Skip to content

Feature Request: Support for CycloneDX Scope Data #4647

New issue
New issue
Open
#5224
Open
Feature Request: Support for CycloneDX Scope Data#4647
#5224
Labels
enhancementNew feature or requestgood first issueGood for newcomershelp wantedExtra attention is neededp2Non-critical bugs, and features that help organizations to identify and reduce risksize/SSmall effort
Milestone
4.14.0
@VinodAnandan

Description

@VinodAnandan
VinodAnandan
opened on Feb 13, 2025

Current Behavior

Summary
CycloneDX provides component scope data ( https://cyclonedx.org/docs/1.6/json/#components_items_scope ), which indicates whether a component is required, optional or excluded. This data can be used to classify development and other optional dependencies, enhancing transparency while allowing them to be segregated from other scopes.

Problem Statement
Currently, Dependency-Track does not utilise scope data from CycloneDX SBOMs. This omission may lead users to generate SBOMs that exclude optional dependencies, potentially creating a false sense of security and reducing overall transparency.

Proposed Behavior

Proposed Solution

MVP Implementation

  • Store component scope data from CycloneDX SBOMs.
  • Display scope information in the UI to help users make informed decisions.

Future Enhancements

  • Integrate scope data into policy enforcement and notifications, allowing users to leverage it for advanced use cases.

Checklist

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestgood first issueGood for newcomershelp wantedExtra attention is neededp2Non-critical bugs, and features that help organizations to identify and reduce risksize/SSmall effort

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions