Comments (15)

mvarblow avatar mvarblow commented on May 18, 2024 2

@jlperkins, the use case is that you're constructing an SBOM which is meant to contain only the software dependencies which you actually distribute with your product. You use a package manager (e.g. NuGet or npm) to obtain both dependencies which ship with the product and dependencies which are used only to build your product. If the SBOM tool includes all the dependencies from the npm and nuget manifests without filtering out the dev/build dependencies, then the SBOM will be misleading. It will not accurately reflect the dependencies which are included in the product you're distributing.

from sbom-tool.

karlmoor-cisco avatar karlmoor-cisco commented on May 18, 2024 1

The component detection documentation seems to suggest that test dependencies are at least flagged up at that stage as being development dependencies. Couldn't this be exposed as an argument, to respect this flag and to include or exclude them based on this? At the minute, it appears test dependencies in maven are not treated any differently and are added to the sbom.

> Components tagged as a test dependency are marked as development dependencies.

https://github.com/microsoft/component-detection/blob/7537eed5e6becb8eb1dd6662e5ef6d346776b097/docs/detectors/maven.md

mvarblow avatar mvarblow commented on May 18, 2024 1

@jlperkins See my comment above. It's certainly a use case that we're very interested in. And it seems like a fairly common use case. For example, see the -omit parameter on the npm-sbom generator:

https://docs.npmjs.com/cli/v10/commands/npm-sbom#omit

Are you willing to consider reopening this issue?

mvarblow avatar mvarblow commented on May 18, 2024 1

Adding to the comments above... what we're really interested in is excluding the npm devDependencies. These dependencies are used for building our web assets but are not distributed with the application. Including them in the SBOM (along with all the dependencies of the devDependencies) significantly bloats the generated SBOM with information that is, frankly, misleading/inaccurate.

aasim avatar aasim commented on May 18, 2024

@sachinshaji You are correct, currently we don't have a way to separate out dev/stage dependencies from production.

edgarrs avatar edgarrs commented on May 18, 2024

@ksigmund, I think you work on a feature to filter out packages from SBOM specifying the exceptions in the command line, right?

ksigmund avatar ksigmund commented on May 18, 2024

What I'd added was a way to specify additional arguments to component detection.

edgarrs avatar edgarrs commented on May 18, 2024

@sachinshaji, would the ability to exclude folders for dependencies detection help you in this case?

sachinshaji avatar sachinshaji commented on May 18, 2024

Sorry to say that it didn't. Our dev/stage/prod dependencies are present in a single file, so the mentioned approach couldn't solve the issue.
Thanks for the response.

edgarrs avatar edgarrs commented on May 18, 2024

@daneshbadlani to follow up to see if there are other component detectors other than maven that flag test or development dependencies

karlmoor-cisco avatar karlmoor-cisco commented on May 18, 2024

> @daneshbadlani to follow up to see if there are other component detectors other than maven that flag test or development dependencies

There appears to be an open ticket against this. I would suggest that it's the component detection project's issue and sbom-tool is aligned to that. Once that issue is resolved, it's just a case of pulling in the new version of their code.

microsoft/component-detection#198

edgarrs avatar edgarrs commented on May 18, 2024

Once component detectors add this functionality we will prioritize the integration with the sbom tool.

karlmoor-cisco avatar karlmoor-cisco commented on May 18, 2024

> Once component detectors add this functionality we will prioritize the integration with the sbom tool.

Would it make sense to comment on the related ticket as such? Whilst it shows a linkage, nobody will necessarily know that this is the case.

mvarblow avatar mvarblow commented on May 18, 2024

I see that the component-detection library has a feature they call "development dependencies labeling". And it is implemented for several of the detectors, including npm.

https://github.com/microsoft/component-detection/blob/main/docs/feature-overview.md

Could this be used to exclude npm "devDependencies"? It seems like that would be necessary to get useful output from sbom-tool. This is all we're currently lacking to filter out dev dependencies. Or can it already be done?

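The two comments above (mvarblow's on excluding npm `devDependencies`, and the question about using component-detection's "development dependencies labeling") both come down to the same operation: identify which lockfile entries are development-only and drop them, plus their relationships, from the generated SBOM. The script below is an added illustration of that post-processing step; it is not code from sbom-tool or component-detection. It assumes an npm `package-lock.json` in the lockfileVersion 3 shape, where npm marks packages reachable only through `devDependencies` with `"dev": true`, and an SPDX 2.3 JSON document whose packages carry purl external references (the sample lockfile and SBOM are constructed here for the example; the document namespace is a placeholder).

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 shape), not from any real project.
# npm sets "dev": true on every package that is reachable only via devDependencies,
# including transitive ones (acorn and @webassemblyjs/ast are pulled in by webpack only).
SAMPLE_LOCK = json.loads("""
{
  "name": "webapp", "version": "1.0.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "webapp", "version": "1.0.0",
         "dependencies": {"express": "^4.18.2"},
         "devDependencies": {"webpack": "^5.88.0"}},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/body-parser": {"version": "1.20.1"},
    "node_modules/webpack": {"version": "5.88.0", "dev": true},
    "node_modules/acorn": {"version": "8.10.0", "dev": true},
    "node_modules/@webassemblyjs/ast": {"version": "1.11.6", "dev": true}
  }
}
""")


def _purl_ref(locator):
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
            "referenceLocator": locator}


# Constructed SPDX 2.3 subset describing the same project, as an SBOM generator might emit it
# before any dev-dependency filtering. documentNamespace is a placeholder value.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "webapp 1.0.0",
    "documentNamespace": "https://example.invalid/sbom/webapp",
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "webapp", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-express", "name": "express", "versionInfo": "4.18.2",
         "externalRefs": [_purl_ref("pkg:npm/express@4.18.2")]},
        {"SPDXID": "SPDXRef-Package-body-parser", "name": "body-parser", "versionInfo": "1.20.1",
         "externalRefs": [_purl_ref("pkg:npm/body-parser@1.20.1")]},
        {"SPDXID": "SPDXRef-Package-webpack", "name": "webpack", "versionInfo": "5.88.0",
         "externalRefs": [_purl_ref("pkg:npm/webpack@5.88.0")]},
        {"SPDXID": "SPDXRef-Package-acorn", "name": "acorn", "versionInfo": "8.10.0",
         "externalRefs": [_purl_ref("pkg:npm/acorn@8.10.0")]},
        {"SPDXID": "SPDXRef-Package-webassemblyjs-ast", "name": "@webassemblyjs/ast",
         "versionInfo": "1.11.6",
         "externalRefs": [_purl_ref("pkg:npm/%40webassemblyjs/ast@1.11.6")]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-express"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-webpack"},
        {"spdxElementId": "SPDXRef-Package-express", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-body-parser"},
        {"spdxElementId": "SPDXRef-Package-webpack", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-acorn"},
        {"spdxElementId": "SPDXRef-Package-webpack", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-webassemblyjs-ast"},
    ],
}


def lock_package_name(path):
    """Map a lockfile path such as 'node_modules/a/node_modules/@s/b' to the package name '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def npm_purl(name, version):
    """Build a package URL; the purl spec percent-encodes the '@' of a scoped npm name."""
    encoded = "%40" + name[1:] if name.startswith("@") else name
    return f"pkg:npm/{encoded}@{version}"


def dev_only_purls(lock):
    """purls of every lockfile entry npm flagged as development-only.

    A package needed by both a production and a dev dependency is not flagged, so it
    is correctly retained; only packages unreachable from production code are listed.
    """
    return {npm_purl(lock_package_name(path), meta["version"])
            for path, meta in lock["packages"].items()
            if path and meta.get("dev")}


def package_purls(pkg):
    return {ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"}


def strip_dev_dependencies(sbom, dev_purls):
    """Return (filtered SBOM, sorted dropped SPDXIDs).

    Packages whose purl matches a dev-only entry are removed, and every relationship that
    points at a removed package is removed too, so the document has no dangling references.
    """
    kept, dropped = [], set()
    for pkg in sbom["packages"]:
        if package_purls(pkg) & dev_purls:
            dropped.add(pkg["SPDXID"])
        else:
            kept.append(pkg)
    relationships = [rel for rel in sbom.get("relationships", [])
                     if rel["spdxElementId"] not in dropped
                     and rel["relatedSpdxElement"] not in dropped]
    return dict(sbom, packages=kept, relationships=relationships), sorted(dropped)


if __name__ == "__main__":
    filtered, removed = strip_dev_dependencies(SAMPLE_SBOM, dev_only_purls(SAMPLE_LOCK))
    print("removed:", removed)
    print("remaining packages:", [p["name"] for p in filtered["packages"]])
```

Matching on purl rather than on bare name avoids dropping a production package that happens to share a name with a dev-only one at a different version; the dangling-relationship cleanup matters because SPDX consumers reject documents whose `DEPENDS_ON` edges reference SPDXIDs that no longer exist.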
jlperkins avatar jlperkins commented on May 18, 2024

Current SBOM team is unaware of a use case where we want to filter anything out of an SBOM. More information needed to reassess.
