[question] Exclude build and tool requires from conan audit

[jonas-singe-bruker]

What is your question?

Is there a sipmle way to exclude build requirements and tool requirements from the conan audit scan?
We would like to set up conan audit to monitor the conan dependencies. In the product we deploy the build and tool requirements are not exposed so we want to keep them out of that report.

I looked through the conan audit scan --help description for 2.20.0 but didn't find a straightforward option.

Have you read the CONTRIBUTING guide?

• I've read the CONTRIBUTING guide

[AbrilRBS]

Hi @jonas-singe-bruker thanks a lot for taking the time to submit this request.

While there's currently no way to skip the build context packages from conan audit scan (I'll discuss with the team if adding this feature makes sense, which a priori for me it does), you can get this same behaviour in a roundabout way while we implement the filter for conan audit scan.

• Replace conan audit scan with conan graph info. They accept the same arguments to construct the graph, so the parameters should stay the same. Make sure to also add --format=json and store the resulting json to a file (graph.json for this example)
• Now, run conan list --graph=graph.json --graph-context=host --format=json > pkglist.json
  • This creates a pkglist for the resolved dependency graph, but filters it to only contain the host context packages using the --graph-context argument.
• Now pass the generated pkglist.json to conan audit list --list=pkglist.json. Its output will be similar to the conan audit scan command (minus the severity threshold filter)

This (excluding syntax errors in my example) will get you your desired filtering (And you can check conan list -h for the rest of the context filters)

Let me know if it helps, and I'll keep you posted if we decide to implement the filtering directly in the conan audit scan command :)

[jonas-singe-bruker]

That's helpful, thanks 👍

[memsharded]

Ticket closed by #18976, that has implemented a new --context argument in conan audit scan, will be in next Conan 2.21. Thanks for the feedback!