ASK: how to identify whether a component is a direct or indirect dependency? #108
Comments
@jackhj000 This is correct. Currently, cdxgen and other tools use/misuse the scope attribute to represent direct dependency. However, with the recent 1.5 spec we can do this cleanly with evidence and dependencies (tree). https://cyclonedx.org/docs/1.5/json/#components_items_evidence_identity

Thanks very much.

@jackhj000 We have added the dependency tree with 4.2.0. Please take a look and let us know if it suits your use case.
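
As an added example (not cdxgen code and not posted by anyone in this thread), the code below classifies components from the `dependencies` tree of a CycloneDX JSON BOM instead of from `scope`: refs in the root component's `dependsOn` are direct, anything else reachable from the root is transitive. The sample BOM and the name `classify_dependencies` are constructed for illustration, and the root is assumed to be `metadata.component`.

```python
# Constructed sample in CycloneDX 1.5 JSON shape (not real cdxgen output).
# In practice, load the BOM with json.load() instead.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "name": "app"}},
    "components": [
        {"bom-ref": "pkg:npm/lib-a@1.0.0", "scope": "required"},
        {"bom-ref": "pkg:npm/lib-b@2.0.0", "scope": "required"},
        {"bom-ref": "pkg:npm/lib-c@3.0.0", "scope": "optional"},
        {"bom-ref": "pkg:npm/lib-d@4.0.0"},  # absent from the tree
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@1.0.0",
         "dependsOn": ["pkg:npm/lib-a@1.0.0", "pkg:npm/lib-c@3.0.0"]},
        {"ref": "pkg:npm/lib-a@1.0.0",
         "dependsOn": ["pkg:npm/lib-b@2.0.0", "pkg:npm/lib-c@3.0.0"]},
        {"ref": "pkg:npm/lib-b@2.0.0",
         "dependsOn": ["pkg:npm/lib-a@1.0.0"]},  # constructed cycle
    ],
}


def classify_dependencies(bom):
    """Map each component bom-ref to 'direct', 'transitive' or 'unknown'."""
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    if root is None or root not in graph:
        raise ValueError("BOM has no root component in its dependency tree")
    direct = set(graph[root])
    # Walk the tree from the root; the visited set keeps cycles from looping.
    reachable, stack = set(), list(direct)
    while stack:
        ref = stack.pop()
        if ref in reachable:
            continue
        reachable.add(ref)
        stack.extend(graph.get(ref, []))
    result = {}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref")
        if ref in direct:
            result[ref] = "direct"  # direct wins even if also pulled in transitively
        elif ref in reachable:
            result[ref] = "transitive"
        else:
            result[ref] = "unknown"  # listed as a component but not in the tree
    return result
```

In the sample, `lib-b` has `scope: required` yet is transitive, and `lib-c` has `scope: optional` yet is direct, which is why `scope` alone does not answer the question.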
Just according to the value of 'scope' (required, optional) in SBOM? Is that accurate? Thanks