
Skip unwanted component from the dependencies.

Open Swapnil-CSI opened this issue 4 years ago • 3 comments

Hi Cyclonedx Team,

In our maven project, we use xxxxx as a dependency package, and from that dependency package we only use a specific part of the component, but the cyclonedx scan shows all the components listed in the xxxxx package and shows CVEs for the packages which we are not using in the project.

ex:

dep1 -> dep1.1 => Showing CVE but we are not using it.
     -> dep1.2 => Showing CVE but we are not using it.
     -> dep1.3 => Using in project
     -> dep1.4 => Using in project

Is there any way to include only the packages used for the end product?

Thanks, Swapnil Bharshankar

Swapnil-CSI, Oct 28 '21 06:10

If you're not using a dependency, then you'll need to use Maven to exclude all the components. Refer to https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html#dependency-exclusions

stevespringett, Oct 28 '21 16:10
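What the exclusion approach looks like for the dep1 tree from the question, as an added pom.xml fragment that is not part of this thread or of the plugin's own docs (groupIds, artifactIds and the version are placeholders):

```xml
<!-- Constructed example: dep1 pulls in dep1.1 .. dep1.4 transitively.
     dep1.1 and dep1.2 are never used by this project, so they are excluded
     at the point where dep1 is declared. All coordinates are placeholders. -->
<project>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>dep1</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <!-- An excluded artifact disappears from the build classpath, not
             just from the BOM, so only exclude what the code never loads. -->
        <exclusion>
          <groupId>com.example</groupId>
          <artifactId>dep1.1</artifactId>
        </exclusion>
        <exclusion>
          <groupId>com.example</groupId>
          <artifactId>dep1.2</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree` (dep1.1 and dep1.2 should no longer appear) before regenerating the BOM, since the generated SBOM only reflects what Maven resolves.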

I have the same requirement. We have more than one maven project, which have dependencies among each other. I would prefer to mark my own components as proprietary or to exclude some components from the bom.

One possible solution would be a maven property (like excludeArtifactId) to exclude dependencies from bom

white-speedy, Feb 08 '22 08:02

Is this the same as issue 269?

r4fterman, Jun 12 '23 18:06