cyclonedx-maven-plugin

Option to ignore optional dependencies

Open anderius opened this issue 2 years ago • 3 comments

The following dependency is not included in the produced artifact, and it would be nice if it was not included in the SBOM. At least some way to disable that inclusion:

    <dependency>
      <groupId>sample.ProjectA</groupId>
      <artifactId>Project-A</artifactId>
      <version>1.0</version>
      <scope>compile</scope>
      <optional>true</optional>
    </dependency>

anderius, Feb 09 '23 13:02

On a related note: why aren't optional dependencies marked with a scope of optional in the generated SBOM?

norrisjeremy, Feb 16 '23 11:02

> On a related note: why aren't optional dependencies marked with a scope of optional in the generated SBOM?

IIUC, current SBOM scope is not taken from Maven POM but from project dependency used/unused analysis: see #65

hboutemy, Feb 26 '23 16:02

FYI #314 should address the question about scope, shifting the determination to rely on the Maven understanding of optional.

knrc, May 08 '23 17:05