Description
Hello,
Environment information:
- OS: 20.04.2 LTS (Focal Fossa)
- npm: v6.14.14
- node: v14.17.5
This is more of a general-knowledge question: I am trying to work out which CycloneDX module/version generates the most representative results. My apologies in advance if this is not the right place to ask it.
My use case is that I need to generate bom.xml files for some angular projects and then send them to Dependency Track platform for analysis.
Up until version 3 of @cyclonedx/bom, I was generating my bom.xml files as follows:

```shell
npm install -g @cyclonedx/bom@3.10.6
cyclonedx-bom -o bom.xml
```
The bom.xml generated this way shows 430 components in Dependency-Track.
However I understand that major version 4 release of @cyclonedx/bom introduced breaking changes.
So I now try to use @cyclonedx/cyclonedx-npm, and I generate my bom.xml files like this:

```shell
npm install --global @cyclonedx/cyclonedx-npm
cyclonedx-npm --omit dev --ignore-npm-errors --output-format xml --output-file bom.xml
```
The bom.xml generated this way shows 170 components in Dependency-Track.
(Without the `--omit dev` flag, I get more than 700 components.)
Both tests were obviously run against the exact same project.
So my question is, why is there such a large discrepancy in the final number of Components, for the same project, between @cyclonedx/bom@3.10.6 and @cyclonedx/cyclonedx-npm@1.6.0 ?
Thank you in advance
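The first thing a practitioner would do with two BOMs that disagree on component count is compare them by package URL rather than by total, so that the question becomes "which packages did one generator emit that the other did not?". The script below is an added example, not code from the original issue or from the CycloneDX project. It builds two small, constructed CycloneDX XML files inline (the package names are illustrative, not taken from the reporter's Angular project), extracts every `<purl>` from each, and prints the set difference. It assumes only that each `<component>` carries a `<purl>`, which both generators emit for npm packages.

```shell
#!/bin/sh
# Added example (not part of the original issue or of any CycloneDX project):
# compare two CycloneDX XML BOMs by package URL to see which components
# one generator emitted and the other did not.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample BOMs standing in for the two real outputs.
cat > "$WORK/bom-v3.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <components>
    <component type="library"><name>tslib</name><version>2.3.1</version><purl>pkg:npm/tslib@2.3.1</purl></component>
    <component type="library"><name>zone.js</name><version>0.11.4</version><purl>pkg:npm/zone.js@0.11.4</purl></component>
    <component type="library"><name>typescript</name><version>4.3.5</version><purl>pkg:npm/typescript@4.3.5</purl></component>
  </components>
</bom>
EOF
cat > "$WORK/bom-npm.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library"><name>tslib</name><version>2.3.1</version><purl>pkg:npm/tslib@2.3.1</purl></component>
    <component type="library"><name>zone.js</name><version>0.11.4</version><purl>pkg:npm/zone.js@0.11.4</purl></component>
  </components>
</bom>
EOF

# Print the sorted, de-duplicated purls found in one BOM, one per line.
# Every <purl> element is taken, so a root component under <metadata>
# would be counted too; subtract it by hand if your BOM has one.
purls() {
  grep -o '<purl>[^<]*</purl>' "$1" | sed -e 's/<purl>//' -e 's#</purl>##' | sort -u
}

# Print the purls present in the first BOM but missing from the second.
only_in() {
  purls "$1" > "$WORK/a.txt"
  purls "$2" > "$WORK/b.txt"
  comm -23 "$WORK/a.txt" "$WORK/b.txt"
}

echo "components in v3 BOM:  $(purls "$WORK/bom-v3.xml" | wc -l | tr -d ' ')"
echo "components in npm BOM: $(purls "$WORK/bom-npm.xml" | wc -l | tr -d ' ')"
echo "only in v3 BOM:"
only_in "$WORK/bom-v3.xml" "$WORK/bom-npm.xml"
echo "only in npm BOM:"
only_in "$WORK/bom-npm.xml" "$WORK/bom-v3.xml"
```

To use it on real output, replace the two heredocs with the paths of the BOMs produced by `cyclonedx-bom` and `cyclonedx-npm` for the same project. Running it twice, once against the `--omit dev` output and once without it, shows directly which packages the flag removed, which is the quickest way to tell whether the gap between the two generators is a dev-dependency scope difference or something else.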