#Issue 847 - Fix runtime dependencies if developer dependencies are excluded #848
base: master
Conversation
But I have a problem with: If I understand correctly, you remove all dependencies that are only dependent on dev-dependencies, which was actually requested here. However, at the step of gathering the dependencies the reasonable action should be to just mark those transitive dev-dependencies as dev-dependencies. How to handle them is still open; there seem to be different opinions, ranging from "they actually should be part of the SBOM (as component or as formulation)" to "they should be marked as
Dear Michael, finally I applied the proposal you made, and I am now marking dependencies as dev dependencies instead of forcibly removing them. Actually I think my solution also covers the problem of the case mentioned here. The serious case, because of which I started to jump into the code and check how developer dependencies are handled, was that we have more fine-grained control on the package assets with (ExcludeAssets, PrivateAssets, IncludeAssets).
Please would you be so kind to check the current solution proposal again?
Cases:
Really-really thanks a lot in advance!
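The difference between the two strategies discussed above, removing dependencies reachable only through dev-dependencies versus marking them as dev, is easiest to see on a small dependency graph. The following is an added example written for this discussion; it is not code from cyclonedx-dotnet, and the package names, the graph shape and the `dev_refs` set are constructed. The interesting node is `Shared.Util`, which is reached both through a runtime reference and through a dev reference: it must stay a runtime dependency, and a naive "drop everything below a dev reference" approach loses it, which is the kind of runtime-dependency breakage the PR title refers to (that naive function is a constructed illustration, not a claim about the project's earlier code).

```python
"""Classify transitive dependencies as runtime or dev instead of dropping them.

Added example (not cyclonedx-dotnet code). The graph maps each package to the
packages it references directly; ``dev_refs`` is the set of direct references
the project marks as development dependencies. All names are constructed.
"""
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed sample graph with hypothetical package names.
SAMPLE_GRAPH: Dict[str, List[str]] = {
    "App": ["Runtime.Lib", "Test.Framework"],
    "Runtime.Lib": ["Shared.Util"],
    "Test.Framework": ["Test.Core", "Shared.Util"],
    "Test.Core": ["Test.Abstractions"],
    "Test.Abstractions": [],
    "Shared.Util": [],
}
SAMPLE_DEV_REFS: Set[str] = {"Test.Framework"}


def _closure(graph: Dict[str, List[str]], starts: Iterable[str]) -> Set[str]:
    """Breadth-first transitive closure; tolerates cycles and unknown nodes."""
    seen: Set[str] = set()
    queue = deque(starts)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def classify(graph: Dict[str, List[str]], root: str, dev_refs: Set[str]) -> Dict[str, str]:
    """Return {package: "runtime" | "dev"} for every package reachable from root.

    A package is "runtime" if it is reachable from root without passing through a
    dev reference; everything else that is reachable is "dev". Nothing is dropped,
    and the input graph is not mutated (a new mapping is returned instead).
    """
    direct = graph.get(root, [])
    runtime = _closure(graph, [d for d in direct if d not in dev_refs])
    everything = _closure(graph, direct)
    return {pkg: ("runtime" if pkg in runtime else "dev") for pkg in sorted(everything)}


def naive_exclude(graph: Dict[str, List[str]], root: str, dev_refs: Set[str]) -> List[str]:
    """Constructed illustration of the wrong strategy: subtract everything below a
    dev reference. Shared packages reachable from both sides disappear."""
    everything = _closure(graph, graph.get(root, []))
    below_dev = _closure(graph, dev_refs)
    return sorted(everything - below_dev)


def runtime_only(graph: Dict[str, List[str]], root: str, dev_refs: Set[str]) -> List[str]:
    """Runtime view derived from classify(): the correct way to 'exclude' dev deps."""
    return sorted(p for p, scope in classify(graph, root, dev_refs).items() if scope == "runtime")


if __name__ == "__main__":
    for pkg, scope in classify(SAMPLE_GRAPH, "App", SAMPLE_DEV_REFS).items():
        print(f"{pkg:20} {scope}")
    print("naive exclude keeps:", naive_exclude(SAMPLE_GRAPH, "App", SAMPLE_DEV_REFS))
    print("runtime_only keeps: ", runtime_only(SAMPLE_GRAPH, "App", SAMPLE_DEV_REFS))
```

Mapping the `"dev"` label onto a CycloneDX component scope (or onto a formulation, as the comment above mentions as one of the open options) is deliberately left to the caller; the point of the function is that the information survives the gathering step.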
At first glance it looks good. I will test the code on the weekend. I will have a few nitpicky change requests regarding style. Also, I'll need you to sign off your contribution for legal reasons. I will try to get your code released quickly. Should be in the next 2 weeks, hopefully. Thanks for the contribution, especially as it took a little work off my back (there is still a lot to do for this tool).
…xcluded. Signed-off-by: Tibor Götz <tibor.gotz.ext@siemens-healthineers.com>
Signed-off-by: Tibor Götz <tibor.gotz.ext@siemens-healthineers.com>
…y remove them. Signed-off-by: Tibor Götz <tibor.gotz.ext@siemens-healthineers.com>
d4a9cc1 to 1dbf940
Dear Michael, sorry for my limited knowledge, but please could you share with me the proposals about the style, because in this case I will try to commit those changes/adaptations as well. Really-really thanks a lot for your efforts in advance!
… the problem with PrivateAssets. Signed-off-by: MTsfoni <mibau89@gmail.com>
Signed-off-by: MTsfoni <mibau89@gmail.com>
Signed-off-by: MTsfoni <mibau89@gmail.com>
Hey Götz,
Private asset means, to my understanding (please correct me if I am wrong), that it belongs to the output of this project, but other projects referring to this project (via package- or project reference) will not output this private asset. So by that understanding, generally your comment

But there is an extra twist: What if the SBOM is generated for a NuGet (library) package? Will the private asset be part of the package or not? Because if it isn't, marking it as a development dependency would be correct again. In that case CycloneDX might need a way to just mark it as a private dependency and then figure out later (maybe by the CLI arguments) if it is a dev dependency or not.

So I modified the test cases and added one extra test case to your branch. Currently, one of them is failing because serilog is being excluded (it appears in the /bin folder of the project).

By the way: forget about the nitpicks; as I already checked the branch out, I will just do them myself later. It's just about preference. For example, here I would just prepare a return value for more clarity instead of changing the contents of the list inside the function.
Please see #Issue847