
Dev/stage/prod dependencies

Open sachinshaji opened this issue 3 years ago • 10 comments

Is there a way to filter out dependencies? In my case I want to include only production dependencies and opt out dev/stage dependencies. Is that a possible option? I believe by default Microsoft SBOM generator will capture all dependencies and generate BOM.

sachinshaji avatar Jul 25 '22 04:07 sachinshaji

@sachinshaji You are correct, currently we don't have a way to separate out dev/stage dependencies from production.

aasim avatar Jul 25 '22 17:07 aasim

@ksigmund , I think you work on a feature to filter out packages from SBOM specifying the exceptions in the command line, right?

edgarrs avatar Jul 26 '22 18:07 edgarrs

What I'd added was a way to specify additional arguments to component detection.

ksigmund avatar Jul 26 '22 21:07 ksigmund

@sachinshaji , would the ability to exclude folders for dependencies detection help you in this case?

edgarrs avatar Aug 02 '22 17:08 edgarrs

Sorry to say that it didn't. Our dev/stage/prod dependencies are present in a single file so the mentioned approach couldn't solve the issue. Thanks for the response

sachinshaji avatar Aug 03 '22 05:08 sachinshaji

The component detection documentation seems to suggest that test dependencies are at least flagged up at that stage as being development dependencies. Couldn't this be exposed as an argument, to respect this flag and to include or exclude them based on this? At the minute, it appears test dependencies in maven are not treated any differently and are added to the sbom.

Components tagged as a test dependency are marked as development dependencies.

https://github.com/microsoft/component-detection/blob/7537eed5e6becb8eb1dd6662e5ef6d346776b097/docs/detectors/maven.md

karlmoor-cisco avatar Aug 12 '22 12:08 karlmoor-cisco

@daneshbadlani to follow up to see if there are other component detectors other than maven that flag test or development dependencies

edgarrs avatar Aug 16 '22 17:08 edgarrs

@daneshbadlani to follow up to see if there are other component detectors other than maven that flag test or development dependencies

There appears to be an open ticket against this. I would suggest that it's the component detection project's issue and sbom-tool is aligned to that. Once that issue is resolved, it's just a case of pulling in the new version of their code.

https://github.com/microsoft/component-detection/issues/198

karlmoor-cisco avatar Aug 17 '22 08:08 karlmoor-cisco

Once component detectors add this functionality, we will prioritize the integration with the sbom tool.

edgarrs avatar Aug 23 '22 17:08 edgarrs

Once component detectors add this functionality, we will prioritize the integration with the sbom tool.

Would it make sense to comment on the related ticket as such? Whilst it shows a linkage, nobody will necessarily know that this is the case.

karlmoor-cisco avatar Aug 24 '22 08:08 karlmoor-cisco
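The thread leaves the original question open: sbom-tool emits every detected package, and the only hook for distinguishing test/dev packages is the development-dependency flag that component detection raises for some ecosystems (Maven in the linked docs). Until that flag is carried through to the generated SBOM, the practical option is to post-process the output. The script below is an added example and is not code from the sbom-tool or component-detection projects or from anyone in this thread. It assumes an SPDX 2.2 JSON document in which development-only packages are recorded with the standard SPDX relationship type DEV_DEPENDENCY_OF and production edges with DEPENDS_ON, and that the document lists its root package(s) under documentDescribes; the SBOM it processes is constructed for the example (package names, versions and SPDXIDs are made up). It keeps only packages reachable from the root over DEPENDS_ON edges without passing through a dev-flagged package, so transitive test-only dependencies (hamcrest, pulled in only by junit) are dropped as well.

```python
"""Post-process an SPDX 2.2 JSON SBOM to keep only production dependencies.

Added example, not code from the sbom-tool or component-detection projects.
Assumptions: dev-only packages carry a DEV_DEPENDENCY_OF relationship,
production edges are DEPENDS_ON, and the root package(s) appear in
documentDescribes. The sample document below is constructed.
"""
import json
import sys
from collections import deque

# Constructed sample: a Maven-style project whose test scope (junit, hamcrest)
# is flagged as a development dependency; lib-a and lib-b ship in production.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app 1.0",
    "documentDescribes": ["SPDXRef-RootPackage"],
    "packages": [
        {"SPDXID": "SPDXRef-RootPackage", "name": "example-app", "versionInfo": "1.0"},
        {"SPDXID": "SPDXRef-Package-A", "name": "lib-a", "versionInfo": "2.3"},
        {"SPDXID": "SPDXRef-Package-B", "name": "lib-b", "versionInfo": "0.9"},
        {"SPDXID": "SPDXRef-Package-junit", "name": "junit", "versionInfo": "4.13"},
        {"SPDXID": "SPDXRef-Package-hamcrest", "name": "hamcrest-core", "versionInfo": "1.3"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-A"},
        {"spdxElementId": "SPDXRef-Package-A", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-B"},
        # junit is test-scoped; hamcrest is reachable only through junit.
        {"spdxElementId": "SPDXRef-Package-junit", "relationshipType": "DEV_DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-Package-junit", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-hamcrest"},
    ],
}


def production_package_ids(doc):
    """SPDXIDs reachable from the described root(s) over DEPENDS_ON edges
    without passing through a package flagged DEV_DEPENDENCY_OF."""
    rels = doc.get("relationships", [])
    dev_ids = {r["spdxElementId"] for r in rels
               if r["relationshipType"] == "DEV_DEPENDENCY_OF"}
    edges = {}
    for r in rels:
        if r["relationshipType"] == "DEPENDS_ON":
            edges.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])

    kept = set()
    queue = deque(rid for rid in doc.get("documentDescribes", []) if rid not in dev_ids)
    while queue:  # breadth-first walk of the production dependency graph
        pid = queue.popleft()
        if pid in kept:
            continue
        kept.add(pid)
        for child in edges.get(pid, []):
            if child not in dev_ids and child not in kept:
                queue.append(child)
    return kept


def filter_production(doc):
    """Return a copy of the SBOM with only production packages and the
    relationships whose endpoints both survive (the input is not mutated)."""
    kept = production_package_ids(doc)
    all_ids = {p["SPDXID"] for p in doc.get("packages", [])}
    dropped = all_ids - kept
    out = dict(doc)
    out["packages"] = [p for p in doc.get("packages", []) if p["SPDXID"] in kept]
    out["relationships"] = [
        r for r in doc.get("relationships", [])
        if r["spdxElementId"] not in dropped and r["relatedSpdxElement"] not in dropped
    ]
    return out


if __name__ == "__main__":
    # Usage: python filter_sbom.py manifest.spdx.json > production.spdx.json
    # (falls back to the constructed sample when no path is given)
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    json.dump(filter_production(source), sys.stdout, indent=2)
```

One caveat worth checking before relying on the filtered output: a package that is both a test dependency and a runtime dependency is excluded here as soon as it carries a DEV_DEPENDENCY_OF relationship, so compare the dropped set against the build's own runtime scope before publishing the trimmed SBOM, and keep the unfiltered document as the full record of what was scanned.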