
adjust bom generation to only use runtime #14809

Merged
Siedlerchr merged 7 commits into main from cylconeDxConfig on Jan 5, 2026

Conversation

Siedlerchr (Member) commented Jan 5, 2026

User description

Only generate runtime configuration bom

Closes _____

Steps to test

Mandatory checks

  • I own the copyright of the code submitted and I license it under the MIT license
  • [.] I manually tested my changes in running JabRef (always required)
  • [.] I added JUnit tests for changes (if applicable)
  • [.] I added screenshots in the PR description (if change is visible to the user)
  • [.] I described the change in CHANGELOG.md in a way that is understandable for the average user (if change is visible to the user)
  • [.] I checked the user documentation: Is the information available and up to date? If not, I created an issue at https://github.com/JabRef/user-documentation/issues or, even better, I submitted a pull request updating file(s) in https://github.com/JabRef/user-documentation/tree/main/en.

PR Type

Enhancement


Description

  • Reformats build.gradle.kts with improved code formatting
  • Configures CycloneDX BOM generation to include runtime and compile classpath
  • Excludes test-related and rewrite configurations from SBOM
  • Improves readability through multi-line parameter formatting

Diagram Walkthrough

flowchart LR
  A["build.gradle.kts"] -->|"Add CycloneDX config"| B["includeConfigs: runtimeClasspath, compileClasspath"]
  A -->|"Add CycloneDX config"| C["skipConfigs: test and rewrite configs"]
  A -->|"Reformat"| D["Multi-line parameter formatting"]

File Walkthrough

Relevant files

Configuration changes: build.gradle.kts (+43/-12)
Configure CycloneDX BOM and reformat build script
  • Reformatted dependency declarations and task configurations with improved multi-line formatting
  • Added includeConfigs to CycloneDX BOM task specifying runtimeClasspath and compileClasspath
  • Added skipConfigs to exclude test-related and rewrite configurations from SBOM generation
  • Enhanced code readability through consistent indentation and parameter separation

qodo-free-for-open-source-projects (Bot, Contributor) commented Jan 5, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance: 🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance: 🟡
🎫 #13109
🔴 Add Pseudonymization functionality to the CLI
  • Make org.jabref.logic.pseudonymization.Pseudonymization available on the CLI
  • Provide similar CLI experience to the consistency check
  • Implement similar to org.jabref.cli.CheckConsistency class

Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed

Compliance status legend:
  🟢 - Fully Compliant
  🟡 - Partially Compliant
  🔴 - Not Compliant
  ⚪ - Requires Further Human Verification
  🏷️ - Compliance label

qodo-free-for-open-source-projects (Bot, Contributor) commented Jan 5, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: High-level
Suggestion: PR content mismatches linked issue

The PR's changes, which focus on build configuration, do not match the linked
issue about adding a new CLI feature. The PR should be linked to a relevant
issue that describes its actual purpose.

Examples:

build.gradle.kts [1-99]
plugins {
    id("org.jabref.gradle.base.repositories")
    id("org.jabref.gradle.feature.compile") // for openrewrite
    id("org.openrewrite.rewrite") version "7.23.0"
    id("org.itsallcode.openfasttrace") version "3.1.0"
    id("org.cyclonedx.bom") version "3.1.0"
}

// OpenRewrite should rewrite all sources
// This is the behavior when applied in the root project (https://docs.openrewrite.org/reference/gradle-plugin-configuration#multi-module-gradle-projects)

 ... (clipped 89 lines)

Solution Walkthrough:

Before:

// PR is linked to Issue #13109: "Add Pseudonymization to CLI"

// PR content in build.gradle.kts:
allprojects {
    tasks.cyclonedxDirectBom {
        includeConfigs =
            listOf(
                "runtimeClasspath",
                "compileClasspath"
            )
        skipConfigs =
            listOf(
                "testRuntimeClasspath",
                ...
            )
    }
}

After:

// PR should be linked to a new or relevant issue, e.g., "Configure CycloneDX BOM generation"

// PR content in build.gradle.kts remains the same:
allprojects {
    tasks.cyclonedxDirectBom {
        includeConfigs =
            listOf(
                "runtimeClasspath",
                "compileClasspath"
            )
        skipConfigs =
            listOf(
                "testRuntimeClasspath",
                ...
            )
    }
}
Suggestion importance [1-10]: 10

Why: The suggestion correctly identifies a critical mismatch between the PR's build script changes and the linked issue's goal of adding a new CLI feature, which is a fundamental problem blocking any meaningful review.

Impact: High
Category: Possible issue
Suggestion: Refine SBOM to exclude compile-only dependencies

Suggestion Impact: The suggestion was directly implemented. The commit removed "compileClasspath" from the includeConfigs list (line 50 deleted) in the cyclonedxDirectBom task configuration, exactly as suggested. Additionally, the commit added two more configurations to skipConfigs ("mockitoAgent" and "antlr"), which goes beyond the suggestion but aligns with the goal of refining the SBOM.

code diff:

@@ -78,14 +66,15 @@
         includeConfigs =
             listOf(
                 "runtimeClasspath",
-                "compileClasspath"
             )
         skipConfigs =
             listOf(
                 "testRuntimeClasspath",
                 "testCompileClasspath",
                 "testImplementation",
-                "rewrite"
+                "rewrite",
+                "mockitoAgent",
+                "antlr"
             )
     }
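Review bot: With includeConfigs reduced to runtimeClasspath alone, the skipConfigs entries for testRuntimeClasspath, testCompileClasspath, testImplementation and rewrite no longer change the result, because the CycloneDX Gradle plugin only walks the configurations named in includeConfigs; either drop them or keep them with a comment saying they are defensive. The two new entries "mockitoAgent" and "antlr" are not mentioned in the PR description and carry no comment in the script; a one-line comment above skipConfigs naming them as build- and test-time tooling configurations would tell the next reader why they are kept out of the shipped-artifact SBOM.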

Remove compileClasspath from the includeConfigs list in the cyclonedxDirectBom
task to ensure the generated SBOM only contains runtime dependencies and is more
accurate.

build.gradle.kts [77-91]

 tasks.cyclonedxDirectBom {
     includeConfigs =
         listOf(
-            "runtimeClasspath",
-            "compileClasspath"
+            "runtimeClasspath"
         )
     skipConfigs =
         listOf(
             "testRuntimeClasspath",
             "testCompileClasspath",
             "testImplementation",
             "rewrite"
         )
 }
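Review bot: The suggestion drops "compileClasspath" from includeConfigs but does not state the trade-off, which belongs in the suggestion text: a BOM restricted to runtimeClasspath describes what the application actually ships, so vulnerability matches against it reflect real exposure, while anything resolved only on compileClasspath disappears from the inventory entirely. If build-time dependencies are ever to be tracked as well, that should be a separate BOM rather than a reason to put compileClasspath back here. The diff as shown also leaves testCompileClasspath in skipConfigs, which is redundant once compile configurations are no longer included at all.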

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance [1-10]: 8

Why: The suggestion correctly identifies that including compileClasspath can lead to an inaccurate SBOM by including compile-only dependencies, which could cause false positives in security scans.

Impact: Medium
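A check a reviewer could run against the regenerated SBOM files after this change, as an added example that is not JabRef's code: it parses two CycloneDX JSON documents (constructed samples embedded inline, not the project's real SBOM output) and lists the components that a BOM built with compileClasspath carries over a runtime-only one, which are exactly the scanner false positives the suggestion refers to.

```python
"""Diff two CycloneDX JSON BOMs: which components does a compile-scoped BOM list
that the runtime-only BOM does not?  Added example, not JabRef code."""
import json

# Constructed sample: BOM generated with includeConfigs = ["runtimeClasspath"]
RUNTIME_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
         "version": "2.0.0", "purl": "pkg:maven/org.slf4j/slf4j-api@2.0.0"},
        {"type": "library", "group": "org.postgresql", "name": "postgresql",
         "version": "42.0.0", "purl": "pkg:maven/org.postgresql/postgresql@42.0.0"},
    ],
})

# Constructed sample: same build with compileClasspath also included; the extra
# entry is a compile-only artifact that never ships with the application.
COMPILE_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api",
         "version": "2.0.0", "purl": "pkg:maven/org.slf4j/slf4j-api@2.0.0"},
        {"type": "library", "group": "org.postgresql", "name": "postgresql",
         "version": "42.0.0", "purl": "pkg:maven/org.postgresql/postgresql@42.0.0"},
        {"type": "library", "group": "org.jspecify", "name": "jspecify",
         "version": "1.0.0"},  # no purl: identity falls back to coordinates
    ],
})


def component_key(component: dict) -> str:
    """Stable identity for a component: its purl, else group/name@version."""
    if component.get("purl"):
        return component["purl"]
    return f"{component.get('group', '')}/{component['name']}@{component.get('version', '')}"


def component_keys(bom_json: str) -> set[str]:
    """Parse a CycloneDX JSON document and return its set of component keys."""
    bom = json.loads(bom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_key(c) for c in bom.get("components", [])}


def compile_only_components(runtime_bom: str, compile_bom: str) -> list[str]:
    """Components the compile-scoped BOM adds over the runtime one: entries a
    vulnerability scanner would flag even though they never ship."""
    return sorted(component_keys(compile_bom) - component_keys(runtime_bom))
```

Run it against the committed SBOM before and after the change by loading the two files into `compile_only_components`; an empty result means the runtime-only BOM already covers everything the old one did.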

Siedlerchr changed the title from "adjust bom generation" to "adjust bom generation to only use runtime" on Jan 5, 2026
koppor previously approved these changes Jan 5, 2026

koppor (Member) left a comment:

I just overlooked the trailing comma 😅

Siedlerchr enabled auto-merge January 5, 2026 21:18
Siedlerchr requested a review from koppor January 5, 2026 21:18
Siedlerchr disabled auto-merge January 5, 2026 22:34
Siedlerchr merged commit d8c1532 into main Jan 5, 2026
52 checks passed
Siedlerchr deleted the cylconeDxConfig branch January 5, 2026 22:34
Siedlerchr added a commit that referenced this pull request Jan 6, 2026
…es/jablib/src/main/resources/csl-locales-50e46eb

* upstream/main: (119 commits)
  chore(sbom): update CycloneDX SBOM files (#14813)
  Add "preferences" constant to ServiceLocator initialization (#14810)
  adjust bom generation to only use runtime (#14809)
  Remove (nearly) obsolete hint in ghprcomment.yml
  Update dependency org.apache.commons:commons-lang3 to v3.20.0 (#14808)
  Fix Nullwarnings - B (#14802)
  Add https
  Add ouput
  Fix stale (again)
  Fix output
  Fix re-downloading of ltwa file
  Chore(deps): Bump jablib/src/main/resources/csl-styles from `9bb1fc1` to `0201999` (#14796)
  Chore(deps): Bump org.ow2.asm:asm from 9.9 to 9.9.1 in /versions (#14799)
  Chore(deps): Bump org.controlsfx:controlsfx in /versions (#14800)
  Chore(deps): Bump org.postgresql:postgresql in /versions (#14798)
  Chore(deps): Bump jablib/src/main/abbrv.jabref.org (#14795)
  Chore(deps): Bump org.apache.logging.log4j:log4j-to-slf4j in /versions (#14797)
  Chore(deps): Bump org.apache.commons:commons-text from 1.14.0 to 1.15.0 in /versions (#14801)
  fix postgres for arm (#14792)
  Docs: minor grammar and clarity fixes in privacy policy (#14786)
  ...