
[FEATURE] library mode #1259

Open
@jkowalleck

Description

Is your feature request related to a problem? Please describe.

If I build an SBOM for a library, I do not want to have non-bundled components listed as if they were concrete.
These dependencies are extraneous, and their version is not clear - it is resolved at install time.
Also, the transitive dependencies of those are not clear until install time.

This should be reflected in the SBOM.

Describe the solution you'd like

Spec: CycloneDX/specification#321

add an option to have

  • only the bundled dependencies and the direct dependencies as components in the SBOM result.
  • direct dependencies' components must have no version.
  • direct dependencies' components must have a version range - #321
  • direct dependencies are marked as "extraneous" - #321

option could be called (list of ideas)

  • --library-mode
  • --mark-extraneous
  • --bundled-only
  • add your idea in the comments

new option MUST imply --omit dev and must cause

new option MUST be disabled by default
new option MUST be marked as experimental in help page
new option might set `--mc-type=library`

Describe alternatives you've considered

  • we could make it so that the existing option `--mc-type=library` causes this behaviour by default, but that would be a breaking change

Additional context

for libraries, non-bundled components are "extraneous" - this is discussed in #321

package.json knows the concept of

  • dependencies
  • bundleDependencies - definitely shipped
  • peerDependencies - definitely extraneous
    • they can be optional, in addition. example:
      "peerDependenciesMeta": {
        "webpack-cli": {
          "optional": true
        }
      }
      
  • devDependencies - no intention to be shipped.
    might shadow all of the above at build time
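As an added illustration (not the project's code, and not field names from the CycloneDX spec), here is how the library-mode rule proposed above could classify a constructed package.json: bundled dependencies become concrete components with a known version, other direct dependencies and peer dependencies are recorded as extraneous with only a version range, and devDependencies are omitted. The names `extraneous`, `versionRange` and `optional` are assumed placeholders, and npm's `bundleDependencies: true` shorthand (bundle everything) is handled as well.

```javascript
// Constructed sample manifest for a library package (not a real project).
const manifest = {
  name: 'example-lib',
  version: '1.2.3',
  dependencies: { lodash: '^4.17.21', 'left-pad': '1.3.0', chalk: '^5.0.0' },
  bundleDependencies: ['left-pad'],
  peerDependencies: { webpack: '^5.0.0', 'webpack-cli': '^4.0.0' },
  peerDependenciesMeta: { 'webpack-cli': { optional: true } },
  devDependencies: { jest: '^29.0.0' },
};

// Concrete versions are only known for what ships inside the package (constructed).
const bundledInstalled = { 'left-pad': '1.3.0' };

/**
 * Hypothetical "library mode" classification, following the issue's proposal:
 *  - bundled deps: concrete component with the installed version, not extraneous
 *  - other direct deps and peer deps: extraneous, version range only (no version)
 *  - devDependencies: omitted entirely (the option implies --omit dev)
 * Returns plain objects, not CycloneDX model instances.
 */
function libraryModeComponents(pkg, installed) {
  const deps = pkg.dependencies ?? {};
  const bundledField = pkg.bundleDependencies ?? pkg.bundledDependencies ?? [];
  // npm allows `true` to mean "bundle every dependency".
  const bundled = new Set(bundledField === true ? Object.keys(deps) : bundledField);
  const peerMeta = pkg.peerDependenciesMeta ?? {};
  const out = [];
  for (const [name, range] of Object.entries(deps)) {
    if (bundled.has(name)) {
      // A bundled dependency must physically exist; refuse to guess its version.
      if (!(name in installed)) throw new Error(`bundled dependency ${name} is not installed`);
      out.push({ name, version: installed[name], extraneous: false });
    } else {
      out.push({ name, versionRange: range, extraneous: true, optional: false });
    }
  }
  for (const [name, range] of Object.entries(pkg.peerDependencies ?? {})) {
    const optional = peerMeta[name]?.optional === true;
    out.push({ name, versionRange: range, extraneous: true, optional });
  }
  // devDependencies are intentionally never visited.
  return out;
}
```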

Contribution

  • I am willing to provide an implementation
  • I will wait until somebody else implements it
