dep-scan
ASK: how to identify whether a component is a direct or indirect dependency?
Just according to the value of 'scope' (required, optional) in the SBOM? Is that accurate? Thanks.
```python
# Fragment of dep-scan's report code quoted by the asker: is_required and
# optional_pkgs are derived from the SBOM 'scope' attribute, and the usage
# label shown in the report is chosen from them.
if is_required and package_type not in config.OS_PKG_TYPES:
    package_usage = ":direct_hit: Direct usage"
    package_name_style = "[bold]"
elif full_pkg in optional_pkgs or project_type_pkg in optional_pkgs:
    if package_type in config.OS_PKG_TYPES:
        # Optional OS packages are reported as locally installed, not as dependencies.
        package_usage = (
            "[spring_green4]:notebook: Local install[/spring_green4]"
        )
        has_os_packages = True
    else:
        package_usage = (
            "[spring_green4]:notebook: Indirect dependency[/spring_green4]"
        )
        package_name_style = "[italic]"
```
@jackhj000 This is correct. Currently, cdxgen and other tools use/misuse the scope attribute to represent direct dependency. However, with the recent 1.5 spec we can do this cleanly with evidence and dependencies (tree).
https://cyclonedx.org/docs/1.5/json/#components_items_evidence_identity
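As an added illustration of the cleaner approach the maintainer describes (not code from dep-scan or cdxgen), the function below classifies components by walking the CycloneDX 1.5 `dependencies` graph from the root component in `metadata.component`, ignoring `scope` entirely. The SBOM is a constructed sample; a component the root cannot reach is reported as `unreachable`, which is a useful check for SBOMs whose graph is incomplete.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 SBOM (not a real project): the root "app" depends
# directly on lib-a and lib-b; lib-a pulls in lib-c, which pulls in lib-d.
# lib-e is listed as a component but is not reachable from the root.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:app@1.0.0", "name": "app"}},
    "components": [
        {"bom-ref": f"pkg:pypi/{n}@1.0", "name": n, "scope": "required"}
        for n in ("lib-a", "lib-b", "lib-c", "lib-d", "lib-e")
    ],
    "dependencies": [
        {"ref": "pkg:app@1.0.0", "dependsOn": ["pkg:pypi/lib-a@1.0", "pkg:pypi/lib-b@1.0"]},
        {"ref": "pkg:pypi/lib-a@1.0", "dependsOn": ["pkg:pypi/lib-c@1.0"]},
        {"ref": "pkg:pypi/lib-c@1.0", "dependsOn": ["pkg:pypi/lib-d@1.0"]},
        {"ref": "pkg:pypi/lib-b@1.0", "dependsOn": []},
    ],
})


def classify_dependencies(bom_json: str) -> dict:
    """Map each component bom-ref to 'direct', 'indirect' or 'unreachable'
    using only the dependencies graph; the scope attribute is never read."""
    bom = json.loads(bom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(graph.get(root, []))
    # Breadth-first walk from the root's direct deps; the visited set guards against cycles.
    reachable, queue = set(), deque(direct)
    while queue:
        ref = queue.popleft()
        if ref in reachable:
            continue
        reachable.add(ref)
        queue.extend(graph.get(ref, []))
    result = {}
    for comp in bom.get("components", []):
        ref = comp["bom-ref"]
        if ref in direct:
            result[ref] = "direct"
        elif ref in reachable:
            result[ref] = "indirect"
        else:
            result[ref] = "unreachable"
    return result
```

Calling `classify_dependencies(SAMPLE_BOM)` labels lib-a and lib-b as direct, lib-c and lib-d as indirect, and lib-e as unreachable.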
Thanks very much.
@jackhj000 We have added the dependency tree with 4.2.0. Please take a look and let us know if it suits your use case.