feat: set devDependencies component.scope to excluded #1374
AradhyaTiwari10 wants to merge 10 commits into CycloneDX:main from
Signed-off-by: AradhyaTiwari10 <[email protected]>
…etadata Signed-off-by: AradhyaTiwari10 <[email protected]>
…roducible condition Signed-off-by: AradhyaTiwari10 <[email protected]>
jkowalleck
left a comment
Thank you for the feature. The solution looks promising.
Just some small optimizations are needed, and please revert the unintended changes that were not in the ticket's scope.
| bom.metadata.tools.components.add(toolC) | ||
| } | ||
| if (!this.reproducible) { | ||
| if (this.reproducible) { |
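Review bot: flipping the condition from "if (!this.reproducible)" to "if (this.reproducible)" swaps which branch runs when the reproducible option is set; the adjacent else branch is the one that assigns a random serial number and a "new Date()" timestamp, so after this change that non-deterministic output is produced under the opposite setting from before. Reproducibility is the whole point of that option, so unless the ticket asks for it this should be reverted rather than adjusted.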
This seems to be an unintended change.
Please revert
| } else { | ||
| bom.serialNumber = Utils.BomUtility.randomSerialNumber() | ||
| bom.metadata.timestamp = new Date() | ||
| bom.metadata.properties.add( |
This seems to be an unintended change.
Please revert
| } | ||
| // endregion metadata | ||
|
|
||
| // endregion metadata |
This seems to be an unintended change.
Please revert
| PackagePrivate = 'cdx:npm:package:private', | ||
| PackageDevelopment = 'cdx:npm:package:development', | ||
| PackageInstallPath = 'cdx:npm:package:path', | ||
| BomReproducible = 'cdx:reproducible', |
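Review bot: the constant BomReproducible = 'cdx:reproducible' is an identifier change that the ticket does not call for; if it replaces an existing constant for the same property name, every reference has to move with it, and the serialized string 'cdx:reproducible' must stay byte-for-byte identical so consumers that already match on it keep working. Either revert this line or, if the rename is wanted, land it as a separate PR with its own description.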
This seems to be an unintended change.
Please revert
| component.scope = Enums.ComponentScope.Excluded | ||
| } else if (isOptional) { | ||
| component.scope = Enums.ComponentScope.Optional | ||
| } else if (data.dev === true || data.devOptional === true) { |
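Review bot: the branch order makes isOptional win over the dev check, so a package whose data carries both optional and devOptional (or dev) flags is scoped Optional rather than Excluded. If that precedence is intended, say so in a comment next to the branch and cover it with a test case, because a consumer of the BOM treats "excluded" as not shipped and "optional" as possibly shipped, which changes what a scanner matches against.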
Let's have a const for the term data.dev === true || data.devOptional === true, like isOptional.
Could you add this const and use it where possible?
This change updates SBOM generation to mark all components that appear only in devDependencies as "excluded", following the CycloneDX specification.
Details
Added a check for data.dev and data.devOptional flags in makeComponentWithPackageData.
Set component.scope = Enums.ComponentScope.Excluded for those components.
Ensures accurate differentiation between runtime (required) and development-only (excluded) dependencies.
Testing
All unit and integration tests pass (npm run test).
No lint errors except known deprecation warnings.
Related issue
Closes #1151
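To make the scoping rule concrete, here is a standalone illustration, added for this page and not code from the PR or from cyclonedx-node-npm, that applies the same dev/optional precedence to a constructed lockfile-style packages map and then shows the runtime-only view a consumer would take from the resulting scopes. Assumed: the field names dev, optional and devOptional as npm writes them into package-lock v2/v3 "packages" entries, and the inlined scope strings in place of the library's Enums.ComponentScope; the sample data and every function name are this example's own.

```javascript
'use strict';

// Scope values exactly as the CycloneDX spec serializes them. The project
// itself takes these from Enums.ComponentScope in @cyclonedx/cyclonedx-library;
// they are inlined here so the example runs without that dependency.
const ComponentScope = Object.freeze({
  Required: 'required',
  Optional: 'optional',
  Excluded: 'excluded',
});

// Decide the scope of one installed package from the flags npm records for it.
// Assumed input shape: a package-lock v2/v3 "packages" entry whose boolean
// `dev`, `optional` and `devOptional` flags mark dependencies reachable only
// through devDependencies, only through optionalDependencies, or only through
// a mix of both. Branch order mirrors the PR: optional is checked before dev,
// so a package flagged both optional and devOptional comes out Optional.
function scopeForPackage(data) {
  const isOptional = data.optional === true;
  const isDevelopment = data.dev === true || data.devOptional === true;
  if (isOptional) {
    return ComponentScope.Optional;
  }
  if (isDevelopment) {
    return ComponentScope.Excluded;
  }
  return ComponentScope.Required;
}

// Derive the package name from its node_modules path when the entry carries
// no explicit name (scoped packages such as @types/node are handled).
function nameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Turn a packages map into minimal component records. The root entry (key "")
// describes the project itself and is not a component of its own BOM.
function componentsFromPackages(packages) {
  const components = [];
  for (const [path, data] of Object.entries(packages)) {
    if (path === '') {
      continue;
    }
    const name = data.name ?? nameFromPath(path);
    components.push({
      'bom-ref': path,
      name,
      version: data.version,
      scope: scopeForPackage(data),
    });
  }
  return components;
}

// The view a consumer of the deployed artifact (for example a vulnerability
// scanner matching against what actually ships) should use: everything that
// is not excluded.
function shippedComponents(components) {
  return components.filter((c) => c.scope !== ComponentScope.Excluded);
}

// Count components per scope; a quick sanity check when eyeballing a lockfile.
function scopeSummary(components) {
  const summary = { required: 0, optional: 0, excluded: 0 };
  for (const c of components) {
    summary[c.scope] += 1;
  }
  return summary;
}

// Constructed sample input, not taken from any real project.
const SAMPLE_PACKAGES = {
  '': { name: 'example-app', version: '1.0.0' },
  'node_modules/express': { version: '4.19.2' },
  'node_modules/jest': { version: '29.7.0', dev: true },
  'node_modules/@types/node': { version: '20.11.0', dev: true },
  'node_modules/fsevents': { version: '2.3.3', optional: true },
  'node_modules/some-dev-only-helper': { version: '0.1.0', devOptional: true },
  'node_modules/some-mixed-helper': { version: '4.6.2', optional: true, devOptional: true },
};

const components = componentsFromPackages(SAMPLE_PACKAGES);
console.log(JSON.stringify(components, null, 2));
console.log('summary:', scopeSummary(components));
console.log('shipped:', shippedComponents(components).map((c) => c.name));
```

With the constructed input, express is required, fsevents and the mixed optional/devOptional helper are optional, and jest, @types/node and the devOptional-only helper are excluded, so a scanner working from shippedComponents sees three packages instead of six. Note that the mixed helper lands in optional purely because of branch order; if the intent is "anything dev-only is excluded", the dev check has to come first.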