Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Excluding development dependencies (e.g. npm devDependencies) #592

Closed
josundt opened this issue Jun 6, 2024 · 3 comments
Closed

Excluding development dependencies (e.g. npm devDependencies) #592

josundt opened this issue Jun 6, 2024 · 3 comments

Comments

@josundt
Copy link

josundt commented Jun 6, 2024
edited
Loading

Development time dependencies (like npm devDependencies) do not belong in a software bill of materials (SBOM).
Such dependencies are not "materials" of the "software", but rather tools used at development/build time.

Development dependencies do normally not concern external stakeholders, and it is therefore normally desirable to exclude them from a SBOM.

In my opinion, it would be most correct if sbom-tool excluded development dependencies by default.
But that will introduce a behavioral breaking change for the tool.

So I guess instead there should be a way to configure this (command line arg?)

FYI: Comparison: npm audit (which runs an npm dependency graph vulnerability scan), supports the argument --omit dev to exclude devDependencies.

Can you please prioritize this feature request?
@THEJRRR
Copy link
Collaborator

THEJRRR commented Jun 6, 2024

As it stands, there is not a consistent way to accomplish this across languages. In addition, we believe the packages that can impact the built software, like dev dependencies, should be disclosed in the SBOM. When VEX statements are fully implemented, that will be the place to indicate if packages do not impact the built software and how that is the case.

@THEJRRR THEJRRR closed this as completed Jun 6, 2024
@mvarblow
Copy link

mvarblow commented Dec 4, 2024
edited
Loading

While it's not supported for all package ecosystems, it looks like labeling dev dependencies is a feature of the Component Detection library. So I don't see how lack of support is a good reason not to include the feature. Npm is one ecosystem where it is supported. And this is the ecosystem where it's most needed (or at least requested).

https://github.com/microsoft/component-detection/blob/main/docs/feature-overview.md

FWIW, this was requested (and rejected) early on in #78. In the comments for this earlier issue, it was also pointed out that lack of component detection support seems like a bad/false reason not to implement the feature.

@ollwenjones
Copy link

I also disagree that "packages that can impact the built software" is enough of a rubric for including devDependencies cart blanch. A devDependency is often something used to assist the development of a package (e.g. express in webpack dev server), but has 0 possibility of impacting the shipped software itself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ollwenjones @THEJRRR @mvarblow @josundt