required-only means no dependencies?

[malice00]

I was working on some issues, when I found the following pieces of code:

cdxgen/index.js

Line 953 in c3c1d95

const dependencies = !options.requiredOnly ? context.dependencies || [] : [];

and

cdxgen/index.js

Lines 1230 to 1236 in c3c1d95

	if (bomJsonObj.dependencies && !options.requiredOnly) {
	dependencies = mergeDependencies(
	dependencies,
	bomJsonObj.dependencies,
	parentComponent
	);
	}

With some testing, it indeed seems that when I run cdxgen with --required-only, no dependencies are added to the SBOM, so no dependency-tree will be available in tools like dependency-track...

Is this intentional? If so, what is the reason to not generate the dependencies?

I have to admit, for my project it doesn't matter if I use --required-only or not, but I would prefer it to work the same either way.

[prabhu]

@malice00, it looks like a shortcut I may have taken a while ago to get things working. Required only should filter both the components and dependencies list. Do you happen to have a test project to reproduce this issue?

[malice00]

@prabhu, you can take any Gradle project and run it with and without --required-only and then compare both the console output and the SBOM.
I can try to get my project tuned down for testing, but it's a react-native app -- which mean multiple layers and steps needed to get it to work. Specifically since I am specifically 'only' interested in the Gradle-part. I'll give it a go in the next couple of days.

[malice00]

Well, was finally able to find the mandatory parts in the projects and strip away the rest. Only pre-requisite is Node (I was running v16.15.0, but any v16 should probably work). Commands are in 'build.sh'.

test.zip

I included 2 SBOMs as well -- one with and one without --required-only.

This project can be used for my other discussion and issue(s) as well -- maybe keep it around for testing other (Gradle-)Issues.

[countfnx]

This issue also applies for JS/TS projects with npm packages. If "--required-only" is set, no dependencies and no devDependencies will be contained in the sbom file.
I looked a little bit into the source code and you already flag the dependencies in the utils.js whether they are optional
const scope = node.dev === true ? "optional" : undefined;

This scope property should somehow be considered when you do the following in the index.js:
const dependencies = !options.requiredOnly ? context.dependencies || [] : [];

[prabhu]

I think the best place to do this is post generation as a filter step. We can utilize both the evidence and the scope attribute to determine if something is required or not. Will take this enhancement next later this week.