Allow filtering for internal components in SBOM export
Current Behavior
Currently, when doing an SBOM export, all project components are included in the export.
However, DT has an attribute on components identifying them as being internal.
In some contexts it makes most sense to exclude such components from the SBOM, e.g. when providing the SBOM for OSS component license validation by the legal department, or in other contexts where the SBOM is intended to declare OSS components and not to list any vendor-proprietary components.
Proposed Behavior
We suggest that a variant of the SBOM export function is added where the SBOM does not include the components marked Internal.
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this enhancement was already requested
Great suggestion!
Some additional notes:
- Excluding components may break the dependency graph
- The omission of components must be communicated in the BOM, e.g. by:
- Adding a property that states that internal components are not included
- Using compositions to express completeness
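As an added illustration of the two notes above (this is example code written for this thread, not Dependency-Track's export code), the following script drops components flagged as internal from a CycloneDX JSON BOM, rewires the dependency graph so that parents of a removed component point at its nearest non-internal descendants instead of dangling, and records the omission both as a `metadata.properties` entry and as a `compositions` entry. The sample BOM, the `internal` property used to flag components, and the `internal-components-excluded` property name are constructed assumptions for the example; DT's real internal flag is not a BOM property.

```python
import copy
import json

# Hypothetical property name used here to flag a component as internal.
INTERNAL_PROPERTY = "internal"

# Constructed sample CycloneDX 1.5 BOM: app -> libA, libB(internal);
# libB -> libC, libD(internal); libD -> libE.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "bom-ref": "app",
                      "name": "shop-frontend", "version": "2.1.0"}
    },
    "components": [
        {"type": "library", "bom-ref": "libA", "name": "openssl", "version": "3.0.8"},
        {"type": "library", "bom-ref": "libB", "name": "acme-core", "version": "1.4.0",
         "properties": [{"name": INTERNAL_PROPERTY, "value": "true"}]},
        {"type": "library", "bom-ref": "libC", "name": "jackson-databind", "version": "2.15.2"},
        {"type": "library", "bom-ref": "libD", "name": "acme-crypto", "version": "0.9.1",
         "properties": [{"name": INTERNAL_PROPERTY, "value": "true"}]},
        {"type": "library", "bom-ref": "libE", "name": "bouncycastle", "version": "1.76"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libA", "libB"]},
        {"ref": "libA", "dependsOn": []},
        {"ref": "libB", "dependsOn": ["libC", "libD"]},
        {"ref": "libC", "dependsOn": []},
        {"ref": "libD", "dependsOn": ["libE"]},
        {"ref": "libE", "dependsOn": []},
    ],
}


def is_internal(component):
    """True when the (hypothetical) internal property is set to 'true'."""
    return any(p.get("name") == INTERNAL_PROPERTY
               and str(p.get("value")).lower() == "true"
               for p in component.get("properties", []))


def external_descendants(ref, graph, internal, seen=None):
    """Walk through internal nodes and return the nearest non-internal
    dependencies of `ref`, in first-seen order, so that removing an internal
    component does not leave its parents with a dangling or missing edge."""
    if seen is None:
        seen = set()
    out = []
    for dep in graph.get(ref, []):
        if dep in seen:          # also guards against cycles
            continue
        seen.add(dep)
        if dep in internal:
            out.extend(external_descendants(dep, graph, internal, seen))
        else:
            out.append(dep)
    return out


def export_without_internal(bom):
    """Return a copy of `bom` without internal components, with the dependency
    graph rewired and the omission declared in the BOM itself."""
    bom = copy.deepcopy(bom)
    internal = {c["bom-ref"] for c in bom.get("components", []) if is_internal(c)}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}

    bom["components"] = [c for c in bom["components"] if c["bom-ref"] not in internal]
    bom["dependencies"] = [
        {"ref": ref, "dependsOn": external_descendants(ref, graph, internal)}
        for ref in graph if ref not in internal
    ]

    # Communicate the omission: a metadata property (name is an assumption) ...
    bom.setdefault("metadata", {}).setdefault("properties", []).append(
        {"name": "internal-components-excluded", "value": "true"})
    # ... and a composition stating that only third-party components remain.
    bom["compositions"] = [{
        "aggregate": "incomplete_third_party_only",
        "assemblies": [bom["metadata"]["component"]["bom-ref"]],
    }]
    return bom


if __name__ == "__main__":
    print(json.dumps(export_without_internal(SAMPLE_BOM), indent=2))
```

The rewiring step is what keeps the exported graph usable: in the sample, `app` ends up depending directly on `libA`, `libC` and `libE`, which is the transitive closure of its third-party dependencies once `libB` and `libD` are gone. A consumer reading `compositions` or the metadata property can tell that the graph was deliberately pruned rather than assume the BOM is complete.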
Maybe as an alternative somehow the internal components could be marked using the author, publisher or some other field. Just to ensure that the information that a module is internal is somehow available in the export.