Prevent 'cyclonedxBom' Gradle task to be launched during the test execution

[celcius112]

When applying the CycloneDX Gradle plugin, a ./gradlew test will launch the cyclonedxBom, as the test task depends on processResources, which is now dependent of cyclonedxBom. This can be visualized using this plugin:

:test
+--- :classes
|    +--- :compileJava
|    \--- :processResources
|         \--- :cyclonedxBom
+--- :compileJava *
+--- :compileTestJava
|    +--- :classes *
|    \--- :compileJava *
\--- :testClasses
     +--- :compileTestJava *
     \--- :processTestResources

This behaviour is not blocking in any way (unless the Cyclone task fails unexpectedly), but is a strange one to see in our CI/CD.

It is of course possible to exclude this task using ./gradlew test -x cyclonedxBom.

[philwebb]

I wonder if we should refine our logic so that only task that create the archive call the cyclonedxBom task.

[mhalbritter]

We had that in the past: #40890

We'd need to run the task in bootJar, bootWar and bootRun.

[mhalbritter]

I have something working in https://github.com/mhalbritter/spring-boot/tree/mh/45026-prevent-cyclonedxbom-gradle-task-to-be-launched-during-the-test-execution - SBOM is now only executed on bootJar, bootWar and bootRun tasks.

For bootRun I had to resort to a small trick: there's a task called copySbom which copies the sbom from the CycloneDx task to a tmp directory under META-INF/sbom and then configures bootRun to add this to the classpath. Directly using the output from the CycloneDx isn't possible because it's missing the META-INF/sbom directory.

Should we label this issue as a bug or an enhancement?