conan-io / conan-extensions

Some extra Conan commands for different purposes, like artifactory tasks, conan-center-index, etc
MIT License

[question] test_requires in lockfile/SBOM #144

Open dkoerner-festo opened 1 month ago

dkoerner-festo commented 1 month ago

What is your question?

test_requires packages (e.g. gtest) are entered as "requires" in the lockfiles and are therefore also part of the SBOM. I think such requires should not be included in the SBOM. Or is there any reason for this?


memsharded commented 1 month ago

Hi @dkoerner-festo

Thanks for your question.

Do you mean the conan sbom:cyclonedx extension command? This is not related to lockfiles, that would be a different thing. Maybe we need to move this ticket to the https://github.com/conan-io/conan-extensions repo?

dkoerner-festo commented 1 month ago

Hi @memsharded ,

I looked at the extension. I was wrong ;). I thought only the info from the lockfiles was evaluated, but the extension is using the Conan graph information.

In my opinion the test_requires and tool_requires should not be part of the SBOM. To filter out these dependencies I would skip all items with "node.context == build" and "node.test == true". Would this be correct?

memsharded commented 1 month ago

So then, I'll move this ticket to the extensions repo, as this would be to discuss about the conan sbom: extension command. Thanks!

memsharded commented 1 month ago

> In my opinion the test_requires and tool_requires should not be part of the SBOM. To filter out these dependencies I would skip all items with "node.context == build" and "node.test == true". Would this be correct?

It would be good to have the feedback from experts. I am not sure what the expected behavior is, or maybe this should be an option for users?

memsharded commented 1 month ago

Maybe @jkowalleck or @hedtke have some feedback regarding this?

hedtke commented 1 month ago

Indeed, this detail was not considered before. They should either be ignored, or we add a new flag to add them. Do we have any favorite way here?

dkoerner-festo commented 4 days ago

I would prefer to ignore by default and add a flag to add them.
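The filter proposed earlier in the thread (skip nodes with `context == "build"` and nodes with `test == True`) combined with the opt-in flag preferred at the end, written out as an added Python example. This is not code from conan-extensions or from the sbom:cyclonedx command; the `Node` class, the sample graph, the refs and versions, and the `include_test` / `include_build` parameter names are constructed for illustration. The `nodes_from_graph_json` helper assumes the `{"graph": {"nodes": {...}}}` layout with per-node `ref`, `context` and `test` fields that `conan graph info --format=json` produces; check that against your Conan version before relying on it.

```python
"""Select which Conan graph nodes belong in an SBOM.

Added example, not part of conan-extensions. Implements the rule discussed
in the thread: drop build-context nodes (tool_requires) and test nodes
(test_requires) by default, and expose flags to add them back.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """Minimal stand-in for a Conan graph node (constructed for this example)."""
    ref: str          # e.g. "zlib/1.3.1"
    context: str      # "host" or "build"
    test: bool = False  # True when the node was reached via test_requires


# Constructed sample graph; refs and versions are hypothetical.
SAMPLE_GRAPH = [
    Node("app/1.0", "host"),
    Node("zlib/1.3.1", "host"),
    Node("gtest/1.14.0", "host", test=True),   # test_requires
    Node("cmake/3.28.1", "build"),             # tool_requires
    Node("ninja/1.11.1", "build"),             # tool_requires
]

# Constructed JSON in the shape assumed for `conan graph info --format=json`
# (assumption: nodes live under graph.nodes keyed by index, each with
# ref/context/test). Only the fields this example reads are included.
SAMPLE_GRAPH_JSON = json.dumps({
    "graph": {
        "nodes": {
            "0": {"ref": "app/1.0", "context": "host", "test": False},
            "1": {"ref": "zlib/1.3.1", "context": "host", "test": False},
            "2": {"ref": "gtest/1.14.0", "context": "host", "test": True},
            "3": {"ref": "cmake/3.28.1", "context": "build", "test": False},
            "4": {"ref": "ninja/1.11.1", "context": "build", "test": False},
        }
    }
})


def nodes_from_graph_json(text):
    """Parse the assumed graph JSON layout into Node objects."""
    data = json.loads(text)
    return [
        Node(n["ref"], n["context"], bool(n.get("test", False)))
        for n in data["graph"]["nodes"].values()
    ]


def belongs_in_sbom(node, include_test=False, include_build=False):
    """Apply the thread's filter: skip build-context and test nodes unless
    the corresponding flag is set."""
    if node.context == "build" and not include_build:
        return False
    if node.test and not include_test:
        return False
    return True


def select_sbom_components(graph, include_test=False, include_build=False):
    """Return the refs that should become SBOM components, in graph order."""
    return [
        n.ref for n in graph
        if belongs_in_sbom(n, include_test=include_test, include_build=include_build)
    ]


def to_components(refs):
    """Split "name/version" refs into the name/version pairs a CycloneDX
    component needs. Kept deliberately minimal; not the extension's output."""
    components = []
    for ref in refs:
        name, _, version = ref.partition("/")
        components.append({"type": "library", "name": name, "version": version})
    return components


if __name__ == "__main__":
    print("default:", select_sbom_components(SAMPLE_GRAPH))
    print("with tests:", select_sbom_components(SAMPLE_GRAPH, include_test=True))
    print("with build tools:", select_sbom_components(SAMPLE_GRAPH, include_build=True))
    print(json.dumps(to_components(select_sbom_components(SAMPLE_GRAPH)), indent=2))
```

Because the filter works on per-node flags rather than on edges, a library that is both a regular requirement of the application and a requirement of a test framework stays in the SBOM: Conan shares that host node and it is not marked `test`, so only packages reachable exclusively through test_requires are dropped.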