fix: mark devDependencies as "excluded" in SBOM results
#1221
Conversation
|
Please sign off your commits, to show that you agree to publish your changes under the current terms and licenses of the project , and to indicate agreement with Developer Certificate of Origin (DCO). see instructions on how to sign-off already pushed commits here: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1221/checks?check_run_id=30911587611 |
jkowalleck
changed the title
devDependencies as "excluded" in SBOM results
| // } | ||
|
|
||
| // Initialize component with a default value | ||
| let component: Models.Component | undefined = undefined; |
There was a problem hiding this comment.
this new variable, it is assigned but never read.
so it is useless all along.
please remove this unused variable.
There was a problem hiding this comment.
I have to assign the component variable a default value as undefined and then can mark it excluded in necessary place
There was a problem hiding this comment.
did you generate the test results and check if your changes have any effect?
please see https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/CONTRIBUTING.md
Signed-off-by: ARRY7686 [email protected]
|
made the requested changes kindly check |
Signed-off-by: ARRY7686 [email protected] Signed-off-by: ARRY7686 <[email protected]>
…ARRY7686/cyclonedx-node-npm into set_devdependencies_to_excluded
| * branch set_devdependencies_to_excluded -> FETCH_HEAD | ||
| hint: You have divergent branches and need to specify how to reconcile them. | ||
| hint: You can do so by running one of the following commands sometime before | ||
| hint: your next pull: |
There was a problem hiding this comment.
what is this supposed to be?!
|
@ARRY7686 something completely messed up. |
|
I am closing this PR and making a new one with fresh changes |
|
Superseded by #1222 |
Description:
This pull request addresses the issue #1151, where devDependencies in the Software Bill of Materials (SBOM) were incorrectly marked as required. According to the CycloneDX specification, devDependencies should be marked with the excluded scope since they are not required at runtime but used for development or testing purposes.
Changes Implemented:
Modified the makeComponent method in src/builders.ts to set the scope of devDependencies to excluded.
Added a conditional check for dev dependencies, ensuring they are marked as excluded in the generated SBOM.
Commented out the original logic that omitted devDependencies entirely, which was not compliant with the SBOM specification.
Testing Performed:
Verified the SBOM generation for projects with both regular and devDependencies.
Ensured that regular dependencies are marked as required and devDependencies are correctly marked as excluded in the generated SBOM.
Issue Reference:
This pull request fixes #1151.