anthonyharrison

Results 163 comments of anthonyharrison

@terriko I will start looking at this as we can probably do this locally within the sbom parser. I think we have a PURL specified, we should use this instead...

Component versions are a mess but if more components aligned with [Semantic Versioning](https://semver.org/) life would be easier. As @terriko remarked, it is a very difficult task - perhaps the greatest...

There are already differences between the various national guidelines. If I am creating an SBOM, I would not want to create a different SBOM to meet the different national guidelines;...

I wrote a [blog post](https://www.bcs.org/articles-opinion-and-research/manage-risk-with-a-software-bill-of-materials/) which identified 4 use cases for SBOMs all related to managing risk: - SBOMs should form part of your vulnerability management process by using them...

@Tomalrich I agree with your 'survey results' as I have also yet to see any customer requirements which require SBOMs to be distributed as part of a software delivery in...

Tom Thanks for the feedback. It is good to see that some of the challenges with SBOMs are starting to be addressed. Although the timing isn't great to attend your...

@steiza Reinstalling the updated module results in the application no longer crashing and an SBOM being generated. However, the generated SBOM doesn't include any version information or any license information...

@steiza Thanks for the explanation. I think adding something to the documentation regarding behaviour if versions aren't pinned would be useful.

@terriko I just use the information from the [SPDX license list](https://spdx.org/licenses/) to map the SPDX-ID to the url. I rely on the Python metadata from the module to indicate the...

@ogbautista Thanks for raising this. I don't do anything special for optional dependencies so I need to look at how optional dependencies are handled within the ecosystem.