Projects

Dependent Projects

Dependent projects are a way to represent a relationship between one or more SOOS projects. They appear in the dependency tree and, if possible, will include high-level scan details for the version of the dependent project that was referenced, as well as a link to the scan details.

Requires the SBOM Manager add-on (see Subscribing to SOOS Products to make changes to your plan), except where indicated below.

What can dependent projects represent?

Dependent projects are flexible and can be created through automatic or manual relationships (links) between projects in SOOS.

The following examples show dependent projects as they exist in the dependency tree.

Internal package relationships

Define Package Mask Configurations to create automatic relationships between projects scanned by SOOS.

Package masks are included with the base SOOS SCA product!

External SBOM document references

Enable auto-link SBOM external document references under Dependency Configurations to automatically create dependent projects for SBOMs that reference each other and have been previously scanned by SOOS. See External SBOM Document References for more information.

Artificial relationships and complex hierarchies

In some cases it may be useful to identify relationships between applications which are not directly related through code or internal packages, such as a UI depending on an API. Manually added dependent projects can accomplish this.

Complex relationships between applications may also be modeled using dependent projects. This hierarchy of dependent projects will be shown in the dependency tree (in the example below, the root project references mycoremodule, which in turn references mydatabasemodule, which also has a reference to mycoremodule).

Where do dependent projects appear?
Dependent projects are shown in a number of places throughout the SOOS app; the most detailed location is within the dependency tree of a project.

Developer Dashboard

The project row will contain the number of referenced dependent projects on the Developer Dashboard. This will only show the number of directly referenced dependent projects, not the number of dependent projects in the hierarchy. Think of this as the number of direct project dependencies.

Dependency tree

Dependent projects will appear in the dependency tree. If a scan is identified which matches the build version, the scan information will also be included.

Manually added dependent project

Manually added dependent projects will show with a folder icon and may include scan details.

[Figure: Dependent project in the dependency tree]

Internal packages via package masks

When a package mask exists and a matching package is identified in a manifest, an implicit dependent project link will be created (the appearance is slightly different than manually added dependent projects). The package matching the package mask will show within the manifest where it was located, with the 'buildings' icon to indicate it is an internal package. In this situation, no explicit dependent project will be added or manageable, and an icon will not be visible on the dashboard.

Package masks are included with the base SOOS SCA product!
[Figure: Internal package in the dependency tree]

SBOM exports

Selecting "Include dependent projects" will create a zip archive containing the main project's SBOM, along with SBOMs for all dependent projects defined for the project. The main project's SBOM will contain External SBOM Document References to the SBOMs of the referenced project(s).

[Figure: Include dependent projects in export]

Manually adding or removing dependent projects

Select the Manage tab from within the project where you wish to adjust the dependent project references.

Locate the project in the drop-down, and optionally add a version. If no version is specified, SOOS will attempt to locate the correct version based on the version located in the manifest of the main project (for SCA scans), or the SBOM (for SBOM scans).

Remove dependent projects using the 'x'. For SBOM scans, if a dependent project is manually removed, it will be re-added on the next scan if auto-link SBOM external document references is enabled under Dependency Configurations.

[Figure: Add a dependent project]
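
The hierarchy described under "Artificial relationships and complex hierarchies" and the direct count shown on the Developer Dashboard can be modeled as follows. This is an added example, not SOOS code and not a description of how SOOS implements it: the REFERENCES map and all function names are assumptions, and only the three project names come from the page's example.

```python
# Constructed sample: each project's directly referenced dependent projects,
# mirroring the page's example hierarchy (names from the page, data invented).
REFERENCES = {
    "root": ["mycoremodule"],
    "mycoremodule": ["mydatabasemodule"],
    "mydatabasemodule": ["mycoremodule"],  # reference back up the hierarchy
}


def direct_count(project, refs=REFERENCES):
    """Directly referenced dependent projects only (the dashboard figure)."""
    return len(set(refs.get(project, [])))


def hierarchy(project, refs=REFERENCES):
    """Every dependent project reachable from `project`, each visited once."""
    seen, stack = set(), list(refs.get(project, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue  # already expanded; prevents looping on circular references
        seen.add(current)
        stack.extend(refs.get(current, []))
    return seen


def render_tree(project, refs=REFERENCES, path=()):
    """Indented tree lines. A project already on the current path is marked
    as a cycle and not expanded again, so rendering always terminates."""
    indent = "  " * len(path)
    if project in path:
        return [indent + project + " (cycle)"]
    lines = [indent + project]
    for child in refs.get(project, []):
        lines.extend(render_tree(child, refs, path + (project,)))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree("root")))
    print("direct:", direct_count("root"), "in hierarchy:", len(hierarchy("root")))
```

For the root project the direct count is 1 while the hierarchy contains 2 projects, which is why the dashboard number can understate how many projects' findings sit underneath an application.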