feat(sbom): mark devDependency components with CycloneDX scope "excluded"#12442
b6f4c31 to cacedc2
Code Review by Qodo: 🐞 Bugs (0), 📘 Rule violations (0), 📎 Requirement gaps (0)
Great, no issues found! Qodo reviewed your code and found no material issues that require review. Review updated until commit 7acb4ad (previous results up to commit cacedc2).
PR Summary by Qodo

sbom: mark dev-only CycloneDX components as scope="excluded"

Description
• Mark CycloneDX components reachable only via devDependencies as scope: "excluded".
• Keep runtime-reachable components (prod/dev+prod/installed optional) at default required scope.
• Add unit and command-level coverage for scope behavior in CycloneDX output.

Diagram
```mermaid
graph TD
  A(["pnpm sbom"]) --> B["SBOM builder"] --> C["SbomResult (depType)"] --> D["serializeCycloneDx.ts"] --> E["CycloneDX JSON"] --> F{{"Dependency-Track"}}
  G["DepType enum"] --> D
  subgraph Legend
    direction LR
    _cli(["CLI entrypoint"]) ~~~ _mod["Module"] ~~~ _ext{{"External consumer"}}
  end
```

High-Level Assessment
The following are alternative approaches to this PR:
1. Use CycloneDX `properties` to encode dev/prod reachability
2. Split outputs into separate BOMs (prod BOM vs dev BOM)
3. Mark dev deps as CycloneDX `scope: optional`
Recommendation: The current approach (map DevOnly to CycloneDX

File Changes
Enhancement (1)
Tests (2)
Documentation (1)
Components reachable only through devDependencies now get `scope: "excluded"` plus the `cdx:npm:package:development` property in CycloneDX output. The `excluded` scope documents non-runtime/test usage (valid in every exported spec version, 1.5/1.6/1.7); the property is the CycloneDX npm-taxonomy marker emitted by `@cyclonedx/cyclonedx-npm`, so both modern and existing consumers are covered. Runtime-reachable components (ProdOnly, DevAndProd, and installed optionalDependencies) omit both and default to `required`.
cacedc2 to 7acb4ad
Code review by qodo was updated up to the latest commit 7acb4ad
`pnpm sbom` emits no `scope` on any component today, so a consumer like Dependency-Track can't tell runtime dependencies from build-only ones. This sets `scope: "excluded"` on CycloneDX components reachable only through `devDependencies`. CycloneDX 1.7 defines `excluded` as "component usage for test and other non-runtime purposes", which is exactly a devDependency.

Runtime-reachable components keep the default (`scope` omitted → `required`), including installed `optionalDependencies`—`optional` is the wrong value there since per the spec it means "not installed". SPDX output is unchanged.

Tests

Unit tests cover DevOnly → `excluded`, ProdOnly → no scope, DevAndProd → no scope; a command test checks a dev-only dep gets `excluded` while a prod dep doesn't. Output still validates against the CycloneDX 1.6/1.7 schema.

Written by an agent (Claude Code, claude-fable-5).
Summary by CodeRabbit

New Features
- `pnpm sbom` (CycloneDX) to annotate components that are only reachable via development dependencies with `scope: "excluded"` and an npm development marker.
- `scope` and default to runtime semantics (including optional runtime installs).

Tests
- `scope`/development-marker behavior for dev-only vs runtime components, including mixed dev+prod cases.

Documentation
- `excluded` scope.
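The mapping described in the comment above and in the PR description (DevOnly → `scope: "excluded"` plus the `cdx:npm:package:development` property; ProdOnly, DevAndProd and installed optionalDependencies → no `scope`, i.e. the spec default `required`), written out as a stand-alone example. This is added illustration, not pnpm's `serializeCycloneDx.ts`: the `DepType` values, the `SbomComponent` and `CycloneDxComponent` shapes, and the sample packages are assumptions modelled on the PR text. The second function shows the consumer side the PR is aimed at: a Dependency-Track-style tool keeping only the components that actually ship at runtime.

```typescript
// Added example, not pnpm's own code. Types and DepType names are assumptions
// modelled on the PR description, not pnpm's real SbomResult types.

enum DepType {
  ProdOnly = 'prod-only',
  DevOnly = 'dev-only',
  DevAndProd = 'dev-and-prod',
}

interface SbomComponent {
  name: string
  version: string
  depType: DepType
  // true when the package was reached via optionalDependencies and is installed
  optional?: boolean
}

// The three values allowed by the CycloneDX 1.5/1.6/1.7 JSON schema
type CycloneDxScope = 'required' | 'optional' | 'excluded'

interface CycloneDxComponent {
  type: 'library'
  name: string
  version: string
  scope?: CycloneDxScope
  properties?: Array<{ name: string; value: string }>
}

// npm-taxonomy property that @cyclonedx/cyclonedx-npm emits for dev-only packages
const NPM_DEVELOPMENT_PROPERTY = 'cdx:npm:package:development'

function toCycloneDxComponent (c: SbomComponent): CycloneDxComponent {
  const out: CycloneDxComponent = { type: 'library', name: c.name, version: c.version }
  // Only components reachable solely through devDependencies are non-runtime.
  // Installed optionalDependencies are runtime code and keep the default
  // (scope omitted, read by consumers as "required"); CycloneDX "optional"
  // would wrongly claim the package is not installed.
  if (c.depType === DepType.DevOnly) {
    out.scope = 'excluded'
    out.properties = [{ name: NPM_DEVELOPMENT_PROPERTY, value: 'true' }]
  }
  return out
}

interface Bom {
  bomFormat: 'CycloneDX'
  specVersion: string
  components: CycloneDxComponent[]
}

function buildBom (components: SbomComponent[], specVersion = '1.6'): Bom {
  return { bomFormat: 'CycloneDX', specVersion, components: components.map(toCycloneDxComponent) }
}

// Consumer side: with scope populated, a BOM reader can drop build-only
// components before vulnerability matching. An explicit "required" or
// "optional" scope, or no scope at all, still counts as runtime.
function runtimeComponents (bom: { components?: CycloneDxComponent[] }): string[] {
  return (bom.components ?? [])
    .filter(c => c.scope !== 'excluded')
    .map(c => `${c.name}@${c.version}`)
}

// Constructed sample input (hypothetical packages, not a real pnpm SbomResult)
const SAMPLE: SbomComponent[] = [
  { name: 'express', version: '4.19.2', depType: DepType.ProdOnly },
  { name: 'typescript', version: '5.4.5', depType: DepType.DevOnly },
  { name: 'semver', version: '7.6.0', depType: DepType.DevAndProd },
  { name: 'fsevents', version: '2.3.3', depType: DepType.ProdOnly, optional: true },
]

const SAMPLE_BOM = buildBom(SAMPLE)

console.log(JSON.stringify(SAMPLE_BOM, null, 2))
console.log('runtime components:', runtimeComponents(SAMPLE_BOM))
```

Running it prints the BOM with `typescript` as the only component carrying `scope: "excluded"` and the npm development property, and a runtime list of `express`, `semver` and `fsevents`; the optional `fsevents` is kept because it is installed, which is exactly why the PR does not map it to CycloneDX `optional`.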