Closed: slayo11 closed this issue 3 weeks ago
This is bad. I even added support for the dev flag to the CycloneDX tool.
But we have to accept their justification: in the end the lock file format is not officially documented and they are free to change it.
We could try to use `poetry show --without dev` ... but this is again a proprietary format, or maybe use `poetry export -f requirements.txt --output requirements.txt --without-hashes`.
As far as I can see, `--without dev` has no effect on the requirements file.
`--without dev` has no effect because it is the default behaviour of the poetry export plugin not to include group `dev` dependencies (ref).
If you try `poetry export -f requirements.txt --with dev -o requirements.txt --without-hashes` then we'll obtain a requirements.txt with both main and dev dependencies.
So if going with the export plugin is the way, I think `poetry export -f requirements.txt --output requirements.txt --without-hashes` is the right command.
cyclonedx-python 5.1.0 still manages to exclude dev dependencies. Their trick seems to be that they also load `pyproject.toml` and evaluate this file to determine the final list of dependencies.
Hello,
Starting from poetry 1.5.0 (ref) the "category" field, based on which capycli skips dev dependencies, is no longer part of the `poetry.lock` file (#7637). This causes capycli to list all the dependencies, dev ones included, and in our projects to load those into SW360 too.
I'm not so acquainted with poetry internals, but I guess that a solution would require reading the main dependencies from the `pyproject.toml` file and resolving the transitive dependencies of the main dependencies from the `poetry.lock`, as looking only at the lock file isn't enough to exclude dev dependencies.
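The approach sketched in the issue body above (and the one the earlier comment says cyclonedx-python 5.1.0 uses) as an added example that is not capycli's, poetry's or cyclonedx-python's own code: take the direct dependencies from `[tool.poetry.dependencies]` in `pyproject.toml`, then walk the `[package.dependencies]` tables of `poetry.lock` transitively, so that anything reachable only from a dev group is never collected, no "category" field needed. The `pyproject.toml` and `poetry.lock` contents are constructed samples trimmed to the fields the walk needs (versions are illustrative), the function names are this example's own, and environment markers such as `platform_system == "Windows"` are deliberately not evaluated, so a marker-only dependency is kept, which is the conservative choice for an SBOM.

```python
# Added example (not capycli's or poetry's code): derive the main-group dependency set
# of a Poetry project from pyproject.toml plus poetry.lock, without the "category"
# field that poetry >= 1.5 no longer writes.  Needs Python 3.11 (tomllib) or tomli.
import re

try:
    import tomllib
except ModuleNotFoundError:
    import tomli as tomllib

# Constructed sample inputs, trimmed to the fields the walk needs.
PYPROJECT = r"""
[tool.poetry.dependencies]
python = "^3.10"
requests = "^2.31"
Click = { version = "^8.1" }

[tool.poetry.group.dev.dependencies]
pytest = "^7.4"
"""

POETRY_LOCK = r"""
[[package]]
name = "certifi"
version = "2023.7.22"

[[package]]
name = "click"
version = "8.1.7"

[package.dependencies]
colorama = {version = "*", markers = "platform_system == \"Windows\""}

[[package]]
name = "colorama"
version = "0.4.6"

[[package]]
name = "pluggy"
version = "1.3.0"

[[package]]
name = "pytest"
version = "7.4.2"

[package.dependencies]
colorama = {version = "*", markers = "sys_platform == \"win32\""}
pluggy = ">=0.12,<2.0"

[[package]]
name = "requests"
version = "2.31.0"

[package.dependencies]
certifi = ">=2017.4.17"
"""


def normalize(name: str) -> str:
    # PEP 503 name normalisation, so "Click" in pyproject matches "click" in the lock.
    return re.sub(r"[-_.]+", "-", name).lower()


def main_dependencies(pyproject_text: str) -> set[str]:
    # Direct dependencies of the main group only; "python" is an interpreter constraint.
    deps = tomllib.loads(pyproject_text)["tool"]["poetry"].get("dependencies", {})
    return {normalize(n) for n in deps if normalize(n) != "python"}


def locked_graph(lock_text: str) -> dict[str, tuple[str, set[str]]]:
    # name -> (locked version, names it depends on), read from [package.dependencies].
    graph = {}
    for pkg in tomllib.loads(lock_text).get("package", []):
        deps = pkg.get("dependencies", {})  # values may be strings, tables or lists
        graph[normalize(pkg["name"])] = (pkg["version"], {normalize(d) for d in deps})
    return graph


def resolve_main(pyproject_text: str, lock_text: str) -> dict[str, str]:
    # Transitive closure of the main dependencies over the lock graph.  A package
    # reachable from both groups (colorama here) is kept; pytest/pluggy are never reached.
    graph = locked_graph(lock_text)
    todo = list(main_dependencies(pyproject_text))
    resolved: dict[str, str] = {}
    while todo:
        name = todo.pop()
        if name in resolved:
            continue
        if name not in graph:
            raise KeyError(f"{name} is declared in pyproject.toml but absent from poetry.lock")
        version, deps = graph[name]
        resolved[name] = version
        todo.extend(d for d in deps if d not in resolved)
    return resolved


def dev_only(pyproject_text: str, lock_text: str) -> set[str]:
    # Everything locked that the main group does not reach, i.e. what the SBOM should drop.
    return set(locked_graph(lock_text)) - set(resolve_main(pyproject_text, lock_text))


if __name__ == "__main__":
    print(resolve_main(PYPROJECT, POETRY_LOCK))
    print("dev only:", dev_only(PYPROJECT, POETRY_LOCK))
```

Run against the samples, `resolve_main` returns requests, certifi, click and colorama with their locked versions, while pytest and pluggy come back from `dev_only`. The walk raises if `pyproject.toml` names a package the lock file does not contain, which is the signal that the two files are out of sync and the SBOM should not be trusted.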