by @skhokhlov in #491
• build(deps): bump actions/setup-java from 4.2.1 to 4.2.2 by @dependabot in #487
• Update Gradle Wrapper from 8.9 to 8.10 by @github-actions in #492
• build: bump cyclonedx-core-java to 9.0.5 by @skhokhlov in #493
• Update issue templates by @skhokhlov in #494
• build(deps): bump org.apache.maven:maven-core from 3.9.8 to 3.9.9 by @dependabot in #496

New Contributors

• @emirmx made their first contribution in #457

Full Changelog: cyclonedx-gradle-plugin-1.9.0...cyclonedx-gradle-plugin-1.10.0