Question about dependencies for automatically created inventory items
We are scanning a project in which we have a scan profile with "All Transitive Dependencies" selected.
For one of the automatically created items (tomahawk20-1.1.14 [Apache License 2.0]), only two items are reported as dependencies:
- myfaces-shared-tomahawk 4.0.16 [Bundled with tomahawk20 1.1.14] (Apache-2.0)
- sstephenson-prototype 1.7 [Bundled with tomahawk20 1.1.14] (MIT)
If we review the dependencies of the component in the Maven repository (using the value obtained from the URL field in the component information), it has 11 compile dependencies (only two of them optional), 6 provided dependencies and 1 runtime dependency.
Only myfaces-shared-tomahawk appears there, as a provided dependency, and the second one is missing.
In another case, we have an item associated with the component "commons-fileupload 1.3.1" for which the tool has not generated any dependencies, but in the Maven repository it has 1 compile dependency and 2 provided dependencies.
How does the tool handle dependencies? What are the criteria for generating an item as a dependency? Why do dependencies appear in some cases and not in others?
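One thing worth checking before comparing numbers is which of the dependencies listed in the Maven repository Maven itself would propagate to a consumer: compile and runtime dependencies are transitive, while provided, test and optional dependencies are not. The following is an added example, not code from the original post or from the scanning tool, and it says nothing about that tool's own rules; it reads a POM and groups the declared dependencies the same way the repository page does (by scope, with optional counted separately), then lists the subset Maven would carry transitively. The POM is a constructed sample, not the real tomahawk20 or commons-fileupload POM, and the parser reads declared values only (it does not resolve parent POMs or dependencyManagement).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Maven POM 4.0.0 namespace, needed because the elements are namespaced.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for illustration; not the real tomahawk20 or
# commons-fileupload POM from the question.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-lib</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>core</artifactId>
      <version>2.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>extra</artifactId>
      <version>2.1</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>runtime-impl</artifactId>
      <version>1.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def parse_dependencies(pom_xml):
    """Return one dict per <dependency>; scope defaults to 'compile' as in Maven."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        def text(tag, default=""):
            el = dep.find(f"m:{tag}", NS)
            return (el.text or "").strip() if el is not None else default
        deps.append({
            "ga": f"{text('groupId')}:{text('artifactId')}",
            "version": text("version"),
            "scope": text("scope", "compile"),
            "optional": text("optional", "false").lower() == "true",
        })
    return deps


def summarize(deps):
    """Count declared dependencies per scope, plus how many are optional."""
    by_scope = Counter(d["scope"] for d in deps)
    optional = sum(1 for d in deps if d["optional"])
    return dict(by_scope), optional


def transitive_candidates(deps):
    """Dependencies Maven propagates to consumers of this artifact.

    provided and test scope are never transitive, and optional dependencies
    are not propagated either, so only non-optional compile/runtime remain.
    """
    return [d["ga"] for d in deps
            if d["scope"] in ("compile", "runtime") and not d["optional"]]


if __name__ == "__main__":
    parsed = parse_dependencies(SAMPLE_POM)
    print(summarize(parsed))
    print(transitive_candidates(parsed))
```

Run it against the real POM of a component (downloaded from the repository URL shown in the component information) to get the same per-scope counts the repository page shows and the shorter list Maven would actually make transitive; comparing both lists with what the tool reports narrows the question to whether the tool follows Maven's scope rules, reports only bundled files, or uses some other criterion.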