Dependency Scanning should generate CycloneDX SBOM files with Component Type framework

Problem to solve

The CycloneDX specification v1.4 defines 8 possible component types, including library and framework. The documentation for type = library states that

If the library also has key features of a framework, then it should be classified as a framework.

In spite of this recommendation, Dependency Scanning generates CycloneDX SBOM files with type = library for components that have key features of a framework. Some examples obtained from different projects that use frameworks (Python/Django, PHP/Laravel, PHP/Lumen, Node.js/Angular) are listed below. All of them have type = library.

{
  "name": "Django",
  "version": "3.2.19",
  "purl": "pkg:pypi/Django@3.2.19",
  "type": "library",
  "bom-ref": "pkg:pypi/Django@3.2.19"
},

{
  "name": "laravel/framework",
  "version": "v9.52.16",
  "purl": "pkg:composer/laravel/framework@v9.52.16",
  "type": "library",
  "bom-ref": "pkg:composer/laravel/framework@v9.52.16"
},

{
  "name": "laravel/lumen-framework",
  "version": "v8.3.4",
  "purl": "pkg:composer/laravel/lumen-framework@v8.3.4",
  "type": "library",
  "bom-ref": "pkg:composer/laravel/lumen-framework@v8.3.4"
},

{
  "name": "@angular/cli",
  "version": "11.2.19",
  "purl": "pkg:npm/@angular/cli@11.2.19",
  "type": "library",
  "bom-ref": "pkg:npm/@angular/cli@11.2.19"
},

Is there a way to configure Dependency Scanning (Gemnasium) to use type = framework instead of type = library for these cases?

This is important for automating the monitoring of software framework versions with their support policies.

Configuration

GitLab Gemnasium: 4.15.1, 4.16.0, 4.17.0

Versions

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners

Versions

  • GitLab v16.9.2-ee
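Until the analyzers emit type = framework themselves, the generated SBOM can be post-processed before it is fed into version monitoring. The script below is an added example, not code from the original post or from Gemnasium; the framework allowlist, the sample SBOM (including the requests entry) and the file handling are constructed assumptions.

```python
import json
import sys

# Constructed allowlist of versionless package URLs that the CycloneDX 1.4
# guidance would classify as frameworks. Extend it for your own stack.
FRAMEWORK_PURLS = {
    "pkg:pypi/django",
    "pkg:composer/laravel/framework",
    "pkg:composer/laravel/lumen-framework",
    "pkg:npm/@angular/cli",
}

# Constructed sample in the shape Dependency Scanning emits (see the post above).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "Django", "version": "3.2.19", "purl": "pkg:pypi/Django@3.2.19",
         "type": "library", "bom-ref": "pkg:pypi/Django@3.2.19"},
        {"name": "@angular/cli", "version": "11.2.19", "purl": "pkg:npm/@angular/cli@11.2.19",
         "type": "library", "bom-ref": "pkg:npm/@angular/cli@11.2.19"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "type": "library", "bom-ref": "pkg:pypi/requests@2.31.0"},
    ],
}

def purl_without_version(purl):
    """Drop the '@version' suffix and lower-case the purl for matching.
    The '@' of an npm scope (pkg:npm/@angular/cli) is not a version separator:
    only the last '@' counts, and only when no '/' follows it."""
    head, sep, tail = purl.rpartition("@")
    if sep and "/" not in tail:
        purl = head
    return purl.lower()

def reclassify_frameworks(bom):
    """Set type='framework' on allowlisted components; return the purls changed."""
    changed = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if purl and comp.get("type") == "library" \
                and purl_without_version(purl) in FRAMEWORK_PURLS:
            comp["type"] = "framework"
            changed.append(purl)
    return changed

def framework_versions(bom):
    """Name -> version for every framework component, for support-policy checks."""
    return {c["name"]: c["version"] for c in bom.get("components", [])
            if c.get("type") == "framework"}

if __name__ == "__main__":  # usage: script.py gl-sbom-in.cdx.json gl-sbom-out.cdx.json
    with open(sys.argv[1]) as fh:
        bom = json.load(fh)
    print("reclassified:", reclassify_frameworks(bom))
    with open(sys.argv[2], "w") as fh:
        json.dump(bom, fh, indent=2)
```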

Hi, @glauberferreira! :wave: The Gemnasium project analyzers used by Dependency Scanning do not support this feature at this time. I’ve opened up issue 455048 to track this enhancement to the CycloneDX generation component of the analyzers. I’ve linked this forum post there as well, so that your use case is taken into account when working out the implementation. Thanks for mentioning this!
