[FEATURE] library mode #1259

Open
@jkowalleck

Description

Is your feature request related to a problem? Please describe.

If I build an SBOM for a library, I do not want to have non-bundled components listed as if they were concrete.
These dependencies are extraneous/"external" and their version is not clear - it is resolved at install time.
Also, transitive dependencies of those are not clear until install time.

This should be reflected in the SBOM.

Describe the solution you'd like

Spec: CycloneDX/specification#321

Add an option to have

  • only the bundled dependencies and the direct dependencies as components in the SBOM result.
  • non-bundled components must have no version.
  • non-bundled components must have a version range - specification#321
  • non-bundled components are marked as "external" - specification#321

option could be called (list of ideas)

  • --library-mode
  • --mark-extraneous/--mark-externals
  • --bundled-only
  • add your idea in the comments

new option MUST imply --omit dev

new option MUST be disabled by default
new option MUST be marked as experimental in help page
new option might set `--mc-type=library`

Describe alternatives you've considered

  • we could make it so that the existing option `--mc-type=library` causes this behaviour by default, but that would be a breaking change

Additional context

for libraries, non-bundled components are "external" - this is discussed in specification#321

package.json knows the concept of

  • dependencies
  • bundleDependencies - definitely shipped
  • peerDependencies - definitely external
    • they can be optional, in addition. example:
      "peerDependenciesMeta": {
        "webpack-cli": {
          "optional": true
        }
      }
      
  • devDependencies - no intention to be shipped.
    might shadow all of the above on build-time

Contribution

  • I am willing to provide an implementation
  • I will wait until somebody else implements it

Labels: enhancement, help wanted