[POETRY] option to omit dev-requirements
Hi!
I'm using this command: `poetry run cyclonedx-bom -p -i poetry.lock -o cyclonedx-bom.xml --force`, which generates a report with all requirements.
I think we need a flag which disables the scan of dev-requirements.
Sounds reasonable.
Pull requests are welcome. Do you want to give it a try?
Hi, I have a need which is similar but a bit different: that would be to have dev-requirements dependencies not omitted but flagged as such. Maybe by setting the field https://cyclonedx.org/docs/1.4/json/#components_items_scope to "optional" for dev-requirements and to "required" for others.
Is there some property in CycloneDX that describes a component as a "dev-dependency"? I suppose not.
@madpah So to publish this as a custom property, it would start with a taxonomy definition, à la `cdx:npm:package:development` in https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/npm.md
Would it be something like that https://github.com/camillem/cyclonedx-property-taxonomy/blob/main/cdx/poetry.md ? (and should I open a new issue, as we have diverged a bit from the initial topic?)
re: https://github.com/CycloneDX/cyclonedx-python/issues/374#issuecomment-1245151046
> [...] should I open a new issue [...]

Yes. A separate issue at https://github.com/CycloneDX/cyclonedx-property-taxonomy would be good, to discuss the initial needs. The PR would then be created by the @CycloneDX/python-maintainers
And yes, a separate issue regarding poetry-driven properties would be good, too, as the original request in this issue was about omitting data.
@camillem , @rugleb , the proposal was ~~made~~ merged - see https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/29
If you'd like, you could start with an implementation, or a draft, or a proof of concept. :-D
@jkowalleck: thanks! Currently trying to come up with a draft/PoC :-)
@rugleb @camillem this issue was superseded by #474
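
The two behaviours discussed in this thread (omitting dev-requirements, or keeping them and setting the component `scope` to "optional"), sketched as an added example that is not part of the thread and is not cyclonedx-python's own code. It assumes a poetry.lock layout in which each `[[package]]` entry carries a `category` of "main" or "dev"; the function names, the `omit_dev` parameter and the sample lock content are hypothetical.

```python
import json

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # backport for older interpreters

# Constructed sample lock file (assumption: per-package "category" field).
SAMPLE_LOCK = '''
[[package]]
name = "requests"
version = "2.28.1"
category = "main"

[[package]]
name = "pytest"
version = "7.1.3"
category = "dev"
'''


def components_from_lock(lock_text, omit_dev=False):
    """Return CycloneDX-style component dicts built from poetry.lock text.

    omit_dev=True drops dev packages (the original request). Otherwise dev
    packages are kept with scope "optional" and all others get "required".
    """
    components = []
    for pkg in tomllib.loads(lock_text).get("package", []):
        # A missing category is treated as "main" so nothing is dropped silently.
        is_dev = pkg.get("category", "main") == "dev"
        if is_dev and omit_dev:
            continue
        purl_name = pkg["name"].lower().replace("_", "-")
        components.append({
            "type": "library",
            "name": pkg["name"],
            "version": pkg["version"],
            "purl": f"pkg:pypi/{purl_name}@{pkg['version']}",
            "scope": "optional" if is_dev else "required",
        })
    return components


def build_bom(lock_text, omit_dev=False):
    """Wrap the components in a minimal CycloneDX 1.4 JSON document."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components_from_lock(lock_text, omit_dev)}


if __name__ == "__main__":
    print(json.dumps(build_bom(SAMPLE_LOCK), indent=2))
```

Keeping dev packages in the BOM with a distinct scope lets a consumer filter them at analysis time, while `omit_dev=True` removes them from the document entirely.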