Possible to exclude libraries (based on Regex term, for instance)? #923
Replies: 2 comments
-
The easiest way might be to use a command-line tool like Can you explain why you want to exclude libraries after the generation?
-
We have a requirement to supply a regular SBOM to an external client, for them to analyse against the latest vulnerability catalogues - but we have many internal-only libraries - that we have written ourselves - that would never show up in an external vulnerability database, so are useless in the SBOM. This would be a post-processing step, since our libraries use commercial NuGet references which would need to be included. I.e., if library A references library B, an internal-only library, and B references C and D, two commercial libraries, then A, C and D would be in the final SBOM, and B should be removed. We can do this manually, or write something to do it ourselves - submission of the SBOM is currently a manual process - I just wondered if the dotnet CycloneDX tool had something to do it already - thanks for the reply though.
-
We would like to exclude certain specific libraries of ours from SBOM generation, so I'm wondering if there is a way to exclude project NuGet references based on a search term (search mask or Regex).
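The post-processing step described in this thread, as an added example that is not part of the original discussion and not code from the CycloneDX project: it removes components whose name matches a regex from a CycloneDX JSON BOM and re-links the dependency graph so that A inherits C and D when B is dropped. It assumes a flat `components` array with `bom-ref` values and a top-level `dependencies` array; the package names and the `prune_bom` helper are constructed for illustration.

```python
import json
import re

def prune_bom(bom, pattern):
    """Drop components whose name matches `pattern` and re-link their dependencies."""
    rx = re.compile(pattern)
    comps = bom.get("components", [])
    drop = {c.get("bom-ref") for c in comps if rx.search(c.get("name", ""))}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}

    def kept_children(ref, seen):
        # Walk through dropped nodes until kept ones are reached; `seen` guards cycles.
        out = []
        for child in graph.get(ref, []):
            if child in seen:
                continue
            seen.add(child)
            out += kept_children(child, seen) if child in drop else [child]
        return out

    pruned = dict(bom)
    pruned["components"] = [c for c in comps if c.get("bom-ref") not in drop]
    pruned["dependencies"] = [
        {"ref": ref, "dependsOn": sorted(kept_children(ref, {ref}))}
        for ref in graph if ref not in drop
    ]
    return pruned

def _comp(name, version):
    ref = f"pkg:nuget/{name}@{version}"
    return {"type": "library", "bom-ref": ref, "name": name, "version": version, "purl": ref}

# Constructed sample: A -> B (internal) -> C, D (commercial).
A, B = _comp("Acme.Product", "1.0.0"), _comp("Acme.Internal.Core", "3.2.0")
C, D = _comp("Vendor.Grid", "5.0.0"), _comp("Vendor.Charts", "2.1.0")
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "components": [A, B, C, D],
    "dependencies": [
        {"ref": A["bom-ref"], "dependsOn": [B["bom-ref"]]},
        {"ref": B["bom-ref"], "dependsOn": [C["bom-ref"], D["bom-ref"]]},
        {"ref": C["bom-ref"], "dependsOn": []},
        {"ref": D["bom-ref"], "dependsOn": []},
    ],
}

if __name__ == "__main__":
    print(json.dumps(prune_bom(SAMPLE_BOM, r"^Acme\.Internal\."), indent=2))
```

Anchoring the pattern to the internal namespace prefix keeps it from matching a third-party package that merely contains the same word, which would silently hide that package from the client's vulnerability analysis.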