Closed: heubeck closed this issue 1 month ago
@heubeck the flag is used by postgen to filter the BOM regardless of package type. Can you inspect the bom?
@heubeck any luck?
Unfortunately not.
Test-scoped dependencies are not filtered, but they are contained even in the default-settings SBOM as required
...
Ok, the maven plugin doesn't output scope: test - it just omits test dependencies when not -DincludeTestScope=true.
So that's not cdxgen - but maybe cdxgen can override CDX_MAVEN_INCLUDE_TEST_SCOPE when --required-only?
for the record:
CDX_MAVEN_INCLUDE_TEST_SCOPE=true cdxgen --spec-version 1.5 -o include-test-and-rqeuired-only-sbom.json --required-only: include-test-and-rqeuired-only-sbom.json
cdxgen --spec-version 1.5 -o required-only-sbom.json --required-only: required-only-sbom.json
CDX_MAVEN_INCLUDE_TEST_SCOPE=false cdxgen --spec-version 1.5 -o exclude-test-only-sbom.json: exclude-test-only-sbom.json
cdxgen --spec-version 1.5 -o default-sbom.json: default-sbom.json
Thanks for the detailed report. Could you also repeat by setting the environment variable PREFER_MAVEN_DEPS_TREE=true?
ok, cool stuff, thx @prabhu.
mvn deps tree made it work as expected. So maybe it's time to use it ;)
PREFER_MAVEN_DEPS_TREE=true CDX_MAVEN_INCLUDE_TEST_SCOPE=true cdxgen --spec-version 1.5 -o include-test-deps-tree-required-only-sbom.json --required-only: include-test-deps-tree-required-only-sbom.json
PREFER_MAVEN_DEPS_TREE=true cdxgen --spec-version 1.5 -o deps-tree-required-only-sbom.json --required-only: deps-tree-required-only-sbom.json
PREFER_MAVEN_DEPS_TREE=true CDX_MAVEN_INCLUDE_TEST_SCOPE=false cdxgen --spec-version 1.5 -o include-test-deps-tree-no-required-only-sbom.json: include-test-deps-tree-no-required-only-sbom.json
PREFER_MAVEN_DEPS_TREE=true cdxgen --spec-version 1.5 -o deps-tree-no-required-only-sbom.json: deps-tree-no-required-only-sbom.json
At least for maven projects, the --required-only arg is ignored. Would expect it to have higher precedence than the env var.
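One way to do the BOM inspection asked for earlier in the thread, as an added example that is not part of the issue or of cdxgen: the script below reads CycloneDX JSON files such as the attached default-sbom.json and required-only-sbom.json, counts components per scope (treating a missing scope as "required", as the CycloneDX spec says a consumer should), lists every non-required component, and diffs two BOMs so a reviewer can see whether --required-only actually removed anything. The sample BOM and its scope values are constructed for the example; the thread does not state which scope cdxgen assigns to test-scoped Maven dependencies, so the checker reports whatever scope is present rather than assuming one.

```python
"""Inspect CycloneDX BOMs to verify that cdxgen's --required-only took effect.

Added example, not cdxgen code. Assumes the standard CycloneDX JSON layout:
components[] with optional "scope", "purl" and nested "components".
"""
import json
import sys
from collections import Counter
from typing import Any, Iterator

# CycloneDX 1.5: a component without an explicit scope SHOULD be treated as required.
DEFAULT_SCOPE = "required"


def iter_components(components: list[dict[str, Any]]) -> Iterator[dict[str, Any]]:
    """Walk components depth-first in document order, including nested sub-components."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def component_id(comp: dict[str, Any]) -> str:
    """Prefer the purl; fall back to group/name@version when a component lacks one."""
    if comp.get("purl"):
        return comp["purl"]
    group = f"{comp['group']}/" if comp.get("group") else ""
    return f"{group}{comp.get('name', '?')}@{comp.get('version', '?')}"


def scope_summary(bom: dict[str, Any]) -> dict[str, int]:
    """Count components per scope value (missing scope counted as required)."""
    counts: Counter[str] = Counter()
    for comp in iter_components(bom.get("components", [])):
        counts[comp.get("scope", DEFAULT_SCOPE)] += 1
    return dict(counts)


def non_required(bom: dict[str, Any]) -> list[tuple[str, str]]:
    """(identifier, scope) for every component whose scope is not 'required'."""
    return [
        (component_id(c), c["scope"])
        for c in iter_components(bom.get("components", []))
        if c.get("scope", DEFAULT_SCOPE) != "required"
    ]


def honours_required_only(bom: dict[str, Any]) -> bool:
    """True when the BOM contains only required components, as --required-only should yield."""
    return not non_required(bom)


def component_ids(bom: dict[str, Any]) -> set[str]:
    return {component_id(c) for c in iter_components(bom.get("components", []))}


def compare_boms(left: dict[str, Any], right: dict[str, Any]) -> tuple[set[str], set[str]]:
    """Return (only in left, only in right), e.g. default output vs --required-only output."""
    lhs, rhs = component_ids(left), component_ids(right)
    return lhs - rhs, rhs - lhs


def load_bom(path: str) -> dict[str, Any]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample BOM: scope values here are invented for the example.
SAMPLE_BOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.springframework", "name": "spring-core",
         "version": "6.1.0", "purl": "pkg:maven/org.springframework/spring-core@6.1.0"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.16.0", "scope": "required",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.16.0",
         "components": [
             {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-core",
              "version": "2.16.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.16.0"},
         ]},
        {"type": "library", "group": "org.junit.jupiter", "name": "junit-jupiter",
         "version": "5.10.0", "scope": "excluded",
         "purl": "pkg:maven/org.junit.jupiter/junit-jupiter@5.10.0"},
        {"type": "library", "group": "org.projectlombok", "name": "lombok",
         "version": "1.18.30", "scope": "optional",
         "purl": "pkg:maven/org.projectlombok/lombok@1.18.30"},
    ],
}


if __name__ == "__main__":
    # Usage: python check_scopes.py default-sbom.json required-only-sbom.json
    boms = [load_bom(p) for p in sys.argv[1:]] or [SAMPLE_BOM]
    for path, bom in zip(sys.argv[1:] or ["<sample>"], boms):
        print(f"{path}: {scope_summary(bom)} required-only ok={honours_required_only(bom)}")
    if len(boms) == 2:
        print("only in first:", compare_boms(*boms)[0])
```

Run it on the default and --required-only outputs from the same project: if the scope summaries and the diff are identical, the flag was ignored, which is the behaviour reported above for Maven without PREFER_MAVEN_DEPS_TREE.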