Dependent Projects

Dependent Projects are a way to represent a relationship between one or more SOOS projects. They appear in the Dependency Tree and, where possible, include high-level scan details for the version of the dependent project that was referenced, as well as a link to the scan details.

Dependent Projects require the SBOM Manager add-on, except where indicated below. See Subscribing to SOOS Services to make changes to your plan.

What can Dependent Projects Represent?

Dependent projects are flexible and can be created through automatic or manual relationship links between projects in SOOS. The following examples show dependent projects as they exist in the dependency tree.

Internal Package Relationships

Define Package Mask Configurations to create automatic relationships between projects scanned by SOOS.

Package masks are included with the base SOOS SCA product!

External SBOM Document References

Enable Auto Link SBOM External Document References under Dependency Configurations to automatically create dependent projects for SBOMs that reference each other and have been previously scanned by SOOS. See External SBOM Document References for more information.

Artificial Relationships and Complex Hierarchies

In some cases it may be useful to identify relationships between applications which are not directly related through code or internal packages, such as a UI depending on an API. Manually added dependent projects can accomplish this.

Complex relationships between applications may also be modeled using dependent projects. This hierarchy of dependent projects will be shown in the dependency tree (in the example below, the root project references myCoreModule which in turn references myDatabaseModule, which also has a reference to myCoreModule).

Document image


Where do Dependent Projects Appear?

Dependent projects are shown in a number of places throughout the SOOS app; the most detailed location is within the dependency tree of a project.

Developer Dashboard

The project row will contain the number of referenced dependent projects on the Developer dashboard.

This will only show the number of directly referenced dependent projects, not the number of dependent projects in the hierarchy. Think of this as the number of direct project dependencies.
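The difference between the direct count and the full hierarchy, including the circular reference described under Artificial Relationships and Complex Hierarchies, can be worked through in code. The following is an added example, not SOOS code; the adjacency-map data model and the function names are assumptions for illustration and do not reflect the SOOS API or export format.

```python
# Constructed sample: the hierarchy described on this page, as an adjacency map
# (project name -> directly referenced dependent projects). Assumed data model.
DEPENDENT_PROJECTS = {
    "root": ["myCoreModule"],
    "myCoreModule": ["myDatabaseModule"],
    "myDatabaseModule": ["myCoreModule"],
}


def direct_count(graph, project):
    """Number of directly referenced dependent projects (the dashboard figure)."""
    return len(set(graph.get(project, [])))


def walk_hierarchy(graph, project):
    """Return (tree_lines, reachable) for a project's dependent-project hierarchy.

    A reference back to a project already on the current path is listed once,
    marked as a cycle, and not expanded, so circular references terminate.
    """
    lines, reachable = [], set()

    def visit(node, path):
        depth = len(path)
        for child in graph.get(node, []):
            if child in path:
                lines.append("  " * depth + child + " (cycle, not expanded)")
                continue
            reachable.add(child)
            lines.append("  " * depth + child)
            visit(child, path + [child])

    visit(project, [project])
    return lines, reachable


if __name__ == "__main__":
    tree, reachable = walk_hierarchy(DEPENDENT_PROJECTS, "root")
    print("root")
    print("\n".join(tree))
    print("direct:", direct_count(DEPENDENT_PROJECTS, "root"))
    print("in hierarchy:", len(reachable))
```

For the sample data the direct count is 1 while two projects are reachable in the hierarchy, so findings in myDatabaseModule affect the root project even though the dashboard number does not count it.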


Dependency Tree

Dependent projects will appear in the dependency tree. If a scan is identified which matches the build version, the scan information will also be included.

Manually Added Dependent Project

Manually added dependent projects will show with a folder icon and may include scan details.

Dependent project in the dependency tree


Internal Packages via Package Masks

When a package mask exists and a matching package is identified in a manifest, an implicit dependent project link will be created (the appearance is slightly different from manually added dependent projects). The package matching the package mask will show within the manifest where it was located, with the 'buildings' icon to indicate it is an internal package.

In this situation, no explicit dependent project will be added or manageable and an icon will not be visible on the dashboard.

Package masks are included with the base SOOS SCA product!

Internal package in the dependency tree


SBOM Exports

Selecting "Include Dependent Projects" will create a Zip archive containing the main project's SBOM, along with SBOMs for all dependent projects defined for the project. The main project's SBOM will contain External SBOM Document References to the referenced projects' SBOMs.

Include dependent projects in export


Manually Adding or Removing Dependent Projects

Select the Manage tab from within the project where you wish to adjust the dependent project references. Locate the project in the drop-down, and optionally add a version. If no version is specified, SOOS will attempt to locate the correct version based on the version located in the manifest of the main project (for SCA scans), or the SBOM (for SBOM scans).

Remove dependent projects using the 'x'.

For SBOM scans, if a dependent project is manually removed, it will be re-added on the next scan if Auto Link SBOM External Document References is enabled under Dependency Configurations.

Add a dependent project