feat: set devDependencies component.scope to excluded #1151

Open
jkowalleck opened this issue Feb 8, 2024 · 4 comments
Labels
enhancement New feature or request good first issue Good for newcomers hacktoberfest help wanted Extra attention is needed

Comments

@jkowalleck
Member

jkowalleck commented Feb 8, 2024

Is your feature request related to a problem? Please describe.

Per CycloneDX specification, the components' scope means (see docs)

  • "required": The component is required for runtime
  • "optional": The component is optional at runtime. Optional components are components that are not capable of being called due to them not be installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.
  • "excluded": Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.

The current implementation does not set any scope, meaning the fallback is "required".
For dev-dependencies this would be wrong.

Describe the solution you'd like

Mark all components that are dev-dependencies only as "excluded" in the resulting SBOM.

Describe alternatives you've considered

none


@jkowalleck jkowalleck added enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed labels Feb 8, 2024
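To make the requested behaviour concrete, here is an added example (not code from cyclonedx-node-npm or the CycloneDX library) that derives a CycloneDX component.scope from the dependency flags npm writes into a package-lock.json with lockfileVersion 2 or 3: packages reachable only through devDependencies carry `dev: true`, packages reachable only through optionalDependencies carry `optional: true`, packages that are both a dev dependency and an optional dependency of a non-dev dependency carry `devOptional: true`, and regular runtime dependencies carry none of these flags. The function names, the sample lockfile and the decision to map `devOptional` to "optional" rather than "excluded" are assumptions made for this example, not something the issue specifies.

```javascript
// Added example (not cyclonedx-node-npm code): derive a CycloneDX component.scope
// from the dependency flags npm writes into package-lock.json (lockfileVersion 2/3).
//   dev: true          -> reachable only via devDependencies
//   optional: true     -> reachable only via optionalDependencies
//   devOptional: true  -> a dev dependency that is also an optional dependency
//                         of a non-dev dependency (so still reachable at runtime)
//   no flag            -> a regular runtime dependency

// Scope values exactly as spelled in the CycloneDX specification.
const SCOPE = Object.freeze({
  REQUIRED: 'required',
  OPTIONAL: 'optional',
  EXCLUDED: 'excluded',
});

// Map one lockfile `packages` entry to a CycloneDX scope.
// Assumption (not from the issue): devOptional packages stay reachable at runtime
// through the optional path, so they become "optional", not "excluded".
function scopeForLockEntry(entry) {
  if (entry.dev === true) return SCOPE.EXCLUDED;
  if (entry.optional === true || entry.devOptional === true) return SCOPE.OPTIONAL;
  return SCOPE.REQUIRED;
}

// Walk the `packages` map of a parsed lockfile and return
// { "<node_modules path>": "<scope>" } for every dependency.
// The root entry (key "") is the project itself and is skipped.
function scopesFromLockfile(lock) {
  if (lock.lockfileVersion !== 2 && lock.lockfileVersion !== 3) {
    throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}; need 2 or 3`);
  }
  const out = {};
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;
    out[path] = scopeForLockEntry(entry);
  }
  return out;
}

// Constructed sample lockfile for this example (not taken from a real project).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'demo-app',
      dependencies: { express: '^4.18.2' },
      devDependencies: { jest: '^29.7.0' },
      optionalDependencies: { fsevents: '^2.3.3' },
    },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/jest': { version: '29.7.0', dev: true },
    'node_modules/fsevents': { version: '2.3.3', optional: true },
    'node_modules/semver': { version: '7.6.0', devOptional: true },
  },
};

const scopes = scopesFromLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(scopes, null, 2));
```

Run with `node scopes.js` (any file name); each entry prints with the scope the issue asks for, "excluded" for the dev-only jest, "required" for express, and "optional" for the two optional paths.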
@ARRY7686

Hey @jkowalleck, I saw the issue and would really like to contribute. Can you assign it to me and add a Hacktoberfest label?

@jkowalleck
Member Author

> Hey @jkowalleck, I saw the issue and would really like to contribute. Can you assign it to me and add a Hacktoberfest label?

done. have fun.

@ARRY7686

I have completed the issue and will make the PR by tomorrow, 10:00am.

ARRY7686 added a commit to ARRY7686/cyclonedx-node-npm that referenced this issue Oct 1, 2024
This commit modifies the component scope for devDependencies in the BomBuilder class. The code now ensures that dev dependencies are marked as excluded. This change improves the handling of devDependencies in the CycloneDX library.

Related issue: CycloneDX#1151
@jkowalleck
Member Author

This issue is free for all.
In case multiple people want to work on this, feel free to use this very ticket to message each other.
