microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License

[Microsoft.Sbom.Targets] Mark as DevelopmentDependency #714

Closed KalleOlaviNiemitalo closed 1 month ago

KalleOlaviNiemitalo commented 2 months ago

Microsoft.Sbom.Targets.csproj should set <DevelopmentDependency>true</DevelopmentDependency> so that, when dotnet add package adds the Microsoft.Sbom.Targets package to a project, the PackageReference item gets this kind of metadata by default:

    <PackageReference Include="Microsoft.Sbom.Targets" Version="2.2.8">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>

Then, any NuGet package built from that project will not declare a dependency on Microsoft.Sbom.Targets. The DevelopmentDependency setting is documented in https://learn.microsoft.com/nuget/reference/msbuild-targets#pack-target and https://github.com/NuGet/Home/wiki/DevelopmentDependency-support-for-PackageReference.

DevelopmentDependency does not matter if the PackageReference is automatically added by the .NET SDK as in https://github.com/dotnet/sdk/pull/43151, because dotnet add package is not used in this case; but it can be useful if the package is used with an older SDK that does not do so, or perhaps if the developer wants to use a specific version of Microsoft.Sbom.Targets instead of the SDK default.

_Originally posted by @KalleOlaviNiemitalo in https://github.com/microsoft/sbom-tool/pull/674#discussion_r1751708750 and then https://github.com/microsoft/sbom-tool/issues/693#issuecomment-2340388481_
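One way to verify the effect described in the comment above on a packed consumer package, as an added example that is not part of the issue or of the sbom-tool project: it opens a .nupkg, reads its .nuspec and reports any declared dependency on build-only tooling such as Microsoft.Sbom.Targets. The BUILD_ONLY_PACKAGES set and the sample nuspec contents are constructed assumptions.

```python
"""Check a packed NuGet package (.nupkg) or its .nuspec for dependencies on
build-only tooling that should have stayed private (PrivateAssets=all)."""
import zipfile
import xml.etree.ElementTree as ET

# Build-time tooling that must not appear in a consumer's dependency list.
# Microsoft.Sbom.Targets comes from the issue; extend the set for your own build (assumption).
BUILD_ONLY_PACKAGES = {"microsoft.sbom.targets"}


def _local(tag):
    """Strip the XML namespace; the nuspec namespace URI varies by NuGet version."""
    return tag.rsplit("}", 1)[-1]


def leaked_dev_dependencies(nuspec_xml, build_only=BUILD_ONLY_PACKAGES):
    """Return [(targetFramework, id, version)] for every <dependency> whose id is a
    build-only package. An empty list means the pack step did not leak the tooling."""
    root = ET.fromstring(nuspec_xml)  # accepts str or bytes
    leaks = []
    for deps in (e for e in root.iter() if _local(e.tag) == "dependencies"):
        for child in deps:
            if _local(child.tag) == "group":  # framework-specific group
                tfm, entries = child.get("targetFramework", "any"), list(child)
            else:  # legacy flat <dependency> directly under <dependencies>
                tfm, entries = "any", [child]
            for dep in entries:
                if _local(dep.tag) == "dependency" and dep.get("id", "").lower() in build_only:
                    leaks.append((tfm, dep.get("id"), dep.get("version")))
    return leaks


def leaked_dev_dependencies_in_nupkg(path, build_only=BUILD_ONLY_PACKAGES):
    """A .nupkg is a zip archive; its .nuspec sits at the archive root."""
    with zipfile.ZipFile(path) as pkg:
        nuspec = next(n for n in pkg.namelist() if n.lower().endswith(".nuspec") and "/" not in n)
        return leaked_dev_dependencies(pkg.read(nuspec), build_only)


# Constructed sample: what a pack without PrivateAssets=all on the tooling reference produces.
LEAKING_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Contoso.Library</id><version>1.0.0</version>
    <dependencies>
      <group targetFramework="net8.0">
        <dependency id="Microsoft.Sbom.Targets" version="2.2.8" />
        <dependency id="Newtonsoft.Json" version="13.0.3" />
      </group>
    </dependencies>
  </metadata>
</package>"""

# Constructed sample: the same package once DevelopmentDependency/PrivateAssets=all took effect.
CLEAN_NUSPEC = LEAKING_NUSPEC.replace('<dependency id="Microsoft.Sbom.Targets" version="2.2.8" />', "")
```

Run it against real output with `leaked_dev_dependencies_in_nupkg("bin/Release/Contoso.Library.1.0.0.nupkg")` after `dotnet pack`; a non-empty result means the tooling reference leaked into consumers.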