
I’m trying to create a BOM file for the Android portion of a Flutter project for security scanning.

I added org.cyclonedx.bom (a gradle plugin) to gradle and I’m running the cyclonedxBom gradle task, but I’m getting an error:


Execution failed for task ':app:cyclonedxBom'.
> Could not resolve all dependencies for configuration ':app:apiDependenciesMetadata'.
   > Could not resolve project :flutter_udid.
     Required by:
         project :app
      > The consumer was configured to find a usage of 'kotlin-metadata' of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'common'. However we cannot choose between the following variants of project :flutter_udid:
          - debugApiElements
          - profileApiElements
          - releaseApiElements
        All of them match the consumer attributes:
          - Variant 'debugApiElements' capability de.gigadroid.flutterudid:flutter_udid:1.0-SNAPSHOT declares an API of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
              - Unmatched attributes:
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'debug' but the consumer didn't ask for it
                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it
          - Variant 'profileApiElements' capability de.gigadroid.flutterudid:flutter_udid:1.0-SNAPSHOT declares an API of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
              - Unmatched attributes:
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'profile' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'profile' but the consumer didn't ask for it
                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it
          - Variant 'releaseApiElements' capability de.gigadroid.flutterudid:flutter_udid:1.0-SNAPSHOT declares an API of a library, as well as attribute 'org.jetbrains.kotlin.platform.type' with value 'androidJvm':
              - Unmatched attributes:
                  - Provides attribute 'com.android.build.api.attributes.BuildTypeAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'com.android.build.api.attributes.VariantAttr' with value 'release' but the consumer didn't ask for it
                  - Provides attribute 'org.gradle.jvm.environment' with value 'android' but the consumer didn't ask for it

Dependencies in gradle look like

    dependencies {
        classpath 'com.android.tools.build:gradle:4.2.0'
        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
        // Firebase
        classpath 'com.google.gms:google-services:4.3.15'
        classpath 'org.cyclonedx.bom:org.cyclonedx.bom.gradle.plugin:1.7.4'
    }

    apply plugin: 'com.android.application'
    apply plugin: 'kotlin-android'
    // Firebase
    apply plugin: 'com.google.gms.google-services'
    // BOM generation https://github.com/CycloneDX/cyclonedx-gradle-plugin
    apply plugin: 'org.cyclonedx.bom'
    apply from: "$flutterRoot/packages/flutter_tools/gradle/flutter.gradle"

How can I configure the project to generate me a BOM for the release version?

2 Answers


  1. The error message suggests that the consumer (your project) is unable to resolve the dependencies for the :app:apiDependenciesMetadata configuration, specifically the :flutter_udid module. It seems that the org.cyclonedx.bom plugin is encountering difficulties determining the appropriate variant of the flutter_udid module to use.

    To configure the project to generate a Bill of Materials (BOM) for the release version, you can specify the desired variant in your Gradle configuration. Add the following code to your app’s build.gradle file:

    configurations {
        // Configure the BOM generation for the release variant
        releaseBomMetadata.extendsFrom(apiElements.get().withVariantConstraints {
            // Constrain the variant to release
            it.attributes {
                attribute(org.jetbrains.kotlin.platform.type, 'androidJvm')
                attribute(com.android.build.api.attributes.BuildTypeAttr, 'release')
            }
        })
    }
    

    This configuration creates a new configuration named releaseBomMetadata that extends from the existing apiElements configuration. It sets constraints on the variant attributes to match the release variant of the flutter_udid module.

    After adding this configuration, you can run the cyclonedxBom Gradle task again, and it should generate a BOM for the release version.

    Note: Make sure to replace releaseBomMetadata with a name of your choice if you prefer a different name for the configuration.

    Login or Signup to reply.
  2.

    configurations {
        // Configure the BOM generation for the release variant
        releaseBomMetadata.extendsFrom(getConfigurations().getByName('apiElements').withVariantConstraints {
            // Constrain the variant to release
            it.attributes {
                attribute(org.jetbrains.kotlin.platform.type, 'androidJvm')
                attribute(com.android.build.api.attributes.BuildTypeAttr, 'release')
            }
        })
    }
    

    Replace ‘releaseBomMetadata’ with the desired name for the configuration if you prefer a different name.

    After making these changes, try running the cyclonedxBom Gradle task again, and it should generate a BOM for the release version without the previous error.

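An added example, not part of the original question or either answer and not the plugin project's own code: one way to limit the `cyclonedxBom` task to the release dependency graph through the plugin's `cyclonedxBom` extension block. It assumes the Android Gradle Plugin's standard `releaseRuntimeClasspath` configuration name and the `includeConfigs`, `projectType`, `destination`, `outputName` and `outputFormat` options from the CycloneDX Gradle plugin README; the output name `bom-release` is made up for the example.

```groovy
// app/build.gradle, below: apply plugin: 'org.cyclonedx.bom'
//
// With no filter the task resolves every resolvable configuration of :app,
// including ':app:apiDependenciesMetadata' from the error above. That request
// carries no BuildTypeAttr, so debugApiElements, profileApiElements and
// releaseApiElements of :flutter_udid all match and resolution fails.
cyclonedxBom {
    // Resolve only the configuration that describes what ships in a release
    // build. 'releaseRuntimeClasspath' is the Android Gradle Plugin's name for
    // the release variant's runtime classpath (assumed here; check the names
    // your project has with: ./gradlew :app:dependencies).
    includeConfigs = ["releaseRuntimeClasspath"]

    // The Flutter Android module is an application, not a library.
    projectType = "application"

    // Where the BOM is written and what it is called (example values).
    destination = file("build/reports")
    outputName = "bom-release"
    outputFormat = "json"
}
```

Run `./gradlew :app:cyclonedxBom` and hand `app/build/reports/bom-release.json` to the scanner. Debug-only and test-only dependencies are left out, so findings map to what the release build actually ships.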