This is an automated email from the ASF dual-hosted git repository.
jdaugherty pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/grails-core.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new f9d6f95033 fix: make dependencies reproducible for sbom
f9d6f95033 is described below
commit f9d6f950331d70d72ee6cf829f7f3de510565bea
Author: James Daugherty <[email protected]>
AuthorDate: Wed Oct 15 14:05:43 2025 -0400
fix: make dependencies reproducible for sbom
---
.../main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git
a/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
b/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
index 00c171b865..de2e17d980 100644
---
a/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
+++
b/build-logic/plugins/src/main/groovy/org/apache/grails/buildsrc/SbomPlugin.groovy
@@ -217,7 +217,7 @@ class SbomPlugin implements Plugin<Project> {
// components[*].licenses
def comps = (bom instanceof Map && bom.components
instanceof List) ? bom.components : []
comps.each { c ->
- if (c instanceof Map && c.licenses instanceof List
&& !(c.licenses as List).isEmpty()) {
+ if (c instanceof Map && c.licenses instanceof List
&& !(c.licenses as List).empty) {
def chosen = pickLicense(task, c['bom-ref'] as
String, c.licenses as List)
if (chosen != null) {
c.licenses = [chosen]
@@ -225,6 +225,14 @@ class SbomPlugin implements Plugin<Project> {
}
}
+ // dependencies[*].dependsOn is not reproducible, so
sort it
+ def dependencies = (bom instanceof Map &&
bom.dependencies instanceof List) ? bom.dependencies : []
+ dependencies.each { d ->
+ if(d instanceof Map && d.dependsOn instanceof List
&& !(d.dependsOn as List).empty) {
+ d.dependsOn = (d.dependsOn as List).sort()
+ }
+ }
+
// force the serialNumber to be reproducible by
removing it & recalculating
bom['serialNumber'] = ''
def withOutSerial =
JsonOutput.prettyPrint(JsonOutput.toJson(bom))
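Review bot: Only each entry's `dependsOn` is sorted in the new loop, so the output stays order-dependent if the top-level `dependencies` list (or an entry's `provides` list, where present) can be emitted in a different order between builds; whether the generator does that is not visible from this hunk. The `serialNumber` appears to be recalculated from the serialized `bom` just below, so any remaining ordering difference would change it and defeat byte-for-byte verification of the published SBOM. If the outer list is not already stable, it could be normalised as well, e.g. `(bom.dependencies as List).sort { (it instanceof Map ? it.ref : it) as String }`. As a style point, the new `if(d instanceof Map …` lacks the space after `if` that the `if (c instanceof Map …` check above uses. The enclosing method starts and ends outside the hunk.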