Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Scope property is always being set to required #843

Open
thompson-tomo opened this issue Jan 28, 2024 · 8 comments · May be fixed by #844
Open

Scope property is always being set to required #843

thompson-tomo opened this issue Jan 28, 2024 · 8 comments · May be fixed by #844
Labels
bug Something isn't working

Comments

@thompson-tomo
Copy link

In my project I have a number of packagereference which has the privateAssets/excludedAssets property set to all yet when I look at the bom which is generated it has the scope property set to required for all components.

@github-actions github-actions bot added the triage Don't know what to do with this yet label Jan 28, 2024
@mtsfoni mtsfoni linked a pull request Jan 28, 2024 that will close this issue
@mtsfoni mtsfoni added bug Something isn't working and removed triage Don't know what to do with this yet labels Jan 28, 2024
Copy link

This issue is stale because it has been open for 3 months with no activity.

@github-actions github-actions bot added the stale label Apr 28, 2024
@thompson-tomo
Copy link
Author

@mtsfoni how is this progressing?

@mtsfoni
Copy link
Contributor

mtsfoni commented Apr 28, 2024

#847 and #848 basically has the solution to the problem that we discussed regarding figuring out what is a dev dependency and what not. Unfortunately, the PR is like 90% done, if is recall correctly.

After that, I planned to introduce an enum CLI-argument, so users can decide how to handle dev dependencies.
Options would be so far:

  • Completely excluded from SBOM (this might be the default option for now)
  • Marked with Scope-Excluded
  • Regularly Included

After checking with different people in the CycloneDX core group, I got different answers how to handle dev-dependencies and what e.g. excluded scope is meant for (Somewhere it said for components that must be added to the scope of delivery). Hence, I just want to give the full control about that to the user.

Unfortunately, I'm busy with updating the cdx-dotnet-library to version 1.6 before I can put a lot of time into the tool again.
Maybe check out said PR and see what it still needs to be finished? I think it was just minor details there.

@thompson-tomo
Copy link
Author

Ok thanks for the update @mtsfoni I might see if I can determine what is outstanding to help it along.

@github-actions github-actions bot removed the stale label May 5, 2024
Copy link

github-actions bot commented Aug 4, 2024

This issue is stale because it has been open for 3 months with no activity.

@github-actions github-actions bot added the stale label Aug 4, 2024
@thompson-tomo
Copy link
Author

Still awaiting for solution

@github-actions github-actions bot removed the stale label Aug 11, 2024
Copy link

This issue is stale because it has been open for 3 months with no activity.

@github-actions github-actions bot added the stale label Nov 10, 2024
@thompson-tomo
Copy link
Author

Still relevant

@github-actions github-actions bot removed the stale label Nov 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants