
required-only means no dependencies? #466

Open
prabhu opened this issue Aug 14, 2023 Discussed in #460 · 15 comments

Comments

@prabhu
Collaborator

prabhu commented Aug 14, 2023

Discussed in #460

Originally posted by malice00 August 13, 2023
I was working on some issues, when I found the following pieces of code:

cdxgen/index.js, line 953 in c3c1d95:

```js
const dependencies = !options.requiredOnly ? context.dependencies || [] : [];
```

and

cdxgen/index.js, lines 1230 to 1236 in c3c1d95:

```js
if (bomJsonObj.dependencies && !options.requiredOnly) {
  dependencies = mergeDependencies(
    dependencies,
    bomJsonObj.dependencies,
    parentComponent
  );
}
```

With some testing, it indeed seems that when I run cdxgen with --required-only, no dependencies are added to the SBOM, so no dependency-tree will be available in tools like dependency-track...

Is this intentional? If so, what is the reason to not generate the dependencies?

I have to admit, for my project it doesn't matter if I use --required-only or not, but I would prefer it to work the same either way.

@countfnx

This issue also applies to JS/TS projects with npm packages. If "--required-only" is set, no dependencies and no devDependencies will be contained in the SBOM file.
I looked a little bit into the source code, and you already flag in utils.js whether the dependencies are optional:

```js
const scope = node.dev === true ? "optional" : undefined;
```

This scope property should somehow be considered when you do the following in index.js:

```js
const dependencies = !options.requiredOnly ? context.dependencies || [] : [];
```

@ansonallard
Contributor

I would like to "plus 1" on this issue. We are building SBOMs using the required only field, and would still like a dependency output to construct a dependency graph.

@prabhu
Collaborator Author

prabhu commented Oct 13, 2023

@ansonallard @countfnx could you kindly test the PR #634

@ansonallard
Contributor

I was able to test the PR and the dependencies output appears to be correct. When I uploaded the resulting CycloneDX 1.4 schema to dependency track, it was not able to generate a dependency graph, so I am actively investigating what is going on there. Dependency track is able to generate a dependency graph for cyclone dx files that do not make use of the --required-only parameter. I'm not sure if the error is on the dependency track side or an issue with the SBOM generation. I'll let you know of my findings.

@prabhu
Collaborator Author

prabhu commented Oct 13, 2023

@ansonallard, does cdxgen print the tree with -p? Dependency Track seems to be looking for a perfect tree which is harder and work-in-progress. In contrast, tools like depscan are working with multiple dangling trees from cdxgen.

@ansonallard
Contributor

cdxgen does print a tree with the -p option. When you say a perfect tree, do you mean a tree with only one root node and no detached nodes (nodes that are not a part of the tree)?

@prabhu
Collaborator Author

prabhu commented Oct 14, 2023

By the way, if anyone wants to view the tree for an existing SBOM, use the cdxi REPL command:

```sh
cdxi <bom json>
tree
```

More docs on the REPL mode here

https://cyclonedx.github.io/cdxgen/#/?id=advanced-usage

@countfnx

> @ansonallard @countfnx could you kindly test the PR #634

Yes, I did test it on two projects and it seems to work correctly! Good job, thanks :)!

Is it also somehow possible to have only the top-level references in the SBOM without the transitive ones?

@prabhu
Collaborator Author

prabhu commented Oct 16, 2023

> > @ansonallard @countfnx could you kindly test the PR #634
>
> Yes, I did test it on two projects and it seems to work correctly! Good job, thanks :)!
>
> Is it also somehow possible to have only the top-level references in the SBOM without the transitive ones?

Could you try the various filters from the docs?

https://cyclonedx.github.io/cdxgen/#/ADVANCED?id=filtering-components

@countfnx

Unfortunately, I didn't find any possibility. According to the Advanced.md documentation, it says regarding the --required-only flag: "These are usually considered direct dependencies."
I think this doesn't work, probably because you parse the package-lock.json, which contains all dependencies, even the sub-dependencies.

@prabhu
Collaborator Author

prabhu commented Oct 17, 2023

Can you try it? The scope attribute gets set after a usage analysis.

@countfnx

countfnx commented Oct 18, 2023

Yes, I tried the "--required-only" flag. It gives me all dependencies without the devDependencies, but with all sub-dependencies.
Example: generating an SBOM for this project: https://github.com/typicode/json-server
The package.json contains only 19 direct dependencies, but the SBOM contains 114 dependencies.

@prabhu
Collaborator Author

prabhu commented Oct 18, 2023

@countfnx, this behavior is correct and is what is implemented. You can further refine the SBOM by running evinse, which would then also attach occurrence and call-stack evidence. This way, we are tracking both the direct usages and the dependency tree.
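The two points raised in this thread (countfnx's suggestion that the `scope` attribute should drive the `--required-only` filter instead of the dependency list being emptied, and the later question of direct versus transitive dependencies) can be shown on a small CycloneDX document. The following is an added example, not cdxgen's own code: it filters a BOM to `required`-scoped components while pruning the dependency graph to the retained bom-refs, derives the direct dependencies from the root's `dependsOn` entry, and checks for dangling references of the kind that stop a consumer such as Dependency-Track from rendering a tree. The BOM below is constructed for illustration; its purls and versions are made up.

```javascript
// Added example, not part of cdxgen. Constructed sample BOM: the root
// component "app" depends on express (required) and jest (dev, hence
// "optional"); express pulls body-parser, jest pulls chalk.
const sampleBom = {
  bomFormat: "CycloneDX",
  specVersion: "1.4",
  metadata: { component: { "bom-ref": "pkg:npm/app@1.0.0", name: "app" } },
  components: [
    { "bom-ref": "pkg:npm/express@4.18.2", name: "express", scope: "required" },
    { "bom-ref": "pkg:npm/body-parser@1.20.1", name: "body-parser", scope: "required" },
    { "bom-ref": "pkg:npm/jest@29.0.0", name: "jest", scope: "optional" },
    { "bom-ref": "pkg:npm/chalk@4.1.2", name: "chalk", scope: "optional" },
  ],
  dependencies: [
    { ref: "pkg:npm/app@1.0.0", dependsOn: ["pkg:npm/express@4.18.2", "pkg:npm/jest@29.0.0"] },
    { ref: "pkg:npm/express@4.18.2", dependsOn: ["pkg:npm/body-parser@1.20.1"] },
    { ref: "pkg:npm/body-parser@1.20.1", dependsOn: [] },
    { ref: "pkg:npm/jest@29.0.0", dependsOn: ["pkg:npm/chalk@4.1.2"] },
    { ref: "pkg:npm/chalk@4.1.2", dependsOn: [] },
  ],
};

function rootRef(bom) {
  return bom.metadata && bom.metadata.component
    ? bom.metadata.component["bom-ref"]
    : undefined;
}

// Keep only components whose scope is "required" and prune the dependency
// graph to those bom-refs (plus the root), instead of dropping the graph.
function filterRequiredOnly(bom) {
  const components = (bom.components || []).filter((c) => c.scope === "required");
  const keep = new Set(components.map((c) => c["bom-ref"]));
  const root = rootRef(bom);
  if (root) keep.add(root);
  const dependencies = (bom.dependencies || [])
    .filter((d) => keep.has(d.ref))
    .map((d) => ({
      ref: d.ref,
      dependsOn: (d.dependsOn || []).filter((r) => keep.has(r)),
    }));
  return { ...bom, components, dependencies };
}

// Direct dependencies are whatever the root component's entry depends on;
// everything reachable beyond that is transitive.
function directDependencies(bom) {
  const entry = (bom.dependencies || []).find((d) => d.ref === rootRef(bom));
  return entry ? [...(entry.dependsOn || [])] : [];
}

// Breadth-first walk from the root, returning every reachable bom-ref
// except the root itself (direct plus transitive).
function transitiveClosure(bom) {
  const byRef = new Map((bom.dependencies || []).map((d) => [d.ref, d.dependsOn || []]));
  const seen = new Set();
  const queue = [...directDependencies(bom)];
  while (queue.length) {
    const ref = queue.shift();
    if (seen.has(ref)) continue;
    seen.add(ref);
    queue.push(...(byRef.get(ref) || []));
  }
  return [...seen];
}

// Every ref and dependsOn entry must resolve to a component or the root;
// anything else is a dangling reference that breaks graph rendering.
function danglingRefs(bom) {
  const known = new Set((bom.components || []).map((c) => c["bom-ref"]));
  const root = rootRef(bom);
  if (root) known.add(root);
  const bad = new Set();
  for (const d of bom.dependencies || []) {
    if (!known.has(d.ref)) bad.add(d.ref);
    for (const r of d.dependsOn || []) if (!known.has(r)) bad.add(r);
  }
  return [...bad];
}

const filtered = filterRequiredOnly(sampleBom);
console.log("required-only components:", filtered.components.map((c) => c.name));
console.log("direct:", directDependencies(filtered));
console.log("direct + transitive:", transitiveClosure(filtered));
console.log("dangling:", danglingRefs(filtered));
```

Running the file prints two retained components (express and body-parser), one direct dependency and two reachable ones, and an empty dangling list; a BOM that dropped the `dependencies` array altogether would instead yield no direct dependencies at all, which is the symptom reported at the top of this issue.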

@countfnx

OK, then the second sentence in the docs "Advanced.md" is misleading:
"Pass --required-only to only store components with the scope attribute set to required. These are usually considered direct dependencies."

@prabhu
Collaborator Author

prabhu commented Oct 18, 2023

@countfnx, I think I know what is happening. Let me improve the filter

Could you kindly test the PR #644

Thank you for your perseverance!

prabhu added a commit that referenced this issue Oct 18, 2023
…on in #466

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
prabhu added a commit that referenced this issue Oct 19, 2023
* Perform bom-ref decode during creation at source

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Bug fix. With yarn v1 packages without integrity wasn't included

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Aggressively mark packages as optional in evidence mode. See discussion in #466

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>