Should the SBOM-file contain dev-Dependencies?
When we generate a sbom-file for our service: Are dev-dependencies supposed to be contained in it? I talk about packages which provide a test-framework or mocking-functionality for example which are required only in the test-project and not contained in a productive deployment. One the one hand i can argue: Dev-dependencies are not a possible vulnerability for a productive system, because they are not deployed there. But on the other hand i can also argue: When a dev-dependency has malicious code due to a supply-chain-attack-attempt then we may want to recognize this due to the sbom-file. So is there already a consensus about this question? Are there perhaps other arguments for or against?
When we generate a sbom-file for our service: Are dev-dependencies supposed to be contained in it? I talk about packages which provide a test-framework or mocking-functionality for example which are required only in the test-project and not contained in a productive deployment.
One the one hand i can argue: Dev-dependencies are not a possible vulnerability for a productive system, because they are not deployed there.
But on the other hand i can also argue: When a dev-dependency has malicious code due to a supply-chain-attack-attempt then we may want to recognize this due to the sbom-file.
So is there already a consensus about this question? Are there perhaps other arguments for or against?
What's Your Reaction?