Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0

Should `build-public` delete nested components? #225

Open mmarseu opened 1 month ago

mmarseu commented 1 month ago

The build-public command deletes components which are valid according to a user-supplied JSON schema. It also deletes all components nested under the deleted component even if those don't match the schema.

Up to now I hadn't given this much thought. I believed it to be intentional. But now I'm reconsidering, because from the point of view of the SBOM consumer, this defeats the SBOM's purpose.

I believe the intention behind build-public's ability to delete entire components is to hide structural or architectural details in the SBOM which are not useful to an authorized consumer and might be considered sensitive by the manufacturer. That's all good. In any case, for vulnerability or license management, this isn't going to make a difference. But non-internal components aggregated under the internal components are still part of the product and they are absolutely important for those use cases.

What do you think? Should build-public be changed to move nested components to the parent of the deleted component?

CBeck-96 commented 1 month ago

I would agree, this rearrangement (like with dependencies) seems more appropriate.
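The two behaviours under discussion, side by side, as an added example that is not part of the thread or of cyclonedx-editor-validator's code. The SBOM, the "internal" schema and the component/dependency names are all constructed for the illustration, and `matches_schema` is a deliberately tiny subset of JSON Schema (`required`, `const`, `pattern`) standing in for a real validator so the file runs without third-party packages. `prune_subtrees` reconstructs the current behaviour described by mmarseu (delete the matching component and its whole subtree); `prune_and_reparent` implements the proposal (hoist non-matching children into the deleted component's place, recursively); `rewire_dependencies` is my assumption of what the analogous splice in the `dependencies` graph would look like, not a description of what the tool does today.

```python
"""Constructed illustration: delete schema-matching components from a CycloneDX SBOM,
either with their subtree (current behaviour) or hoisting the children (proposal)."""
import copy
import re

# Constructed sample (not a real product): an internal aggregate wraps two third-party
# libraries, and one of those wraps an internal helper of its own.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "internal-core", "name": "internal-core",
         "group": "com.example.internal",
         "components": [
             {"type": "library", "bom-ref": "openssl", "name": "openssl", "version": "3.0.13"},
             {"type": "library", "bom-ref": "zlib", "name": "zlib", "version": "1.3.1",
              "components": [
                  {"type": "library", "bom-ref": "internal-patch", "name": "internal-patch",
                   "group": "com.example.internal"}]}]},
        {"type": "library", "bom-ref": "libcurl", "name": "libcurl", "version": "8.6.0"},
    ],
    "dependencies": [
        {"ref": "internal-core", "dependsOn": ["openssl", "zlib"]},
        {"ref": "zlib", "dependsOn": ["internal-patch"]},
        {"ref": "libcurl", "dependsOn": ["internal-core"]},
    ],
}

# Hypothetical user-supplied schema: a component is "internal" if its group matches.
INTERNAL_SCHEMA = {
    "required": ["group"],
    "properties": {"group": {"pattern": r"^com\.example\.internal$"}},
}


def matches_schema(component, schema):
    """Minimal JSON Schema subset (required / const / pattern); NOT a full validator."""
    for key in schema.get("required", []):
        if key not in component:
            return False
    for key, rule in schema.get("properties", {}).items():
        if key not in component:
            continue
        value = component[key]
        if "const" in rule and value != rule["const"]:
            return False
        if "pattern" in rule and not (isinstance(value, str) and re.search(rule["pattern"], value)):
            return False
    return True


def prune_subtrees(components, schema):
    """Current behaviour as described: a matching component and everything under it go away."""
    kept = []
    for comp in components:
        if matches_schema(comp, schema):
            continue
        comp = dict(comp)  # shallow copy so the input SBOM is never mutated
        if "components" in comp:
            comp["components"] = prune_subtrees(comp["components"], schema)
        kept.append(comp)
    return kept


def prune_and_reparent(components, schema):
    """Proposal: a matching component goes away, its surviving children take its place."""
    kept = []
    for comp in components:
        children = prune_and_reparent(comp.get("components", []), schema)
        if matches_schema(comp, schema):
            kept.extend(children)  # hoist to the deleted component's parent
        else:
            comp = dict(comp)
            if children:
                comp["components"] = children
            else:
                comp.pop("components", None)
            kept.append(comp)
    return kept


def removed_refs(components, schema):
    """bom-refs of every schema-matching component, at any nesting depth."""
    refs = set()
    for comp in components:
        if matches_schema(comp, schema):
            refs.add(comp["bom-ref"])
        refs |= removed_refs(comp.get("components", []), schema)
    return refs


def rewire_dependencies(dependencies, removed):
    """Assumed splice: whoever depended on a removed ref now depends on that ref's own
    dependencies (followed transitively, cycle-safe), and removed refs get no entry."""
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in dependencies}

    def resolve(ref, seen=()):
        if ref not in removed:
            return [ref]
        return [r for dep in graph.get(ref, []) if dep not in seen
                for r in resolve(dep, seen + (ref,))]

    result = []
    for ref, deps in graph.items():
        if ref in removed:
            continue
        flat = []
        for dep in deps:
            flat.extend(r for r in resolve(dep) if r not in flat)
        result.append({"ref": ref, "dependsOn": flat})
    return result


def build_public(sbom, schema):
    """Proposed build-public: delete, hoist children, splice the dependency graph."""
    public = copy.deepcopy(sbom)
    public["components"] = prune_and_reparent(sbom["components"], schema)
    public["dependencies"] = rewire_dependencies(
        sbom.get("dependencies", []), removed_refs(sbom["components"], schema))
    return public


def flat_refs(components):
    """Depth-first list of bom-refs, handy for comparing the two outcomes."""
    out = []
    for comp in components:
        out.append(comp["bom-ref"])
        out.extend(flat_refs(comp.get("components", [])))
    return out


if __name__ == "__main__":
    print("current: ", flat_refs(prune_subtrees(SBOM["components"], INTERNAL_SCHEMA)))
    print("proposed:", flat_refs(build_public(SBOM, INTERNAL_SCHEMA)["components"]))
    print("deps:    ", build_public(SBOM, INTERNAL_SCHEMA)["dependencies"])
```

Running it shows the consumer-side difference the issue is about: with subtree deletion the public SBOM lists only `libcurl`, so `openssl` and `zlib` (the components a vulnerability scanner actually cares about) vanish along with the internal wrapper; with hoisting they survive at the wrapper's former position and `libcurl` now depends on them directly, while the internal refs appear nowhere in the output.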