Scope property is always being set to required

[thompson-tomo]

In my project I have a number of packagereference which has the privateAssets/excludedAssets property set to all yet when I look at the bom which is generated it has the scope property set to required for all components.

[github-actions]

This issue is stale because it has been open for 3 months with no activity.

[thompson-tomo]

@mtsfoni how is this progressing?

[mtsfoni]

#847 and #848 basically has the solution to the problem that we discussed regarding figuring out what is a dev dependency and what not. Unfortunately, the PR is like 90% done, if is recall correctly.

After that, I planned to introduce an enum CLI-argument, so users can decide how to handle dev dependencies.
Options would be so far:

• Completely excluded from SBOM (this might be the default option for now)
• Marked with Scope-Excluded
• Regularly Included

After checking with different people in the CycloneDX core group, I got different answers how to handle dev-dependencies and what e.g. excluded scope is meant for (Somewhere it said for components that must be added to the scope of delivery). Hence, I just want to give the full control about that to the user.

Unfortunately, I'm busy with updating the cdx-dotnet-library to version 1.6 before I can put a lot of time into the tool again.
Maybe check out said PR and see what it still needs to be finished? I think it was just minor details there.

[thompson-tomo]

Ok thanks for the update @mtsfoni I might see if I can determine what is outstanding to help it along.

[github-actions]

This issue is stale because it has been open for 3 months with no activity.

[thompson-tomo]

Still awaiting for solution

[github-actions]

This issue is stale because it has been open for 3 months with no activity.