[POETRY] option to omit dev-requirements

[rugleb]

Hi!
I'm using this command: poetry run cyclonedx-bom -p -i poetry.lock -o cyclonedx-bom.xml --force which generates report with all requirements.
I think we need flag which disable scan of dev-requirements.

[jkowalleck]

Sounds reasonable.

Pull requests are welcome.
Do you want to give it a try?

[camillem]

Hi, I have a need which is similar but a bit different : that would be to have dev-requirements dependencies not omitted but flagged as such. May be by setting the field
https://cyclonedx.org/docs/1.4/json/#components_items_scope to "optional" for dev-requirements and to "required" for others.

[jkowalleck]

is there some property in CycloneDX that describes a component as a "dev-dependency"? I suppose not.

@madpah So to publish this as a custom property, it would start with a taxonomy definition. ala cdx:npm:package:development in https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/npm.md

[camillem]

Would it be something like that https://github.com/camillem/cyclonedx-property-taxonomy/blob/main/cdx/poetry.md ?
(and should I open a new issue, as we have diverged a bit from the initial topic?)

[jkowalleck]

re: #374 (comment)

[...] should I open a new issue [...]

yes. an own issue https://github.com/CycloneDX/cyclonedx-property-taxonomy would be good, to discuss the initial needs.
The PR would then be created by the @CycloneDX/python-maintainers

and yes, an own issue regarding poetry driven properties would be good, too. - as the original request in this issue was about omitting data.

[jkowalleck]

@camillem , @rugleb , the proposal was made merged - see CycloneDX/cyclonedx-property-taxonomy#29

if you'd like, you could start with a implementation. or a draft, or ProveOfConcept. :-D

[camillem]

@jkowalleck : thanks! Currently trying to come up with a draft/ PoC :-)

[jkowalleck]

@rugleb @camillem this issue was superseded by #474