Description
Hello!
Currently, if the root project and one of the sub-projects have the same name and group (and the same or no version specified), cdxgen will ignore the sub-project and only run the dependencies task in the root project. This is essentially a "silent" failure, as the generated SBOM will entirely exclude dependencies from the sub-project.
This is because of the way pURLs are created (group/artifact/version).
Example repo: https://github.com/ajmalab/java-test
If you look at the generated SBOM in the repo, you'll see that `com.slack.api:slack-api-client:1.45.4`, which is a dependency of the sub-project with the same name, is missing.
Unsure what the best solution for this would be. There are a couple of thoughts:
- Fail when we detect duplicate pURLs. Ideally a sub-project shouldn't have the same name as the root project (even though Gradle lets you do it). Think this would be the preferred option.
- Follow Gradle's approach: Gradle uses project paths rather than names, so the root project is simply `:`, sub-projects are `:sub-project-a`, `:sub-project-b` etc. Meaning the artifact name could end up being `:` in the pURL, which probably isn't ideal.
Happy to open a PR with the solution if/when there's agreement on the approach.
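The collision described in this issue, and the two options proposed above, as an added example in JavaScript (cdxgen's own language). This is not cdxgen's code; the Gradle project model, the `com.example`/`java-test` coordinates, the dependency lists and the function names are constructed for illustration. It builds Maven pURLs the way the issue describes (group/artifact/version), shows how two projects with identical coordinates collapse into one key so the second project's dependencies are silently dropped, and then demonstrates option 1 (fail on duplicate pURLs) and option 2 (put the Gradle project path into the pURL name, which percent-encodes the leading `:` as `%3A`).

```javascript
// Added example, not cdxgen's code: how a Gradle root project and a
// sub-project that share group/name/version collapse into one Maven pURL,
// and the two remedies proposed in the issue.

// Constructed sample model of a Gradle build, shaped like the issue's repo:
// root and sub-project both resolve to group "com.example", name "java-test".
const SAMPLE_BUILD = [
  { path: ":",          group: "com.example", name: "java-test", version: "1.0.0",
    dependencies: [{ group: "org.slf4j", name: "slf4j-api", version: "2.0.13" }] },
  { path: ":java-test", group: "com.example", name: "java-test", version: "1.0.0",
    dependencies: [{ group: "com.slack.api", name: "slack-api-client", version: "1.45.4" }] },
];

// Minimal Maven pURL builder: pkg:maven/<namespace>/<name>@<version>,
// with each segment percent-encoded as the purl spec requires.
function mavenPurl(group, name, version) {
  const base = `pkg:maven/${encodeURIComponent(group)}/${encodeURIComponent(name)}`;
  return version ? `${base}@${encodeURIComponent(version)}` : base;
}

// pURL for a Gradle project. With usePath, the Gradle project path replaces
// the project name (option 2); the root's path ":" carries no information,
// so the root keeps its name.
function projectPurl(project, usePath = false) {
  const name = usePath && project.path !== ":" ? project.path : project.name;
  return mavenPurl(project.group, name, project.version);
}

// Returns Map<purl, [project paths]> for every pURL claimed by more than one project.
function findDuplicatePurls(projects, usePath = false) {
  const seen = new Map();
  for (const p of projects) {
    const purl = projectPurl(p, usePath);
    seen.set(purl, [...(seen.get(purl) || []), p.path]);
  }
  return new Map([...seen].filter(([, paths]) => paths.length > 1));
}

// Builds Map<project pURL, [dependency pURLs]>.
//   mode "name": the behaviour the issue describes, first project wins,
//                later projects with the same pURL are silently dropped
//   mode "fail": option 1, refuse to emit a BOM when project pURLs collide
//   mode "path": option 2, disambiguate with the Gradle project path
function buildDependencyMap(projects, mode = "name") {
  if (mode === "fail") {
    const dups = findDuplicatePurls(projects, false);
    if (dups.size > 0) {
      const detail = [...dups]
        .map(([purl, paths]) => `${purl} <- ${paths.join(", ")}`)
        .join("; ");
      throw new Error(`Duplicate project pURLs, rename the sub-project: ${detail}`);
    }
  }
  const usePath = mode === "path";
  const deps = new Map();
  for (const p of projects) {
    const purl = projectPurl(p, usePath);
    if (deps.has(purl)) continue; // the silent drop in "name" mode
    deps.set(purl, p.dependencies.map((d) => mavenPurl(d.group, d.name, d.version)));
  }
  return deps;
}

// Every dependency pURL that survived into the map, i.e. what the SBOM would list.
function allDependencyPurls(depMap) {
  return new Set([...depMap.values()].flat());
}

// Stand-alone demonstration of the three modes on the constructed build.
for (const mode of ["name", "fail", "path"]) {
  try {
    const map = buildDependencyMap(SAMPLE_BUILD, mode);
    console.log(mode, [...map.keys()], [...allDependencyPurls(map)]);
  } catch (err) {
    console.log(mode, "->", err.message);
  }
}
```

In "name" mode the slack-api-client pURL never appears, which is exactly the silent omission reported in the issue; "fail" surfaces it as an error naming both project paths; "path" keeps both projects but yields the `%3Ajava-test` artifact name the issue calls not ideal.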