CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server.
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

Arg `--required-only` ignored #1259

Closed heubeck closed 1 month ago

heubeck commented 1 month ago

At least for maven projects, the --required-only arg is ignored.


Would expect it to have higher precedence than the env var.

prabhu commented 1 month ago

@heubeck the flag is used by postgen to filter the BOM regardless of package type. Can you inspect the bom?
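One way to do the inspection prabhu asks for, as an added example that is not part of the thread or of cdxgen's own postgen code: a small Node script that tallies the components of a CycloneDX JSON BOM by scope, lists what a required-only filter would drop, and applies that filter while pruning the dependency graph so it never references a removed bom-ref. The sample BOM is constructed for the example, the script name is hypothetical, and treating a component with no scope as required is an assumption taken from the CycloneDX default rather than from cdxgen's implementation.

```javascript
// Added example (not cdxgen's own code): inspect a CycloneDX JSON BOM by
// component scope and apply a "required-only" filter comparable in intent to
// cdxgen's --required-only post-processing. Assumption: a component with no
// "scope" field is treated as "required", which is the CycloneDX default.
"use strict";

// Constructed sample BOM (CycloneDX 1.5 shape, trimmed): a Maven-style project
// with a required runtime dependency, a test-only one marked optional, one
// marked excluded and one with no scope at all.
const SAMPLE_BOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  metadata: { component: { type: "application", "bom-ref": "pkg:maven/example/app@1.0.0", name: "app" } },
  components: [
    { type: "library", "bom-ref": "pkg:maven/org.example/core@1.2.3", name: "core", scope: "required" },
    { type: "library", "bom-ref": "pkg:maven/org.example/junit-like@5.0.0", name: "junit-like", scope: "optional" },
    { type: "library", "bom-ref": "pkg:maven/org.example/legacy@0.9.0", name: "legacy", scope: "excluded" },
    { type: "library", "bom-ref": "pkg:maven/org.example/unscoped@2.0.0", name: "unscoped" },
  ],
  dependencies: [
    { ref: "pkg:maven/example/app@1.0.0", dependsOn: [
      "pkg:maven/org.example/core@1.2.3",
      "pkg:maven/org.example/junit-like@5.0.0",
      "pkg:maven/org.example/unscoped@2.0.0",
    ] },
    { ref: "pkg:maven/org.example/core@1.2.3", dependsOn: ["pkg:maven/org.example/legacy@0.9.0"] },
    { ref: "pkg:maven/org.example/junit-like@5.0.0", dependsOn: [] },
    { ref: "pkg:maven/org.example/legacy@0.9.0", dependsOn: [] },
    { ref: "pkg:maven/org.example/unscoped@2.0.0", dependsOn: [] },
  ],
};

// Effective scope: CycloneDX treats a missing scope as "required" (assumption above).
function effectiveScope(component) {
  return component.scope || "required";
}

// Count components per effective scope: the quick "inspect the bom" check.
function summarizeScopes(bom) {
  const counts = {};
  for (const c of bom.components || []) {
    const s = effectiveScope(c);
    counts[s] = (counts[s] || 0) + 1;
  }
  return counts;
}

// Names of components a required-only filter would drop; handy for checking
// that a --required-only BOM really carries no test-only dependencies.
function droppedComponentNames(bom) {
  return (bom.components || []).filter((c) => effectiveScope(c) !== "required").map((c) => c.name);
}

// Return a new BOM holding only required components, with the dependency
// graph pruned so no entry references a dropped bom-ref. The input is not mutated.
function filterRequiredOnly(bom) {
  const kept = (bom.components || []).filter((c) => effectiveScope(c) === "required");
  const keptRefs = new Set(kept.map((c) => c["bom-ref"]));
  const root = bom.metadata && bom.metadata.component && bom.metadata.component["bom-ref"];
  if (root) keptRefs.add(root); // the root application always stays in the graph
  const dependencies = (bom.dependencies || [])
    .filter((d) => keptRefs.has(d.ref))
    .map((d) => ({ ref: d.ref, dependsOn: (d.dependsOn || []).filter((r) => keptRefs.has(r)) }));
  return { ...bom, components: kept, dependencies };
}

// Usage: node bom-scope-check.js path/to/bom.json (falls back to the sample BOM)
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const bom = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_BOM;
  console.log("components by scope:", summarizeScopes(bom));
  console.log("dropped by required-only:", droppedComponentNames(bom));
  console.log("required-only component count:", filterRequiredOnly(bom).components.length);
}

if (typeof module !== "undefined") {
  module.exports = { SAMPLE_BOM, effectiveScope, summarizeScopes, droppedComponentNames, filterRequiredOnly };
}
```

Running it against the two BOMs from the thread (with and without --required-only) and comparing the scope tallies shows directly whether the flag changed anything, and whether test-only dependencies ever reached the BOM with a non-required scope in the first place.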

prabhu commented 1 month ago

@heubeck any luck?

heubeck commented 1 month ago

Unfortunately not. Test-scoped dependencies are not filtered, but they are contained even in the default-settings sbom as required...

Ok, the maven plugin doesn't output scope: test - it just omits test dependencies unless -DincludeTestScope=true. So that's not cdxgen - but maybe cdxgen can override CDX_MAVEN_INCLUDE_TEST_SCOPE when --required-only?

for the record:

CDX_MAVEN_INCLUDE_TEST_SCOPE=true cdxgen --spec-version 1.5 -o include-test-and-rqeuired-only-sbom.json --required-only: include-test-and-rqeuired-only-sbom.json

cdxgen --spec-version 1.5 -o required-only-sbom.json --required-only: required-only-sbom.json

CDX_MAVEN_INCLUDE_TEST_SCOPE=false cdxgen --spec-version 1.5 -o exclude-test-only-sbom.json: exclude-test-only-sbom.json

cdxgen --spec-version 1.5 -o default-sbom.json: default-sbom.json

prabhu commented 1 month ago

Thanks for the detailed report. Could you also repeat by setting the environment variable PREFER_MAVEN_DEPS_TREE=true?

heubeck commented 1 month ago

ok, cool stuff, thx @prabhu.

mvn deps tree made it work as expected. So maybe it's time to use it ;)

PREFER_MAVEN_DEPS_TREE=true CDX_MAVEN_INCLUDE_TEST_SCOPE=true cdxgen --spec-version 1.5 -o include-test-deps-tree-required-only-sbom.json --required-only: include-test-deps-tree-required-only-sbom.json

PREFER_MAVEN_DEPS_TREE=true cdxgen --spec-version 1.5 -o deps-tree-required-only-sbom.json --required-only: deps-tree-required-only-sbom.json

PREFER_MAVEN_DEPS_TREE=true CDX_MAVEN_INCLUDE_TEST_SCOPE=false cdxgen --spec-version 1.5 -o include-test-deps-tree-no-required-only-sbom.json: include-test-deps-tree-no-required-only-sbom.json

PREFER_MAVEN_DEPS_TREE=true cdxgen --spec-version 1.5 -o deps-tree-no-required-only-sbom.json: deps-tree-no-required-only-sbom.json