Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: mark devDependencies as "excluded" in SBOM results #1222

Closed
wants to merge 1 commit into from
Closed

Fix: mark devDependencies as "excluded" in SBOM results #1222

wants to merge 1 commit into from

Conversation

ARRY7686
Copy link

@ARRY7686 ARRY7686 commented Oct 1, 2024

Description:

This pull request addresses the issue #1151, where devDependencies in the Software Bill of Materials (SBOM) were incorrectly marked as required. According to the CycloneDX specification, devDependencies should be marked with the excluded scope since they are not required at runtime but used for development or testing purposes.

Changes Implemented:

Modified the makeComponent method in src/builders.ts to set the scope of devDependencies to excluded.
Added a conditional check for dev dependencies, ensuring they are marked as excluded in the generated SBOM.
Commented out the original logic that omitted devDependencies entirely, which was not compliant with the SBOM specification.

Testing Performed:

Verified the SBOM generation for projects with both regular and devDependencies.
Ensured that regular dependencies are marked as required and devDependencies are correctly marked as excluded in the generated SBOM.
Screenshot from 2024-10-01 23-13-00
All the tests have been passed

Issue Reference:
This pull request fixes #1151.

@ARRY7686
refactor: Modify component scope for devDependencies
96f11a6 
This commit modifies the component scope for devDependencies in the BomBuilder class. The code now ensures that dev dependencies are marked as excluded. This change improves the handling of devDependencies in the CycloneDX library.

Related issue: CycloneDX#1151
@ARRY7686 ARRY7686 requested a review from a team as a code owner October 1, 2024 20:40
@ARRY7686
Copy link
Author

ARRY7686 commented Oct 1, 2024

Hey @jkowalleck Resubmitting the PR really sorry for the errors in previous one, I have tried my best this time, just forgot to signoff the branch will do it at the earliest once you approve that the changes are valid.

@jkowalleck jkowalleck mentioned this pull request Oct 2, 2024
Closed
@jkowalleck
Copy link
Member

supersedes #1222

@jkowalleck
Copy link
Member

jkowalleck commented Oct 2, 2024
edited
Loading

@ARRY7686 ,
please follow our contribution guidelines.

Please sign off your commits, to show that you agree to publish your changes under the current terms and licenses of the project , and to indicate agreement with Developer Certificate of Origin (DCO).
read more here: https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/CONTRIBUTING.md#sign-off-your-commits

see instructions on how to sign-off already pushed commits here: https://github.com/CycloneDX/cyclonedx-node-npm/pull/1222/checks?check_run_id=30938492442

@jkowalleck
Copy link
Member

I am closing this pull request.

The changes do not have any effect on the code, nor do they affect the result.

@jkowalleck jkowalleck closed this Oct 2, 2024
@ARRY7686 ARRY7686 deleted the devdependies_issue_solve branch October 2, 2024 10:37
@jkowalleck
Copy link
Member

feel free to open another pull request that actually solves #1222

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat: set devDependencies component.scope to excluded
2 participants
@ARRY7686 @jkowalleck