Comments (15)
@jlperkins, the use case is that you're constructing an SBOM which is meant to contain only the software dependencies which you actually distribute with your product. You use a package manager (e.g. NuGet or npm) to obtain both dependencies which ship with the product and dependencies which are used only to build your product. If the SBOM tool includes all the dependencies from the npm and NuGet manifests without filtering out the dev/build dependencies, then the SBOM will be misleading. It will not accurately reflect the dependencies which are included in the product you're distributing.
from sbom-tool.
The component detection documentation seems to suggest that test dependencies are at least flagged up at that stage as being development dependencies. Couldn't this be exposed as an argument, to respect this flag and to include or exclude them based on this? At the minute, it appears test dependencies in Maven are not treated any differently and are added to the SBOM.
Components tagged as a test dependency are marked as development dependencies.
from sbom-tool.
@jlperkins See my comment above. It's certainly a use case that we're very interested in. And it seems like a fairly common use case. For example, see the -omit parameter on the npm-sbom generator:
https://docs.npmjs.com/cli/v10/commands/npm-sbom#omit
Are you willing to consider reopening this issue?
from sbom-tool.
Adding to the comments above... what we're really interested in is excluding the npm devDependencies. These dependencies are used for building our web assets but are not distributed with the application. Including them in the SBOM (along with all the dependencies of the devDependencies) significantly bloats the generated SBOM with information that is, frankly, misleading/inaccurate.
from sbom-tool.
@sachinshaji You are correct, currently we don't have a way to separate out dev/stage dependencies from production.
from sbom-tool.
@ksigmund, I think you worked on a feature to filter out packages from the SBOM by specifying the exceptions on the command line, right?
from sbom-tool.
What I'd added was a way to specify additional arguments to component detection.
from sbom-tool.
@sachinshaji , would the ability to exclude folders for dependencies detection help you in this case?
from sbom-tool.
Sorry to say that it didn't. Our dev/stage/prod dependencies are present in a single file so the mentioned approach couldn't solve the issue.
Thanks for the response
from sbom-tool.
@daneshbadlani to follow up to see if there are other component detectors other than maven that flag test or development dependencies
from sbom-tool.
There appears to be an open ticket against this. I would suggest that it's the component detection project's issue and sbom-tool is aligned to that. Once that issue is resolved, it's just a case of pulling in the new version of their code.
microsoft/component-detection#198
from sbom-tool.
Once component detectors add this functionality, we will prioritize the integration with the sbom tool.
from sbom-tool.
Would it make sense to comment on the related ticket as such. Whilst it shows a linkage, nobody will necessarily know that this is the case.
from sbom-tool.
I see that the component-detection library has a feature they call "development dependencies labeling". And it is implemented for several of the detectors, including npm.
https://github.com/microsoft/component-detection/blob/main/docs/feature-overview.md
Could this be used to exclude npm "devDependencies"? It seems like that would be necessary to get useful output from sbom-tool. This is all we're currently lacking to filter out dev dependencies. Or can it already be done?
from sbom-tool.
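Until the tool can act on component-detection's development-dependency labels, the practical workaround for the npm case raised above (excluding devDependencies and everything only they pull in) is to post-process the SPDX JSON that sbom-tool writes. The script below is an added example, not part of sbom-tool or component-detection: it recomputes the production closure from package-lock.json with npm's nearest-ancestor node_modules resolution, derives the set of dev-only purls, and drops those packages and any relationship touching them. The lock file, the SPDX fragment and the SPDXRef identifiers are constructed sample data; the only assumption about sbom-tool's output is the purl-in-externalRefs shape that its SPDX documents use.

```python
"""Strip npm dev-only packages from an SPDX 2.2 JSON SBOM (added example, not sbom-tool code)."""
import json
from typing import Dict, Optional, Set, Tuple

# Constructed sample package-lock.json (lockfileVersion 3 layout, trimmed).
# express is a production dependency; jest is dev-only. Both depend on "debug",
# at different versions: jest's copy is nested under its own node_modules.
SAMPLE_LOCK = {
    "name": "webapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.2"}, "devDependencies": {"jest": "^29.7.0"}},
        "node_modules/express": {"version": "4.18.2", "dependencies": {"debug": "2.6.9"}},
        "node_modules/debug": {"version": "2.6.9"},
        "node_modules/jest": {"version": "29.7.0", "dependencies": {"debug": "^4.3.4"}},
        "node_modules/jest/node_modules/debug": {"version": "4.3.4"},
    },
}


def _pkg(name: str, version: str) -> Dict:
    """Constructed SPDX package entry in the externalRefs/purl shape sbom-tool emits.
    The SPDXID scheme here is made up for the sample; sbom-tool uses its own IDs."""
    return {"name": name, "SPDXID": f"SPDXRef-Package-{name}-{version}", "versionInfo": version,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": f"pkg:npm/{name}@{version}"}]}


def _rel(src: str, kind: str, dst: str) -> Dict:
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}


# Constructed SPDX 2.2 fragment: everything in the lock file, as sbom-tool would list it today.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "webapp 1.0.0",
    "packages": [{"name": "webapp", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.0.0"},
                 _pkg("express", "4.18.2"), _pkg("debug", "2.6.9"),
                 _pkg("jest", "29.7.0"), _pkg("debug", "4.3.4")],
    "relationships": [
        _rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-RootPackage"),
        _rel("SPDXRef-RootPackage", "DEPENDS_ON", "SPDXRef-Package-express-4.18.2"),
        _rel("SPDXRef-Package-express-4.18.2", "DEPENDS_ON", "SPDXRef-Package-debug-2.6.9"),
        _rel("SPDXRef-RootPackage", "DEPENDS_ON", "SPDXRef-Package-jest-29.7.0"),
        _rel("SPDXRef-Package-jest-29.7.0", "DEPENDS_ON", "SPDXRef-Package-debug-4.3.4"),
    ],
}


def _resolve(lock_pkgs: Dict, from_path: str, dep: str) -> Optional[str]:
    """npm resolution: the nearest node_modules/<dep> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in lock_pkgs:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")          # step up one nesting level
        base = base[:idx] if idx >= 0 else ""


def production_closure(lock: Dict) -> Set[str]:
    """Lock-file paths reachable from the root's production dependencies only."""
    pkgs = lock["packages"]
    prod: Set[str] = set()
    stack = [p for d in pkgs[""].get("dependencies", {}) if (p := _resolve(pkgs, "", d))]
    while stack:
        path = stack.pop()
        if path in prod:
            continue
        prod.add(path)
        for dep in pkgs[path].get("dependencies", {}):
            nxt = _resolve(pkgs, path, dep)
            if nxt and nxt not in prod:
                stack.append(nxt)
    return prod


def purl_for(path: str, entry: Dict) -> str:
    name = path.rsplit("node_modules/", 1)[1]          # keeps "@scope/name" intact
    return f"pkg:npm/{name.replace('@', '%40')}@{entry['version']}"


def dev_only_purls(lock: Dict) -> Set[str]:
    """purls present in the lock file but not reachable from production deps.
    Comparing by purl (name@version) keeps a version that is both hoisted for
    prod and nested for dev, while still dropping dev-only versions."""
    pkgs = lock["packages"]
    prod_purls = {purl_for(p, pkgs[p]) for p in production_closure(lock)}
    return {purl_for(p, e) for p, e in pkgs.items() if p and purl_for(p, e) not in prod_purls}


def strip_dev_packages(sbom: Dict, dev_purls: Set[str]) -> Tuple[Dict, Set[str]]:
    """Return a copy of the SBOM without dev-only packages and their relationships."""
    def purl_of(pkg: Dict) -> Optional[str]:
        return next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
    dropped = {p["SPDXID"] for p in sbom["packages"] if purl_of(p) in dev_purls}
    out = dict(sbom)
    out["packages"] = [p for p in sbom["packages"] if p["SPDXID"] not in dropped]
    out["relationships"] = [r for r in sbom.get("relationships", [])
                            if r["spdxElementId"] not in dropped and r["relatedSpdxElement"] not in dropped]
    return out, dropped


if __name__ == "__main__":
    trimmed, removed = strip_dev_packages(SAMPLE_SBOM, dev_only_purls(SAMPLE_LOCK))
    print(f"removed {sorted(removed)}")
    print(json.dumps(trimmed, indent=2))
```

Run this against the real files by loading package-lock.json and the manifest.spdx.json sbom-tool produced, and do it before the SBOM is signed, since any later edit invalidates the signature. Cross-check the result against `npm ls --omit=dev` once; the resolution walk above mirrors npm's hoisting rules for `dependencies` only, so projects relying on optional or peer dependencies at runtime should extend the closure to those fields.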
Current SBOM team is unaware of a use case where we want to filter anything out of an SBOM. More information needed to reassess.
from sbom-tool.