--exclude-type doesn't work #1260

Closed
evyaroshevich opened this issue Jul 22, 2024 · 5 comments · Fixed by #1298

Comments

@evyaroshevich

After updating cdxgen to version 10.8.0+ and the addition of multi-module support, I can no longer exclude certain modules. I have a multi-project on Maven, but one of its submodules includes stub builds for Gradle and SBT. I am trying to use the parameters --exclude-type gradle --exclude-type sbt, but cdxgen ignores them.
Here is the full command: cdxgen --output sbom.json --noBanner --recurse --no-babel --exclude Dockerfile --exclude-type gradle --exclude-type sbt --required-only --timeout-ms 360000 --debug-mode debug --validate --include-formulation.

log:
Looking for project/build.properties
Looking for /builds/project/subproject1/build.properties
Detected sbt version: null
/root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/node_modules/semver/classes/semver.js:19
throw new TypeError(`Invalid version. Must be a string. Got type "${typeof version}".`)
^
TypeError: Invalid version. Must be a string. Got type "object".
at new SemVer (/root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/node_modules/semver/classes/semver.js:19:13)
at compare (/root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/node_modules/semver/functions/compare.js:3:3)
at gte (/root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/node_modules/semver/functions/gte.js:2:30)
at createJavaBom (file:///root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/index.js:2093:30)
at createMultiXBom (file:///root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/index.js:5462:23)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async createBom (file:///root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/index.js:6387:16)
at async file:///root/.nvm/versions/node/v20.15.1/lib/node_modules/@cyclonedx/cdxgen/bin/cdxgen.js:495:20
Node.js v20.15.1
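
The log above shows a detected version of null reaching a strict version comparison, which throws and ends the whole run. The sketch below is an added example, not cdxgen or node-semver code: `parseVersion`, `strictGte`, `safeGte` and `demo` are hypothetical names, the comparator is a simplified stand-in, and the minimum version "1.0.0" is a constructed sample value.

```javascript
// Added illustration; hypothetical helpers, not cdxgen or node-semver source.

// Parse "MAJOR.MINOR.PATCH" into numbers; return null for anything else.
function parseVersion(value) {
  if (typeof value !== "string") {
    return null; // null, undefined, objects: no version was detected
  }
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(value.trim());
  return m ? m.slice(1).map(Number) : null;
}

// Strict comparison that fails the way the log shows: a non-string input
// raises TypeError, and typeof null is "object".
function strictGte(a, b) {
  for (const v of [a, b]) {
    if (typeof v !== "string") {
      throw new TypeError(
        `Invalid version. Must be a string. Got type "${typeof v}".`);
    }
  }
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new TypeError("Invalid version");
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] > pb[i];
  }
  return true;
}

// Guarded comparison: an undetected version yields `fallback` instead of
// aborting the SBOM run in CI.
function safeGte(detected, minimum, fallback = false) {
  if (parseVersion(detected) === null) return fallback;
  return strictGte(detected, minimum);
}

// Constructed inputs: a missing version, as in "Detected sbt version: null".
function demo() {
  let strictError = null;
  try { strictGte(null, "1.0.0"); } catch (e) { strictError = e.message; }
  return {
    strictError,
    missing: safeGte(null, "1.0.0"),
    older: safeGte("0.13.18", "1.0.0"),
    newer: safeGte("1.9.0", "1.0.0"),
  };
}
```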

@prabhu
Collaborator

prabhu commented Jul 22, 2024

I don't think exclude-type is supported at a granular package manager level yet. Can you invoke with -t maven and share the output?

@evyaroshevich
Author

@prabhu -t maven doesn't work. This setting also captures the gradle and sbt config files and breaks.

@prabhu
Collaborator

prabhu commented Jul 23, 2024

Thank you. Could you kindly share a project to reproduce the issue? Also test with the master branch.

@evyaroshevich
Author

I can't provide my project for testing because it is commercial. To reproduce this error, you can take the project https://github.com/2much2learn/article_dec_28_mavengradle-based-multi-module-spring-boot-microservices.git; there is a Gradle and a Maven file. And with the -t maven option, it scans the Gradle configuration too.
I have one script, cdxgen, that works on many of my projects, so I don't want to include the -t maven option in the general script, because I have many different programming languages. I would like to exclude problem areas that break my CI/CD through the --exclude-type option.

prabhu mentioned this issue Jul 23, 2024
@prabhu
Collaborator

prabhu commented Jul 23, 2024

I have added some fixes as part of #1264. Non-trivial effort is required to support package manager level exclude, so will keep this issue open till there is some sponsorship or contributions.

prabhu linked a pull request Aug 7, 2024 that will close this issue
prabhu closed this as completed Aug 7, 2024