Have a query deps(...) mode that ignores data dependencies

[sfc-gh-sgiesecke]

Description of the feature request:

When running bazel query deps(some-target), the result includes data dependencies and their transitive dependencies. I would like to ignore/exclude data dependencies.

What underlying problem are you trying to solve with this feature?

I am only interested in the libraries that are linked into some-target. Ultimately I want to assert that the set of of libraries linked into some-target does not include certain libraries.

Which operating system are you running Bazel on?

Linux

What is the output of bazel info release?

6.2.0

If bazel info release returns development version or (@non-git), tell us how you built Bazel.

No response

What's the output of git remote get-url origin; git rev-parse master; git rev-parse HEAD ?

No response

Have you found anything relevant by searching the web?

15017 is loosely related, but it's not about querying, but about whether data dependencies are built when building the target that specifies them.

Any other information, logs, or outputs that you want to share?

No response

[sfc-gh-sgiesecke]

@Pavank1992 I don't think this relates to external dependencies.

[aiuto]

I understand the need, but don't think a simple flag (similar to --notool_deps) is sufficient.

I'm coming at this from the question of producing viable SBOMs for built artifacts. Towards that end, we'll need to be able to ask about different types of artifacts. It is not just "data", but there are many kinds of data. For example

• Images and help text
• Configuration files which are distributed with an app but the user is expected to edit
• Data files which drive an interpreter that is the binary
• .sig files which are data for the package, but are not actually part of the binary artifact

In the future, we're going to be asked to be able to make those distinctions clear. My thinking of late has been that

• rule authors should be able to mark rule attribute definitions with the type of relationship (tool, runtime data, other kinds of data).
• *query, rule impls and aspect evaluation should be able to examine these annotations and filter/change behavior based on that.

While we are discussing this, let's open up the conversation. Is it really about data, or are you looking to filter query results based on what is linked into a binary vs. what is a runtime dep in general? #15017 talked about "data", but I think the real need was build time vs. execution time.

[sfc-gh-sgiesecke]

are you looking to filter query results based on what is linked into a binary vs. what is a runtime dep

Yes, I think that's the distinction we need. Data dependencies were just the most problematic ones, because they are also built from code from our own codebase, and once they get merged in the query result we can't tell that apart from code that is linked into the binary at hand.

[aiuto]

Is it really the data deps you want to prune or would pruning the tools that build the data work?

You could use Bazel cquery --notool_deps --noplicit_deps ...

On Thu, Oct 26, 2023, 3:12 PM Simon Giesecke @.***> wrote:

are you looking to filter query results based on what is linked into a binary vs. what is a runtime dep

Yes, I think that's the distinction we need. Data dependencies were just the most problematic ones, because they are also built from code from our own codebase, and once they get merged in the query result we can't tell that apart from code that is linked into the binary at hand.

— Reply to this email directly, view it on GitHub https://github.com/bazelbuild/bazel/issues/18655#issuecomment-1781097608, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAXHHHDKSLRROQNIREKLCG3YBJOUDAVCNFSM6AAAAAAZE2TMQGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTOOBRGA4TONRQHA . You are receiving this because you commented.Message ID: @.***>

[sfc-gh-sgiesecke]

Is it really the data deps you want to prune

Yes. Another binary is a data dependency. The tools that built it don't matter much, they could easily be filtered out.

[aiuto]

LOL... I did not see that I already answered this in August. It's still the same. You can probably write an aspect that will do what you want.

[guw]

@aiuto I have a requirement to filter runtime dependencies from the result. I am analyzing Java dependency use and I don't care about runtime_deps but deps.

Interestingly but not related to this issue (but similar problem), there are uses where I want to disallow compile time use but not runtime use, i.e. don't allow visibility for deps but allow visibility for runtime_deps.