
pgutil exclude test and build projects



  • Hello,
    I am currently using CycloneDx in my build plans to generate BOMs. I am considering switching to PgUtil, but I am missing a feature: the ability to exclude test projects and the Nuke build project. Those projects often use vulnerable libraries, but I do not want to see them in the reports as they are only used during the build process. Is there already a way to exclude specific csproj files from the BOM generation for the analyzed solution? If not, could this be added in future versions?


  • inedo-engineer

    Hi @sebastien-gamby_3349,

    I don't see an option to do anything like that, but we're happy to brainstorm/think of an option to add. The main issue is documentation and avoiding having 1000 options.

    I see that there's a --do-not-scan-node_modules switch; maybe that could be converted to a --excludePaths={relativePathCsv} or something? So --do-not-scan-node_modules would become --excludePaths=node_modules and you could do --excludePaths="myproj1.csproj,myproj2.csproj" or something?

    Just brainstorming here, not sure if that's even feasible.

    Here is the current documentation for the command:

    ```text
    Description:
      Generates a minimal SBOM from project dependencies and uploads it to ProGet

    Usage:
      pgutil builds scan [options]

    Options:
      --input=<input> (REQUIRED)                Project to scan for dependencies
      --project-name=<project-name> (REQUIRED)  Name of the component consuming the dependencies
      --version=<version> (REQUIRED)            Version of the component consuming the dependencies
      --api-key=<api-key>                       ProGet API key used to authorize access
      --do-not-scan-node_modules                Do not scan the node_modules directory when scanning for package-lock.json
                                                files
      --include-dev-dependencies                Include npm development dependencies from the package-lock.json file in the
                                                generated SBOM document
      --include-project-references              Include dependencies from referenced projects in the generated SBOM
                                                document
      --password=<password>                     ProGet user password used to authorize access
      --project-type=<project-type>             Type of the consuming project (default=library)
      --scanner-type=<scanner-type>             Type of project scanner to use; auto, npm, NuGet, PyPI, or Conda
                                                (default=auto)
      --source=<source>                         Named source or URL of ProGet
      --username=<username>                     ProGet user name used to authorize access
      -?, --help                                Show help and usage information

    Examples:
      $> pgutil builds scan --input=WebDataTool.csproj --project-name="Web Data Tool" --version=1.2.3
    ```
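As an added illustration of the semantics the --excludePaths idea above would need (this is not pgutil code, and the option does not exist today), the following Python filters the .csproj entries of a constructed .sln file against a comma-separated exclude list. It matches whole path segments rather than substrings, so an entry like `build` removes `build/_build.csproj` without also dropping a `buildtools/` sibling.

```python
import re
from pathlib import PurePosixPath

# Constructed sample solution file (not taken from the forum thread).
SAMPLE_SLN = """
Microsoft Visual Studio Solution File, Format Version 12.00
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebDataTool", "src\\WebDataTool\\WebDataTool.csproj", "{00000000-0000-0000-0000-000000000001}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebDataTool.Tests", "tests\\WebDataTool.Tests\\WebDataTool.Tests.csproj", "{00000000-0000-0000-0000-000000000002}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "_build", "build\\_build.csproj", "{00000000-0000-0000-0000-000000000003}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{00000000-0000-0000-0000-000000000004}"
EndProject
"""

# Matches the Project(...) header lines of a .sln and captures the .csproj path (solution folders are skipped).
PROJECT_RE = re.compile(r'^Project\("\{[0-9A-F-]+\}"\)\s*=\s*"[^"]*",\s*"([^"]+\.csproj)"', re.M)


def solution_projects(sln_text: str) -> list[str]:
    """Return the .csproj paths declared in a .sln as forward-slash relative paths."""
    return [m.group(1).replace("\\", "/") for m in PROJECT_RE.finditer(sln_text)]


def parse_exclude_paths(csv: str) -> list[str]:
    """Parse a hypothetical --excludePaths=<csv> value into normalized relative paths."""
    return [p.strip().replace("\\", "/").strip("/") for p in csv.split(",") if p.strip()]


def is_excluded(project_path: str, excludes: list[str]) -> bool:
    """True when an exclude entry names the project file exactly, one of its ancestor
    directories, or (for a bare file name) the project file in any directory."""
    parts = PurePosixPath(project_path).parts
    for ex in excludes:
        ex_parts = PurePosixPath(ex).parts
        if ex_parts == parts[:len(ex_parts)]:           # exact file or ancestor directory
            return True
        if len(ex_parts) == 1 and ex_parts[0] == parts[-1]:  # bare file name, any directory
            return True
    return False


def projects_to_scan(sln_text: str, exclude_csv: str) -> list[str]:
    """Projects that would remain after applying the exclude list."""
    excludes = parse_exclude_paths(exclude_csv)
    return [p for p in solution_projects(sln_text) if not is_excluded(p, excludes)]


if __name__ == "__main__":
    print(projects_to_scan(SAMPLE_SLN, "WebDataTool.Tests.csproj,build"))
```

Note that dropping test and build projects removes those dependencies from the SBOM entirely, so build-time supply-chain risk in them will no longer show up in ProGet's reports; that trade-off is the one the original question accepts.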
