Scope property is always being set to required
In my project I have a number of PackageReferences which have the privateAssets/excludedAssets property set to all, yet when I look at the BOM which is generated, it has the scope property set to required for all components.
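A way to check a generated BOM for the behaviour reported above, as an added example that is not code from the issue or from the CycloneDX tool. It assumes that `PrivateAssets="all"` marks a package as a development dependency (a heuristic, not the tool's rule); the project file, BOM and package names are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the issue).
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Example.Analyzers" Version="1.0.0" PrivateAssets="all" />
    <PackageReference Include="Example.BuildTasks" Version="2.1.0">
      <PrivateAssets>All</PrivateAssets>
    </PackageReference>
    <PackageReference Include="Example.Runtime" Version="3.2.1" />
  </ItemGroup>
</Project>"""

# Constructed sample BOM showing the reported behaviour: every scope is "required".
BOM = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "Example.Analyzers", "version": "1.0.0", "scope": "required"},
    {"name": "Example.BuildTasks", "version": "2.1.0", "scope": "required"},
    {"name": "Example.Runtime", "version": "3.2.1", "scope": "required"},
]})

def local(tag):
    """Strip an XML namespace prefix, as found in old-style project files."""
    return tag.rsplit("}", 1)[-1]

def private_packages(csproj_text):
    """Lower-cased names of PackageReferences with PrivateAssets=all (attribute or child element)."""
    names = set()
    for el in ET.fromstring(csproj_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        value = el.get("PrivateAssets")
        if value is None:
            value = next((c.text for c in el if local(c.tag) == "PrivateAssets"), None)
        name = el.get("Include") or el.get("Update")
        if name and (value or "").strip().lower() == "all":
            names.add(name.lower())
    return names

def mismatched_scope(csproj_text, bom_text):
    """BOM components that are private in the project but have scope 'required'."""
    private = private_packages(csproj_text)
    # CycloneDX treats a missing scope as "required".
    return sorted(c["name"] for c in json.loads(bom_text).get("components", [])
                  if c["name"].lower() in private and c.get("scope", "required") == "required")

if __name__ == "__main__":
    for name in mismatched_scope(CSPROJ, BOM):
        print(f"{name}: PrivateAssets=all but scope is required in the BOM")
```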
This issue is stale because it has been open for 3 months with no activity.
@mtsfoni how is this progressing?
#847 and #848 basically have the solution to the problem that we discussed regarding figuring out what is a dev dependency and what is not. Unfortunately, the PR is like 90% done, if I recall correctly.
After that, I planned to introduce an enum CLI-argument, so users can decide how to handle dev dependencies. Options would be so far:
- Completely excluded from SBOM (this might be the default option for now)
- Marked with Scope-Excluded
- Regularly Included
After checking with different people in the CycloneDX core group, I got different answers on how to handle dev dependencies and what e.g. excluded scope is meant for (somewhere it said for components that must be added to the scope of delivery). Hence, I just want to give full control over that to the user.
Unfortunately, I'm busy with updating the cdx-dotnet-library to version 1.6 before I can put a lot of time into the tool again. Maybe check out said PR and see what it still needs to be finished? I think it was just minor details there.
OK, thanks for the update @mtsfoni. I might see if I can determine what is outstanding to help it along.
Still waiting for a solution.