microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License
1.51k stars 121 forks

Excluding development dependencies (e.g. npm devDependencies) #592

Closed josundt closed 1 month ago

josundt commented 1 month ago

Development time dependencies (like npm devDependencies) do not belong in a software bill of materials (SBOM). Such dependencies are not "materials" of the "software", but rather tools used at development/build time.

Development dependencies normally do not concern external stakeholders, and it is therefore normally desirable to exclude them from an SBOM.

In my opinion, it would be most correct if sbom-tool excluded development dependencies by default. But that will introduce a behavioral breaking change for the tool.

So I guess instead there should be a way to configure this (command line arg?).

FYI: Comparison: npm audit (which runs an npm dependency graph vulnerability scan) supports the argument --omit dev to exclude devDependencies.

Can you please prioritize this feature request?

THEJRRR commented 1 month ago

As it stands, there is not a consistent way to accomplish this across languages. In addition, we believe the packages that can impact the built software, like dev dependencies, should be disclosed in the SBOM. When VEX statements are fully implemented, that will be the place to indicate if packages do not impact the built software and how that is the case.
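For readers who need the requested behaviour before any built-in option exists, here is an added post-processing example (not sbom-tool code): it takes an SPDX 2.2 JSON document and the project's package.json and drops packages whose npm purl names a direct devDependency, along with the relationships that reference them. It assumes the tool's output carries a `pkg:npm/...` purl in each package's `externalRefs`; both inputs below are constructed samples.

```python
from urllib.parse import unquote

# Constructed sample inputs: a minimal SPDX 2.2 JSON document in the shape sbom-tool
# emits (only the fields this filter needs) and the project's package.json.
SPDX_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "demo-app", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.0.0"},
        {"name": "express", "SPDXID": "SPDXRef-Package-A", "versionInfo": "4.18.2",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/express@4.18.2"}]},
        {"name": "jest", "SPDXID": "SPDXRef-Package-B", "versionInfo": "29.7.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/jest@29.7.0"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-RootPackage", "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-A", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-B", "relationshipType": "DEPENDS_ON"},
    ],
}
PACKAGE_JSON = {"dependencies": {"express": "^4.18.2"}, "devDependencies": {"jest": "^29.7.0"}}


def npm_name_from_purl(purl):
    """Return the npm package name from a pkg:npm purl (scope kept), or None for other types."""
    if not purl.startswith("pkg:npm/"):
        return None
    name = unquote(purl[len("pkg:npm/"):].split("?", 1)[0])  # drop qualifiers, decode %40
    head, sep, _version = name.rpartition("@")
    return head if sep and head else name  # "@scope/x@1.0" -> "@scope/x"; "x" -> "x"


def strip_dev_dependencies(doc, package_json):
    """Return (filtered doc, sorted removed SPDXIDs) with direct npm devDependencies dropped.

    Packages are matched on their purl rather than the display name; relationships that
    reference a removed package are dropped too. Transitive dev-only packages stay.
    """
    dev_names = set(package_json.get("devDependencies", {}))
    removed, kept = set(), []
    for pkg in doc["packages"]:
        purls = (r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl")
        if any(npm_name_from_purl(p) in dev_names for p in purls):
            removed.add(pkg["SPDXID"])
        else:
            kept.append(pkg)
    rels = [r for r in doc.get("relationships", [])
            if r["spdxElementId"] not in removed and r["relatedSpdxElement"] not in removed]
    return {**doc, "packages": kept, "relationships": rels}, sorted(removed)
```

Because only names listed under devDependencies are removed, a package that is both a dev dependency and a transitive runtime dependency would be dropped too, which is the kind of case the maintainer's reply cautions about.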