anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Use VirtualPath to build Dependencies section #2990

Open merlin-uk opened 4 days ago

merlin-uk commented 4 days ago

What would you like to be added: We would like the Dependencies section to be added to the bottom of the SBOM.

Why is this needed: SBOMs need to have a Dependencies section to be valid.

Additional context: The VirtualPath which is created under each Property section can be used to build a Dependencies section.

kzantow commented 3 days ago

Hi @merlin-uk -- could you expand on this request? I don't think we could build a dependency tree strictly based on file paths. Are you referring to Java, specifically? If so, I don't think we can use the JAR nesting to build a dependency graph, either, necessarily. We could probably use this to make CONTAINS relationships, but I don't believe this would accomplish what you are asking for, as this is different than a dependency relationship, and would not show up in CycloneDX dependencies. We would definitely need a bit more information to understand exactly what the use case you are trying to solve is here, if you could expand on this some.
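The distinction kzantow draws above, nesting versus dependency, is easy to see in code. The following is an added example written for this page; it is not Syft code and not from either commenter. It derives CONTAINS edges from virtual paths and, separately, renders a CycloneDX-style dependencies array from declared edges, rejecting any edge that names a component absent from the BOM. The ":" separator for nested archives, the bom-refs, the paths and the declared edges are all constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Package is a minimal stand-in for one SBOM component: its bom-ref and the
// virtual path recorded for it. Nested archives are assumed (an assumption of
// this example, not a documented Syft contract) to be written as
// "<outer archive>:<path inside it>", e.g. "/app.jar:BOOT-INF/lib/x.jar".
type Package struct{ Ref, VirtualPath string }

// Contains is one "parent archive contains child" edge derived from nesting.
type Contains struct{ Parent, Child string }

const nestedSep = ":"

// containerPath returns the archive that directly holds vp, or "" for a top-level file.
func containerPath(vp string) string {
	if i := strings.LastIndex(vp, nestedSep); i >= 0 {
		return vp[:i]
	}
	return ""
}

// ContainsRelationships derives CONTAINS edges from path nesting alone. That is
// all a virtual path can support: it says where a file sits, not what the code
// inside it links against, so these edges are never emitted as dependencies.
func ContainsRelationships(pkgs []Package) []Contains {
	refByPath := make(map[string]string, len(pkgs))
	for _, p := range pkgs {
		refByPath[p.VirtualPath] = p.Ref
	}
	var rels []Contains
	for _, p := range pkgs {
		if parent, ok := refByPath[containerPath(p.VirtualPath)]; ok {
			rels = append(rels, Contains{Parent: parent, Child: p.Ref})
		}
	}
	sort.Slice(rels, func(i, j int) bool {
		if rels[i].Parent != rels[j].Parent {
			return rels[i].Parent < rels[j].Parent
		}
		return rels[i].Child < rels[j].Child
	})
	return rels
}

// cdxDependency is one entry of a CycloneDX "dependencies" array.
type cdxDependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}

// DependenciesSection renders the dependencies array from declared edges (what a
// pom.xml or lock file states), never from nesting. Every component gets an
// entry (an empty dependsOn is valid); an edge naming a ref that is not in the
// BOM is rejected so the section can never dangle.
func DependenciesSection(pkgs []Package, declared map[string][]string) (string, error) {
	index := make(map[string]int, len(pkgs))
	deps := make([]cdxDependency, 0, len(pkgs))
	for _, p := range pkgs {
		index[p.Ref] = len(deps)
		deps = append(deps, cdxDependency{Ref: p.Ref, DependsOn: []string{}})
	}
	for from, tos := range declared {
		i, ok := index[from]
		if !ok {
			return "", fmt.Errorf("dependency source %q is not a component in the BOM", from)
		}
		for _, to := range tos {
			if _, ok := index[to]; !ok {
				return "", fmt.Errorf("dependency target %q is not a component in the BOM", to)
			}
			deps[i].DependsOn = append(deps[i].DependsOn, to)
		}
		sort.Strings(deps[i].DependsOn)
	}
	b, err := json.Marshal(deps)
	return string(b), err
}

// Constructed sample data, not from a real scan: spring-core and spring-jcl are
// siblings inside app.jar, so nesting cannot reveal that spring-core depends on
// spring-jcl; that edge exists only in declared metadata.
var samplePackages = []Package{
	{Ref: "app", VirtualPath: "/opt/app.jar"},
	{Ref: "spring-core", VirtualPath: "/opt/app.jar:BOOT-INF/lib/spring-core.jar"},
	{Ref: "spring-jcl", VirtualPath: "/opt/app.jar:BOOT-INF/lib/spring-jcl.jar"},
	{Ref: "tool", VirtualPath: "/usr/lib/tool.jar"},
}

var sampleDeclared = map[string][]string{
	"app":         {"spring-core"},
	"spring-core": {"spring-jcl"},
}

func main() {
	for _, c := range ContainsRelationships(samplePackages) {
		fmt.Println(c.Parent, "contains", c.Child)
	}
	out, err := DependenciesSection(samplePackages, sampleDeclared)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Run as is, the nesting yields only `app contains spring-core` and `app contains spring-jcl`; the `spring-core -> spring-jcl` edge appears in the dependencies array solely because the declared map supplies it, which is the gap a path-based approach cannot close.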