Is your feature request related to a problem? Please describe.
If I build an SBOM for a library, I do not want to have non-bundled components listed as if they were concrete.
These dependencies are "external" (a feature since CycloneDX 1.7: `$.components[].isExternal`), and their version is not known: it is resolved at install time.
Also, the transitive dependencies of those are not known until install time.
This should be reflected in the SBOM.
Describe the solution you'd like
Spec: CycloneDX/specification#321
Add an option that results in:
- only the bundled dependencies and the direct dependencies as components in the SBOM result.
- direct dependencies' components having no version.
- direct dependencies' components having a version range (#321).
- direct dependencies being marked as "extraneous" (#321).
- the dependency composition completeness being set to "incomplete_first_party_only" (see https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf, page 59).
The option could be called (list of ideas):
- `--library-mode`
- `--mark-extraneous`
- `--bundled-only`
- add your idea in the comments
The new option MUST imply `--omit dev` and must cause
The new option MUST be disabled by default.
The new option MUST be marked as experimental in the help page.
The new option might set `--mc-type=library`.
Describe alternatives you've considered
- We could make the existing option `--mc-type=library` cause this behaviour by default, but that would be a breaking change.
Additional context
for libraries, non-bundled components are "extraneous" - this is discussed in #321
package.json knows the concept of:
- dependencies
- bundleDependencies: definitely shipped
- peerDependencies: definitely extraneous
  - they can be optional, in addition. Example:
        "peerDependenciesMeta": {
          "webpack-cli": {
            "optional": true
          }
        }
- devDependencies: no intention to be shipped; might shadow all of the above at build time.
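Added sketch of how the requested library mode could classify the package.json categories above into SBOM components (example code written for this issue, not part of the cyclonedx-node-npm code base). The manifest and the resolved-version map are constructed; `versionRange` on external components is an assumed field name pending #321, while `isExternal`, `scope` and the `incomplete_first_party_only` aggregate are from the spec and this issue.

```javascript
// Constructed sample manifest for a library package.
const SAMPLE_PACKAGE_JSON = {
  name: "my-lib",
  version: "2.0.0",
  dependencies: { "lodash": "^4.17.0", "left-pad": "1.3.0", "ajv": "^8.0.0" },
  bundleDependencies: ["left-pad"],
  peerDependencies: { "webpack": ">=5", "webpack-cli": "^5.0.0" },
  peerDependenciesMeta: { "webpack-cli": { optional: true } },
  devDependencies: { "jest": "^29.0.0" },
};

// Constructed: concrete versions found in node_modules at build time.
const SAMPLE_INSTALLED = { "left-pad": "1.3.0", "lodash": "4.17.21", "ajv": "8.12.0", "jest": "29.7.0" };

function buildLibrarySbom(pkg, installed) {
  const bundled = new Set(pkg.bundleDependencies || []);
  const components = [];
  // Bundled dependencies ship inside the package tarball: concrete, known version.
  for (const name of bundled) {
    components.push({ type: "library", name, version: installed[name] });
  }
  // Remaining direct dependencies and peerDependencies are resolved by the
  // consumer at install time: no concrete version, flagged external, and their
  // transitive closure is deliberately not walked.
  const external = { ...(pkg.dependencies || {}), ...(pkg.peerDependencies || {}) };
  for (const [name, range] of Object.entries(external)) {
    if (bundled.has(name)) continue;
    const optional = Boolean(pkg.peerDependenciesMeta?.[name]?.optional);
    components.push({
      type: "library",
      name,
      isExternal: true,
      versionRange: range, // assumed field name, see spec #321
      scope: optional ? "optional" : "required",
    });
  }
  // devDependencies are omitted entirely (the option implies --omit dev).
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.7",
    metadata: { component: { type: "library", name: pkg.name, version: pkg.version } },
    components,
    // Only first-party (bundled) content is complete; external parts are not.
    compositions: [{ aggregate: "incomplete_first_party_only" }],
  };
}
```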
Contribution