DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.7k stars 578 forks

Please add support for component "scope" parameter #3385

Open troy256 opened 10 months ago

troy256 commented 10 months ago

Current Behavior

When adding/editing components in DTrack, there is no ability to set a "scope" parameter. In the CycloneDX BOM format this can be set to required, optional or excluded. Without this there is no way to flag a dependency as something that is not shipped, such as runtime or development dependencies.

Proposed Behavior

I suggest implementing functionality within DTrack that recognizes and utilizes the "scope" parameter allowed in the JSON spec. This would allow us to list non-required dependencies and flag them appropriately. It will improve the accuracy of vulnerability analysis by focusing on shipping components and better align DTrack with the CycloneDX specification.

Ref: https://cyclonedx.org/docs/1.5/json/#components_items_scope

Checklist
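To show what a BOM consumer gains from honouring `scope`, here is an added example (not code from the issue or from Dependency-Track) that reads a small CycloneDX 1.5 JSON BOM constructed inline, resolves each component's effective scope, and separates excluded (not shipped) components from the ones that matter for vulnerability analysis. Component names and purl values are made up for the example; the one spec rule it relies on is that a component with no `scope` is treated as `required`, which the CycloneDX schema tells consumers to assume. Nested `components` are walked as well, which goes slightly beyond the flat list in the issue text.

```python
import json
from collections import defaultdict

# Constructed sample CycloneDX 1.5 JSON BOM for this example; the purls are illustrative.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-http", "version": "2.1.0",
         "purl": "pkg:maven/org.example/example-http@2.1.0", "scope": "required"},
        {"type": "library", "name": "example-metrics", "version": "0.9.3",
         "purl": "pkg:maven/org.example/example-metrics@0.9.3", "scope": "optional",
         # A nested component inherits nothing: its own scope is evaluated separately.
         "components": [
             {"type": "library", "name": "example-metrics-core", "version": "0.9.3",
              "purl": "pkg:maven/org.example/example-metrics-core@0.9.3"},
         ]},
        {"type": "library", "name": "example-test-harness", "version": "5.0.0",
         "purl": "pkg:maven/org.example/example-test-harness@5.0.0", "scope": "excluded"},
        # No scope at all: the CycloneDX schema says consumers should assume "required".
        {"type": "library", "name": "example-json", "version": "1.4.2",
         "purl": "pkg:maven/org.example/example-json@1.4.2"},
    ],
})

VALID_SCOPES = {"required", "optional", "excluded"}


def component_scope(component):
    """Return the effective scope of a component, defaulting to 'required' when absent."""
    scope = component.get("scope", "required")
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r} on component {component.get('name')!r}")
    return scope


def iter_components(components):
    """Yield every component in document order, descending into nested 'components'."""
    for component in components:
        yield component
        yield from iter_components(component.get("components", []))


def partition_by_scope(bom_json):
    """Group component identifiers (purl, falling back to name) by effective scope."""
    bom = json.loads(bom_json)
    groups = defaultdict(list)
    for component in iter_components(bom.get("components", [])):
        identifier = component.get("purl") or component["name"]
        groups[component_scope(component)].append(identifier)
    return dict(groups)


def shipped_components(bom_json):
    """Components worth prioritising in vulnerability analysis: everything not excluded."""
    groups = partition_by_scope(bom_json)
    return groups.get("required", []) + groups.get("optional", [])


if __name__ == "__main__":
    for scope, identifiers in sorted(partition_by_scope(SAMPLE_BOM).items()):
        print(f"{scope}:")
        for identifier in identifiers:
            print(f"  {identifier}")
```

Running the script lists the test harness under `excluded` and the other four components under `required` or `optional`; a consumer that ignores `scope` would instead treat all five as equally shipped, which is exactly the inaccuracy the request describes.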

jimklimov commented 2 weeks ago

UPDATE: https://cyclonedx.org/docs/1.6/json/#components_items_scope spec revision clarifies the meanings of accepted scope values.