feat: mark Poetry's dev-dependencies component.scope as "excluded"
#675
Labels: enhancement, good first issue, help wanted, source: poetry
Is your feature request related to a problem? Please describe.
Per CycloneDX specification, the components' scope means
The current implementation does not set any scope, meaning it falls back to "required".
For dev-dependencies this would be wrong.
From a Poetry lock file, it is possible to determine whether a component is a runtime-dependency.
Describe the solution you'd like
For Poetry lock file analysis results:
mark all components that are dev-dependencies only as "excluded" in the resulting SBOM.
Describe alternatives you've considered
none