-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Existing libraries for Python SBOM generation? #7
Comments
Thanks for opening this issue! This is a good idea, I can definitely put together some recommendations. |
Requested by @sethmlarson.
While some of the dependencies are already in the dependency tree, that is just way too much to include in the project. Some package builders/managers could handle that by using plugins, but that are extra steps instead of a simple built-in solution that we could have. |
@sethmlarson I came across https://github.com/sethmlarson/pip-sbom by way of the I was mostly poking at it to get an idea of what an SBOM dependency tree might look like (at least with current libraries): $ poetry show --tree
pip-sbom 0.0.1a2 pip-sbom
├── cyclonedx-python-lib *
│ ├── license-expression >=30,<31
│ │ └── boolean-py >=4.0
│ ├── packageurl-python >=0.11,<2
│ ├── py-serializable >=1.1.1,<2.0.0
│ │ └── defusedxml >=0.7.1,<0.8.0
│ └── sortedcontainers >=2.4.0,<3.0.0
├── packageurl-python *
├── packaging *
├── pip *
└── spdx-tools >=0.8
├── beartype *
├── click *
│ └── colorama *
├── license-expression *
│ └── boolean-py >=4.0
├── ply *
├── pyyaml *
├── rdflib *
│ └── pyparsing >=2.1.0,<4
├── semantic-version *
├── uritools *
└── xmltodict * (I also checked the |
Because SBOMs are used for regulatory things, I didn't want people to start using this tool that I've invested relatively small amounts of time in. I created this project mostly to test what is possible today for Python packages and as a place to implement draft packaging PEPs ahead of their acceptance to show how useful they'd be for the SBOM use-case (such as PEP 710 and now my upcoming PEPs for SBOMs). And yeah... I am not particularly happy with the state of affairs for SBOM libraries. At the end of the day, it's a data format. I think creating a tiny module for specifically generating SBOM documents will make sense so that packaging tools can adopt it very easily? That use-case is constrained to a very narrow set of SBOM documents and features, typically. |
Would it make sense to survey and recommend libraries for generating SBOM metadata for Python packages as part of this project?
Full disclosure: I'll actually need to add SBOM support to my current work project at some point (see lmstudio-ai/venvstacks#67), so I have a concrete interest in knowing which libraries actually do a decent job of taking a set of Python dependency declarations (and/or installed environments) and turning them into the corresponding SBOM.
The text was updated successfully, but these errors were encountered: