Should the SBOM-file contain dev-Dependencies?

When we generate a sbom-file for our service: Are dev-dependencies supposed to be contained in it? I talk about packages which provide a test-framework or mocking-functionality for example which are required only in the test-project and not contained in a productive deployment. One the one hand i can argue: Dev-dependencies are not a possible vulnerability for a productive system, because they are not deployed there. But on the other hand i can also argue: When a dev-dependency has malicious code due to a supply-chain-attack-attempt then we may want to recognize this due to the sbom-file. So is there already a consensus about this question? Are there perhaps other arguments for or against?

Jan 16, 2025 - 19:14
 0
Should the SBOM-file contain dev-Dependencies?

When we generate a sbom-file for our service: Are dev-dependencies supposed to be contained in it? I talk about packages which provide a test-framework or mocking-functionality for example which are required only in the test-project and not contained in a productive deployment.

One the one hand i can argue: Dev-dependencies are not a possible vulnerability for a productive system, because they are not deployed there.

But on the other hand i can also argue: When a dev-dependency has malicious code due to a supply-chain-attack-attempt then we may want to recognize this due to the sbom-file.

So is there already a consensus about this question? Are there perhaps other arguments for or against?

What's Your Reaction?

like

dislike

love

funny

angry

sad

wow