feat: Only fetching first level of dependencies

[benno85]

Is your feature request related to a problem? Please describe.

As stated in the docs and the source code this project always fetches all npm packages via the "npm ls" command. Therefore it is executed with "npm ls -all" (i left out the other parametes here for better understanding)

What i would like to have is an option to create the SBOM only with the packages listed in package.json file. Basically just the first level of dependencies.

Describe the solution you'd like

Add an additional parameter e.g. "--only-first-level-dependencies" to call "npm ls" without the --depth parameter or set to 1 to fetch only the first level of dependencies/packages.

Default of the parameter can be false so it will by default fetch all dependencies and only if you are configuring it you can limit the fetching.

Describe alternatives you've considered

none. i think this the nicest approach

Additional context

Add any other context or screenshots about the feature request here.

[jkowalleck]

To tailor a solution that fits more than one person/organization, could you help me understand the needs, boundaries and scope?

Question: why only a depth of 1? Why to exclude all the transitive dependencies?
Are there cases where the depth should be 2, or maybe 5 ?

You might be aware that a CycloneDX document that does not include transitive dependencies and nothing that is actually present in an environment, that such a document is not considered an SBOM by most definitions.
Question: Who is the receiver of such a document and what are their intended use cases?

[benno85]

For OSS clearing reasons, we have to upload our used packages to a platform where the clearing team can then start their processes to check, for example, if licenses are fulfilled.

For reasons I am not aware of, it is only necessary to upload the first level, not the transitive dependencies. We are trying to automate this process via the API of the platform and the interface is demanding the SBOM format.

Currently, from my point of view, there is no need to set the depth individually. However, this would increase flexibility. But also, as you stated, without the transitive dependencies, the resulting document is not an SBOM by definition. That was the reason I suggested the two "extremes" for generating the document: either complete or just the first level.

I hope this was a useful explanation of the topic.

[jkowalleck]

Thank you for clarification. I understand your position.

The SBOM that is produced by this tool includes a dependency graph that is rooted on the primary component.

The current structures generated by this tool should enable your clearing team to do the needed processing - it probably saves them work, though they did not disclose this to you. :-)
If your business processes require any post-processing, then I suggest you build an own pipeline adhering to the specific business processes of your organization. Programmatically filtering certain parts of an SBOM based on the dependency graph should be no issue.
(the XML could probably worked trough XSLT processing to filter the SBOM, while JSON might be processed by jq to filter out any transitive dependencies)

[benno85]

Ok i will try it like you suggested.

[jkowalleck]

I will leave this feature request open, so we could track/discuss the general demand and requirements, continue discussions of possible implementations and implications.

[jkowalleck]

this feature should be solved with #1259