Closed josundt closed 1 month ago
As it stands, there is not a consistent way to accomplish this across languages. In addition, we believe the packages that can impact the built software, like dev dependencies, should be disclosed in the SBOM. When VEX statements are fully implemented, that will be the place to indicate if packages do not impact the built software and how that is the case.
Development time dependencies (like npm `devDependencies`) do not belong in a software bill of materials (SBOM). Such dependencies are not "materials" of the "software", but rather tools used at development/build time. Development dependencies do not normally concern external stakeholders, and it is therefore normally desirable to exclude them from a SBOM.
In my opinion, it would be most correct if `sbom-tool` excluded development dependencies by default. But that will introduce a behavioral breaking change for the tool. So I guess instead there should be a way to configure this (command line arg?)
Can you please prioritize this feature request?
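An added example (not sbom-tool's own code, and not from the issue) showing the check a consumer can run today: cross-reference the `packages` in an SPDX 2.2 JSON document against the project's `package.json` to see which SBOM entries are dev-only, and optionally post-process them out together with the relationships that reference them. The SPDX document and package.json below are constructed samples; the field names follow the SPDX 2.2 JSON schema, and the `SPDXRef-*` ids are made up for the example.

```python
import json

# Constructed SPDX 2.2 JSON fragment (not real sbom-tool output), trimmed to the
# fields this check needs: packages and the relationships that reference them.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2",
    "packages": [
        {"name": "express", "versionInfo": "4.18.2", "SPDXID": "SPDXRef-Package-express"},
        {"name": "typescript", "versionInfo": "5.3.3", "SPDXID": "SPDXRef-Package-typescript"},
        {"name": "eslint", "versionInfo": "8.56.0", "SPDXID": "SPDXRef-Package-eslint"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-express", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-typescript", "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-eslint", "relationshipType": "DEPENDS_ON"},
    ],
}

# Constructed package.json content for the same project.
SAMPLE_PACKAGE_JSON = {
    "dependencies": {"express": "^4.18.2"},
    "devDependencies": {"typescript": "^5.3.3", "eslint": "^8.56.0"},
}


def dev_only_names(package_json):
    """Names under devDependencies that are not also runtime dependencies."""
    return set(package_json.get("devDependencies", {})) - set(package_json.get("dependencies", {}))


def classify_sbom_packages(spdx_doc, package_json):
    """Split the SBOM's packages into (runtime, dev_time) lists of 'name@version'."""
    dev = dev_only_names(package_json)
    runtime, dev_time = [], []
    for pkg in spdx_doc.get("packages", []):
        ident = f"{pkg['name']}@{pkg.get('versionInfo', '')}"
        (dev_time if pkg["name"] in dev else runtime).append(ident)
    return runtime, dev_time


def strip_dev_packages(spdx_doc, package_json):
    """Copy of the SBOM with dev-only packages removed; relationships that point at a
    removed SPDXID are dropped too, so the document keeps no dangling references."""
    dev = dev_only_names(package_json)
    removed = {p["SPDXID"] for p in spdx_doc.get("packages", []) if p["name"] in dev}
    out = dict(spdx_doc)
    out["packages"] = [p for p in spdx_doc.get("packages", []) if p["SPDXID"] not in removed]
    out["relationships"] = [r for r in spdx_doc.get("relationships", [])
                            if r["spdxElementId"] not in removed and r["relatedSpdxElement"] not in removed]
    return out


if __name__ == "__main__":
    runtime, dev_time = classify_sbom_packages(SAMPLE_SPDX, SAMPLE_PACKAGE_JSON)
    print("runtime:", runtime, "dev-time:", dev_time)
    print(json.dumps(strip_dev_packages(SAMPLE_SPDX, SAMPLE_PACKAGE_JSON), indent=2))
```

A stripped copy is a local workaround only; the maintainers' position above is that build-affecting packages stay disclosed and their non-impact is expressed through VEX.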