CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. GPT: https://chatgpt.com/g/g-673bfeb4037481919be8a2cd1bf868d2-cdxgen
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

How to exclude dependencies that have test scope from the generated SBOM in a Java project #1018

Open MohammedAziz02 opened 7 months ago

MohammedAziz02 commented 7 months ago

When I run cdxgen -t java -o artifactSBOM.json --spec-version=1.4 on a Java project, it gives the message "mvn org.cyclonedx:cyclonedx-maven-plugin:2.8.0:makeAggregateBom -DoutputName=bom -DincludeTestScope=true -q -DschemaVersion=1.4", but I don't want to include the dependencies that have a test scope. How do I do that?

prabhu commented 7 months ago
export CDX_MAVEN_INCLUDE_TEST_SCOPE=false

https://github.com/CycloneDX/cdxgen/blob/17b83f9082a65da5f308df978cd0293c6a58627a/utils.js#L120

MohammedAziz02 commented 7 months ago

Thank you. What about the other scopes (Runtime Scope, Compile Scope, Provided Scope, System Scope), if we want to customize the SBOM output to include only the Runtime and Compile scopes?

prabhu commented 7 months ago

Use the MVN_ARGS environment variable to pass additional args.

export MVN_ARGS="-DincludeCompileScope=true -DincludeProvidedScope=false"

https://github.com/CycloneDX/cdxgen/blob/master/index.js#L1226C9-L1226C29
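
As an added example (not code from cdxgen or from this thread), a small shell helper that builds the MVN_ARGS value from an allow-list of Maven scopes, emitting every scope flag explicitly so that scopes not named are excluded regardless of the plugin's defaults. The five -Dinclude<Scope>Scope properties are the cyclonedx-maven-plugin's own; the function name and the assumed cdxgen command line are ours.

```shell
#!/usr/bin/env bash
# Build the MVN_ARGS string that restricts the cyclonedx-maven-plugin
# to an allow-list of scopes. All five scope properties are set, so the
# resulting SBOM does not depend on plugin defaults (helper is ours).

cdx_scope_args() {
  # usage: cdx_scope_args runtime compile   -> prints the MVN_ARGS value
  args=""
  for scope in Compile Provided Runtime System Test; do
    value=false
    for wanted in "$@"; do
      # compare case-insensitively so "runtime" matches "Runtime"
      if [ "$(printf '%s' "$wanted" | tr '[:upper:]' '[:lower:]')" = \
           "$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')" ]; then
        value=true
      fi
    done
    args="$args -Dinclude${scope}Scope=$value"
  done
  # drop the leading space
  printf '%s' "${args# }"
}

# Keep only runtime and compile dependencies, as asked in the thread.
# CDX_MAVEN_INCLUDE_TEST_SCOPE is cdxgen's switch for the test scope;
# MVN_ARGS carries the remaining plugin properties through to mvn.
MVN_ARGS="$(cdx_scope_args runtime compile)"
export MVN_ARGS
export CDX_MAVEN_INCLUDE_TEST_SCOPE=false
# Then generate the SBOM (assumed invocation; adjust the output name):
#   cdxgen -t java -o artifactSBOM.json --spec-version=1.4
```

Check the resulting BOM against what you expect before trusting it in CI, since an SBOM that silently omits or includes a scope is a supply-chain inventory gap.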

arkajnag23 commented 3 months ago

@prabhu Do we have these options available in API? If yes, how can we do that?