In generating an SBOM, do you also generate the components with the scope field set? See
https://cyclonedx.org/docs/1.6/json/#components_items_scope
As in required, optional or excluded.
My understanding is that when a package is included in a product but is not part of the product (such as test or build), it could be marked as excluded in the scope field.
The default for this field is required, so technically it is an optional field.
Just trying to understand how this field can be used.
For example: our understanding is that an SBOM should include everything that is shipped in a product, even if it is not used.
Some of our docker images have build artefacts buried in the layers that need to be listed; as they are not used, we still have to list them, but we wanted a way to say they were not part of the runtime of the product.
The scope field appears to be what this is for, and I would like some confirmation of this.
Thanks, N
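An added example, not code from this discussion or from the CycloneDX project: a minimal CycloneDX 1.6 component list using the three scope values, a consumer-side check that applies the spec's "required" default, and a helper that marks shipped-but-unused build artefacts as excluded while keeping them listed. Component names, versions and purls are constructed for illustration.

```python
import json

# Constructed sample CycloneDX 1.6 document; names and versions are made up for
# illustration and are not from the discussion or any real image.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        # No "scope" key: consumers assume "required".
        {"type": "library", "name": "libssl3", "version": "3.0.13",
         "purl": "pkg:deb/debian/libssl3@3.0.13"},
        {"type": "library", "name": "pytest", "version": "8.1.1",
         "purl": "pkg:pypi/pytest@8.1.1", "scope": "optional"},
        # Shipped in an image layer but never used at runtime.
        {"type": "application", "name": "gcc", "version": "12.2.0",
         "purl": "pkg:deb/debian/gcc@12.2.0", "scope": "excluded"},
    ],
}

VALID_SCOPES = ("required", "optional", "excluded")


def effective_scope(component):
    """Return the component's scope, applying the spec default of 'required'."""
    scope = component.get("scope", "required")
    if scope not in VALID_SCOPES:
        raise ValueError(f"{component.get('name')}: invalid scope {scope!r}")
    return scope


def partition_by_scope(bom):
    """Group component names by effective scope, so a reviewer can see at a
    glance what is part of the runtime and what is merely present."""
    groups = {scope: [] for scope in VALID_SCOPES}
    for component in bom.get("components", []):
        groups[effective_scope(component)].append(component["name"])
    return groups


def exclude_matching(bom, is_build_artifact):
    """Return a copy of the BOM in which every component for which
    is_build_artifact(component) is true is marked scope=excluded.
    Components stay listed, which is what keeps the SBOM complete."""
    copy = json.loads(json.dumps(bom))
    for component in copy.get("components", []):
        if is_build_artifact(component):
            component["scope"] = "excluded"
    return copy
```

`partition_by_scope` answers the question a reviewer of an image asks first: which listed components are actually part of the runtime, and which are present only because they were left behind in a layer.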