ASK：how to identify a component is directly or indirecty dependency?

[jackhj000]

Just according to the value of 'scope' (required, optional) in SBOM？ is that accurate？thanks

if is_required and package_type not in config.OS_PKG_TYPES:
            package_usage = ":direct_hit: Direct usage"
            package_name_style = "[bold]"
        elif full_pkg in optional_pkgs or project_type_pkg in optional_pkgs:
            if package_type in config.OS_PKG_TYPES:
                package_usage = (
                    "[spring_green4]:notebook: Local install[/spring_green4]"
                )
                has_os_packages = True
            else:
                package_usage = (
                    "[spring_green4]:notebook: Indirect dependency[/spring_green4]"
                )
            package_name_style = "[italic]"

[prabhu]

@jackhj000 This is correct. Currently, cdxgen and other tools use/misuse the scope attribute to represent direct dependency. However, with the recent 1.5 spec we can do this cleanly with evidence and dependencies (tree).

https://cyclonedx.org/docs/1.5/json/#components_items_evidence_identity

[jackhj000]

thanks very much.

[prabhu]

@jackhj000 We have added the dependency tree with 4.2.0. Please take a look and let us know if it suits your use case.