Does this spec support to describe the transitivity and scope of dependencies

[WestFarmer]

In java's ecosystem, with maven as build tool.

when a project specify it depends on some libraries, those libraries can also depends on other libraries.

for example:

project P -> lib A -> lib B -> lib c

for project P, only lib A is called direct dependency, while B and C are called transitive dependencies.

and dependencies can have scope, for example a project P may depends on lib B, but only for running unit tests.

project P -> lib A 
         \-> lib B(test scope)

what's the corresponding concepts in CycloneDX specs ?

[jkowalleck]

for (transitive) dependencies, see an example here: https://cyclonedx.org/use-cases/#dependency-graph

graph TD;
    acme-app --> pkg:maven/org.acme/web-framework
    acme-app --> pkg:maven/org.acme/persistence
    pkg:maven/org.acme/web-framework --> pkg:maven/org.acme/common-util
    pkg:maven/org.acme/persistence --> pkg:maven/org.acme/common-util

Loading

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
     serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
     version="1">
    <metadata>
        <!-- The component for which this BOM describes -->
        <component type="application" bom-ref="acme-app">
            <name>Acme Application</name>
            <version>9.1.1</version>
        </component>
    </metadata>
    <components>
        <component type="framework" bom-ref="pkg:maven/org.acme/web-framework@1.0.0">
            <group>org.acme</group>
            <name>web-framework</name>
            <version>1.0.0</version>
            <purl>pkg:maven/org.acme/web-framework@1.0.0</purl>
        </component>
        <component type="library" bom-ref="pkg:maven/org.acme/persistence@3.1.0">
            <group>org.acme</group>
            <name>persistence</name>
            <version>3.1.0</version>
            <purl>pkg:maven/org.acme/persistence@3.1.0</purl>
        </component>
        <component type="library" bom-ref="pkg:maven/org.acme/common-util@3.0.0">
            <group>org.acme</group>
            <name>common-util</name>
            <version>3.0.0</version>
            <purl>pkg:maven/org.acme/common-util@3.0.0</purl>
        </component>
    </components>
    <dependencies>
        <!-- Direct dependencies of the main application -->
        <dependency ref="acme-app">
            <dependency ref="pkg:maven/org.acme/web-framework@1.0.0"/>
            <dependency ref="pkg:maven/org.acme/persistence@3.1.0"/>
        </dependency>
        <!-- All other dependency relationships -->
        <dependency ref="pkg:maven/org.acme/web-framework@1.0.0">
            <dependency ref="pkg:maven/org.acme/common-util@3.0.0"/>
        </dependency>
        <dependency ref="pkg:maven/org.acme/persistence@3.1.0">
            <dependency ref="pkg:maven/org.acme/common-util@3.0.0"/>
        </dependency>
        <dependency ref="pkg:maven/org.acme/common-util@3.0.0"/>
    </dependencies>
</bom>

[jkowalleck]

for scopes, see component's scope: https://cyclonedx.org/docs/1.6/json/#components_items_scope

"required" :
The component is required for runtime

"optional" :
The component is optional at runtime. Optional components are components that are not capable of being called due to them not being installed or otherwise accessible by any means. Components that are installed but due to configuration or other restrictions are prohibited from being called must be scoped as 'required'.

"excluded" :
Components that are excluded provide the ability to document component usage for test and other non-runtime purposes. Excluded components are not reachable within a call graph at runtime.

[WestFarmer]

@jkowalleck These three cannot reflect the concept of development dependency in npm, nor the concept of test dependency in maven. Are there any plans to expand

[jkowalleck]

the concept of development dependency in npm

Development dependencies are "excluded" components. Components may also be enhanced with property cdx:npm:package:development according to https://cyclonedx.github.io/cyclonedx-property-taxonomy/cdx/npm.html
See current art here: https://github.com/CycloneDX/cyclonedx-node-npm

the concept of test dependency in maven

Test dependencies are "excluded" components.
See current art here: https://github.com/CycloneDX/cyclonedx-maven-plugin

[jkowalleck]

Are there any plans to expand

CycloneDX is a community driven standard. If there is a general need for enhancement, open an issue here: https://github.com/CycloneDX/specification/issues/new?assignees=&labels=proposed+core+enhancement&projects=&template=1-feature.md&title=%5BFEATURE%5D%3A+%3Cyour+title+here%3E