# community-support
k
Hi all, I am trying to generate SBOM output on each of the Spring Boot repos with a bash script. The script contains an init.gradle section that essentially injects a CycloneDX plugin with the necessary CycloneDX config on all the repositories so that SBOMs can be generated. Below is the init.gradle snippet that applies the plugin with the relevant config:

```groovy
apply plugin: org.cyclonedx.gradle.CycloneDxPlugin

cyclonedxBom {
    // includeConfigs is the list of configuration names to include when generating the BOM (leave empty to include every configuration), regex is supported
    includeConfigs = ["runtimeClasspath"]
    // skipConfigs is a list of configuration names to exclude when generating the BOM, regex is supported
    skipConfigs = ["compileClasspath", "testCompileClasspath"]
    // skipProjects is a list of project names to exclude when generating the BOM
    skipProjects = [rootProject.name, "yourTestSubProject"]
    // Specifies the type of project being built. Defaults to 'library'
    projectType = "application"
    // Specifies the version of the CycloneDX specification to use. Defaults to '1.6'
    schemaVersion = "1.6"
    // BOM destination directory. Defaults to 'build/reports'
    destination = file("build/reports")
    // The file name for the generated BOMs (before the file format suffix). Defaults to 'bom'
    outputName = project.name
    // The file format generated, can be xml, json or all for generating both. Defaults to 'all'
    outputFormat = "json"
    // Include BOM Serial Number. Defaults to 'true'
    includeBomSerialNumber = false
    // Include License Text. Defaults to 'true'
    includeLicenseText = true
}
```

The outputName and destination above are set for all repos. In most cases, the Spring Boot repos around here do not have the CycloneDX plugin in build.gradle. But in the case of the Spring PetClinic app, the build.gradle already contains CycloneDX as a plugin.
The problem is that my bash script tries to inject the CycloneDX plugin when there is already a CycloneDX plugin present in build.gradle for the PetClinic app. And the PetClinic app comes with a default CycloneDX config which sets the outputName and destination to somewhere else. Therefore, when the script runs, it fails because it is looking at the wrong output path for the SBOM. Is there any way that Gradle allows overriding the existing plugin configuration, so my script can override it with the CycloneDX config it has? Thanks!
v
You probably have to wrap your config in an evil `afterEvaluate { ... }` and hope for the best, so that your configuration is done after the configuration the project build script is doing and your config wins.
k
Thanks. There is no guarantee that the scheduling always happens in an order where my config gets applied after the project build script, correct? With Spring projects having many plugins and custom build logic, I am not sure if this would always work across the various projects. Are you aware of any alternative solution instead of afterEvaluate?
v
I think your logic always runs first currently. With afterEvaluate it will run after everything that calls afterEvaluate before you or doesn't call it at all, but it will run before anything that calls afterEvaluate after you. Just the typical race conditions you have when using afterEvaluate.
k
I see. Should I include both the apply plugin statement and the cyclonedxBom config within the afterEvaluate so it would run later?
v
The plugin application shouldn't matter; plugins are only applied once anyway, and any additional attempt to apply them is a no-op.