Add an option to exclude development dependencies from the SBOM

README.md

@@ -43,7 +43,7 @@ The command line options are aligned to the standard Conan options.
 
 ```text
 $ cyclonedx-conan --help
-usage: command.py [-h] [-if INSTALL_FOLDER] [-db [DRY_BUILD]] [-b [BUILD]] [-r REMOTE] [-u] [-l LOCKFILE] [--lockfile-out LOCKFILE_OUT]
+usage: command.py [-h] [-if INSTALL_FOLDER] [-db [DRY_BUILD]] [--exclude-dev] [-b [BUILD]] [-r REMOTE] [-u] [-l LOCKFILE] [--lockfile-out LOCKFILE_OUT]
                   [-e ENV_HOST] [-e:b ENV_BUILD] [-e:h ENV_HOST] [-o OPTIONS_HOST] [-o:b OPTIONS_BUILD] [-o:h OPTIONS_HOST]
                   [-pr PROFILE_HOST] [-pr:b PROFILE_BUILD] [-pr:h PROFILE_HOST] [-s SETTINGS_HOST] [-s:b SETTINGS_BUILD]
                   [-s:h SETTINGS_HOST] [-c CONF_HOST] [-c:b CONF_BUILD] [-c:h CONF_HOST]
@@ -63,6 +63,7 @@ optional arguments:
                         setting/option it will raise an error.
   -db [DRY_BUILD], --dry-build [DRY_BUILD]
                         Apply the --build argument to output the information, as it would be done by the install command
+  --exclude-dev         Exclude development dependencies from the BOM
   -b [BUILD], --build [BUILD]
                         Given a build policy, return an ordered list of packages that would be built from sources during the install
                         command

src/command.py

@@ -25,9 +25,10 @@
 from uuid import uuid4
 from conans.client.conan_api import Conan, ProfileData
 from conans.client.command import Command as ConanCommand, OnceArgument, Extender, _add_common_install_arguments
-from conans.client.graph.graph import DepsGraph
+from conans.client.graph.graph import DepsGraph, Node
 from conans.errors import ConanMigrationError, ConanException
 from packageurl import PackageURL
+from typing import Set
 
 
 class CycloneDXCommand:
@@ -53,6 +54,11 @@ def get_arg_parser() -> argparse.ArgumentParser:
         dry_build_help = ("Apply the --build argument to output the information, "
                           "as it would be done by the install command")
         parser.add_argument("-db", "--dry-build", action=Extender, nargs="?", help=dry_build_help)
+        exclude_dev_help = 'Exclude development dependencies from the BOM'
+        parser.add_argument(
+            '--exclude-dev', action='store_true',
+            help=exclude_dev_help, dest='exclude_dev'
+        )
         build_help = ("Given a build policy, return an ordered list of packages that would be built"
                       " from sources during the install command")
 
@@ -110,6 +116,21 @@ def execute(self):
             'components': [],
             'dependencies': [],
         }
+
+        required_ids = set()
+        if self._arguments.exclude_dev:
+            visited_ids = set()
+            to_visit: Set[Node] = set(node for node in deps_graph.nodes if node.ref is None)
+            while to_visit:
+                node = to_visit.pop()
+                if node.id in visited_ids:
+                    continue
+                visited_ids.add(node.id)
+                required_ids.add(node.id)
+                for dependency in node.dependencies:
+                    if str(dependency.dst.id) in node.graph_lock_node.requires:
+                        to_visit.add(dependency.dst)
+
         for node in deps_graph.nodes:
             if node.ref is None:
                 # top level component
@@ -121,9 +142,19 @@ def execute(self):
                 }
                 for dependency in node.dependencies:
                     purl = get_purl(dependency.dst.remote, dependency.dst.ref)
+                    if (
+                        self._arguments.exclude_dev
+                        and str(dependency.dst.id) not in required_ids
+                    ):
+                        continue
                     dependencies['dependsOn'].append(str(purl))
                 bom['dependencies'].append(dependencies)
             else:
+                if (
+                    self._arguments.exclude_dev
+                    and str(node.id) not in required_ids
+                ):
+                    continue
                 purl = get_purl(node.remote, node.ref)
                 component = {
                     'bom-ref': str(purl),
@@ -140,6 +171,11 @@ def execute(self):
                     'dependsOn': [],
                 }
                 for dependency in node.dependencies:
+                    if (
+                        self._arguments.exclude_dev
+                        and str(dependency.dst.id) not in required_ids
+                    ):
+                        continue
                     dep_purl = get_purl(dependency.dst.remote, dependency.dst.ref)
                     dependencies['dependsOn'].append(str(dep_purl))
                 bom['dependencies'].append(dependencies)