Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: Support for CycloneDX Scope Data #4647

Open
2 tasks done
VinodAnandan opened this issue Feb 13, 2025 · 0 comments
Open
2 tasks done

Feature Request: Support for CycloneDX Scope Data #4647

VinodAnandan opened this issue Feb 13, 2025 · 0 comments
Labels
enhancement New feature or request help wanted Extra attention is needed p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort

Comments

@VinodAnandan
Copy link
Contributor

Current Behavior

Summary
CycloneDX provides component scope data ( https://cyclonedx.org/docs/1.6/json/#components_items_scope ), which indicates whether a component is required, optional or excluded. This data can be used to classify development and other optional dependencies, enhancing transparency while allowing them to be segregated from other scopes.

Problem Statement
Currently, Dependency-Track does not utilise scope data from CycloneDX SBOMs. This omission may lead users to generate SBOMs that exclude optional dependencies, potentially creating a false sense of security and reducing overall transparency.

Proposed Behavior

Proposed Solution

MVP Implementation

  • Store component scope data from CycloneDX SBOMs.
  • Display scope information in the UI to help users make informed decisions.

Future Enhancements

  • Integrate scope data into policy enforcement and notifications, allowing users to leverage it for advanced use cases.

Checklist
@VinodAnandan VinodAnandan added the enhancement New feature or request label Feb 13, 2025
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort labels Feb 13, 2025
@VinodAnandan VinodAnandan added the help wanted Extra attention is needed label Feb 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nscuro @VinodAnandan