Add command to remove dependencies from SPDX source SBOM #9653
base: master
CT Test Results: 1 file, 11 suites, 3m 38s. Results for commit 7696b12. This comment has been updated with latest results. To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass. See the TESTING and DEVELOPMENT HowTo guides for details about how to run tests locally. (Erlang/OTP Github Action Bot)
Would it not be better if we did it the other way around? That is, give the tool a list of which applications to keep?
We could. My assumption would be that many apps from Erlang/OTP are used. I am not sure what is best... since this is only for the source SBOM, whoever clones our repo probably needs all of it, I would think. I do not mind changing it the other way around. I think we need feedback from internal customers or Erlang users to understand what is better.
I can always add one more command call.
Co-authored-by: Lukas Backström <[email protected]>
Adds a command to remove dependencies from the SPDX source SBOM.

For example, removing the SPDX package `SPDXRef-otp-xmerl` implies `files` section of the SPDX document.

To facilitate removing dependents, we provide the following command, where the `removed.json` file contains a list of strings with the packages to be removed.
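An added example of the pruning described in the PR text; it is my own Python sketch over a constructed SPDX 2.3 JSON fragment, not the PR's tool or any Erlang/OTP code. Removing a package id listed in `removed.json` drops it from `packages`, drops the files only it contains from `files`, strips every relationship that references it, and returns the surviving packages that still DEPENDS_ON it, so dependents are surfaced instead of being left as dangling references that an SBOM consumer would reject.

```python
import json
from pathlib import Path

def rel(src, kind, dst):
    return {"spdxElementId": src, "relationshipType": kind, "relatedSpdxElement": dst}

# Constructed SPDX 2.3 JSON fragment, not OTP's real source SBOM; the ids
# follow the SPDXRef-otp-<app> pattern from the PR description.
SAMPLE_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"SPDXID": "SPDXRef-otp", "name": "otp"},
                 {"SPDXID": "SPDXRef-otp-xmerl", "name": "xmerl"},
                 {"SPDXID": "SPDXRef-otp-common_test", "name": "common_test"}],
    "files": [{"SPDXID": "SPDXRef-file-1", "fileName": "lib/xmerl/src/xmerl.erl"},
              {"SPDXID": "SPDXRef-file-2", "fileName": "lib/common_test/src/ct.erl"}],
    "relationships": [
        rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-otp"),
        rel("SPDXRef-otp", "CONTAINS", "SPDXRef-otp-xmerl"),
        rel("SPDXRef-otp", "CONTAINS", "SPDXRef-otp-common_test"),
        rel("SPDXRef-otp-xmerl", "CONTAINS", "SPDXRef-file-1"),
        rel("SPDXRef-otp-common_test", "CONTAINS", "SPDXRef-file-2"),
        rel("SPDXRef-otp-common_test", "DEPENDS_ON", "SPDXRef-otp-xmerl"),
    ],
}

def remove_packages(doc: dict, removed: list[str]) -> tuple[dict, set[str]]:
    """Return a pruned copy of doc plus the ids of surviving packages that
    still DEPENDS_ON a removed one, so dependents get handled, not dangled."""
    gone = set(removed)
    rels = doc.get("relationships", [])
    def contained_by(pred):  # elements reached via CONTAINS from packages matching pred
        return {r["relatedSpdxElement"] for r in rels
                if r["relationshipType"] == "CONTAINS" and pred(r["spdxElementId"])}
    # Files held only by removed packages leave the `files` section as well.
    gone |= contained_by(lambda p: p in gone) - contained_by(lambda p: p not in gone)
    dependents = {r["spdxElementId"] for r in rels if r["relationshipType"] == "DEPENDS_ON"
                  and r["relatedSpdxElement"] in gone and r["spdxElementId"] not in gone}
    out = dict(doc)
    out["packages"] = [p for p in doc.get("packages", []) if p["SPDXID"] not in gone]
    out["files"] = [f for f in doc.get("files", []) if f["SPDXID"] not in gone]
    out["relationships"] = [r for r in rels if r["spdxElementId"] not in gone
                            and r["relatedSpdxElement"] not in gone]
    return out, dependents

def prune_sbom(sbom_path: str, removed_json: str) -> set[str]:
    # removed.json holds a JSON list of package id strings, as in the PR.
    doc = json.loads(Path(sbom_path).read_text())
    out, dependents = remove_packages(doc, json.loads(Path(removed_json).read_text()))
    Path(sbom_path).write_text(json.dumps(out, indent=2))
    return dependents
```

A non-empty return value from `prune_sbom` is the signal to either add those dependents to `removed.json` or keep the package they rely on.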