[question] test_requires in lockfile/SBOM #144
Comments
Thanks for your question. Do you mean the
Hi @memsharded, I looked at the extension. I was wrong ;). I thought only the info from the lockfiles was evaluated, but the extension is using the Conan graph information. In my opinion the test_requires and tool_requires should not be part of the SBOM. To filter out these dependencies I would skip all items with "node.context == build" and "node.test == true". Would this be correct?
So then, I'll move this ticket to the extensions repo, as this would be to discuss about the
It would be good to have feedback from experts; I am not sure what the expected behavior is, or maybe this should be an option for users?
Maybe @jkowalleck or @hedtke have some feedback regarding this?
Indeed, this detail was not considered before. They should either be ignored, or we add a new flag to add them. Do we have any favorite way here?
I would prefer to ignore by default and add a flag to add them.
#159 solves at least the build-context part.
Adding
I'm on sick leave until August 2025 and will not have the time to work on this.
Thanks for the feedback @hedtke, I'll try to remember not to ping you, I hope everything goes well in your leave. Thanks very much for everything!
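The filter proposed above, worked through as an added example (this is not the conan-extensions SBOM generator's own code). It assumes the node shape of Conan 2's `conan graph info --format=json` output, where each node carries a `ref`, a `context` of `host` or `build`, and a boolean `test`; the sample graph is constructed, and the `include_build`/`include_test` flags stand in for the opt-in option discussed later in the thread. Node `0` is the consumer itself and is reported separately, since it belongs in the SBOM metadata rather than the component list.

```python
import json

# Constructed sample in the shape of `conan graph info --format=json` (Conan 2).
# Field names "ref", "context" and "test" are assumed from that output format.
SAMPLE_GRAPH_JSON = json.dumps({
    "graph": {
        "nodes": {
            "0": {"ref": "myapp/1.0", "context": "host", "test": False,
                  "dependencies": {"1": {"ref": "zlib/1.3.1", "build": False, "test": False},
                                   "2": {"ref": "gtest/1.14.0", "build": False, "test": True},
                                   "3": {"ref": "cmake/3.29.0", "build": True, "test": False}}},
            # plain requires: host context, not a test requirement
            "1": {"ref": "zlib/1.3.1", "context": "host", "test": False, "dependencies": {}},
            # test_requires: still host context, but flagged as test
            "2": {"ref": "gtest/1.14.0", "context": "host", "test": True, "dependencies": {}},
            # tool_requires: build context
            "3": {"ref": "cmake/3.29.0", "context": "build", "test": False, "dependencies": {}},
        }
    }
})


def keep_for_sbom(node: dict, include_build: bool = False, include_test: bool = False) -> bool:
    """Apply the rule from the comment: drop build-context and test nodes
    unless the caller explicitly opts in to them."""
    if node.get("context") == "build" and not include_build:
        return False
    if node.get("test", False) and not include_test:
        return False
    return True


def sbom_components(graph_json: str, include_build: bool = False,
                    include_test: bool = False) -> tuple[str, list[str]]:
    """Return (root_ref, sorted component refs) for the SBOM.

    Node "0" is the consumer (root) and is excluded from the component list;
    every other node is kept only if keep_for_sbom() accepts it.
    """
    nodes = json.loads(graph_json)["graph"]["nodes"]
    root_ref = nodes["0"]["ref"]
    components = sorted(
        node["ref"]
        for node_id, node in nodes.items()
        if node_id != "0" and keep_for_sbom(node, include_build, include_test)
    )
    return root_ref, components


if __name__ == "__main__":
    root, comps = sbom_components(SAMPLE_GRAPH_JSON)
    print(f"{root}: {comps}")                       # default: only zlib
    print(sbom_components(SAMPLE_GRAPH_JSON, include_build=True, include_test=True)[1])
```

With the defaults the only component left is the real runtime dependency; passing both flags restores gtest and cmake, which matches the "ignore by default, add a flag to include them" preference expressed further down. Note that the `test` flag lives on the node, not only on the edge from the consumer, so a test dependency is dropped even when reached transitively.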
What is your question?
test_requires packages (e.g. gtest) are entered as "requires" in the lockfiles and are therefore also part of the SBOM. I think such requires should not be included in the SBOM. Or is there any reason for this?