Skip to content

[FEATURE] library mode #252

Description

@jkowalleck

Is your feature request related to a problem? Please describe.

if i build a SBOM for a library, i do not want to have non-bundled component listed as if they were concrete.
These dependencies are "external" (a feature sincce CycloneDX 1.7 - $.components[].isExternal) and the version of them is not clear - it is resolved on install-time .
Also, transitive dependencies of those are not clear until install-time.

This should be reflected in the SBOM.

Describe the solution you'd like

Spec: CycloneDX/specification#321

add a n option to have

  • only the bundled dependencies and the direct dependencies as components in the SBOM result.
  • direct dependencies' components must have no version.
  • direct dependencies's components must have a version range - #321
  • direct dependencies are marked as "extraneous" - #321
  • the dependency composition completeness is set to "incomplete_first_party_only" - see https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf page 59

option could be called (list of ideas)

  • --library-mode
  • --mark-extraneous
  • --bundled-only
  • add your idea in the comments

new option MUST imply --omit dev and must cause

new option MUST be disabled bu default
new option MUST be marked as experimental in help page
new option might set `--mc-type=library'

Describe alternatives you've considered

  • we could make it, so that the existing option `--mc-type=library' causes this behaviour by default, but that would be a breaking change

Additional context

for libraries, non-bundled components are "extraneous" - this is discussed in #321

package.json knows the concept of

  • dependencies
  • bundleDependencies - definitely shipped
  • peerDependencies - definitely extraneous
    • they can be optional, in addition. example:
      "peerDependenciesMeta": {
        "webpack-cli": {
          "optional": true
        }
      }
      
  • devDependencies - no intention to be shipped.
    might shadow allof the above on build-time

Contribution

  • I am willing to provide an implementation
  • I will wait until somebody else implements it

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions