anthonyharrison
@terriko This would make a great addition to the capability of the tool. The next evolution of the SPDX SBOM standard is likely to have options to include security information...
I was on an SPDX call last night and there are a number of options being considered for including defect information as part of the 3.0 release. I will be...
@terriko Agree SBOMs can contain a lot of information but cve-bin-tool only currently extracts the package names/versions. I can see how the relationships between components might be a useful addition...
@BreadGenie In response to your comment '**_Can you explain this a bit more? I didn't get how versions are included in file formats._**', the following command does what I was...
@BreadGenie Instead of -L parameter having two parameters maybe we should have an extra option -D (for distro)? Default for -D could be current distro (obtained from distro.id()). This would...
Have a look at [SBOM4PYTHON](https://pypi.org/project/sbom4python/) which might do what you need. It generates both SPDX and CycloneDX SBOMs for an installed Python module and all its associated dependencies.
@goneall My latest schema is released here https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/schemas
@Molkree interesting thought on separate SBOMs based on Python version. It isn't something I have seen done before as the SBOM relates to an instance of the deployment of the...
This might [help](https://setuptools.pypa.io/en/latest/userguide/entry_point.html)
I don't think it is fully complete yet as I think the library only works with JSON, YAML and TagValue documents currently. Cve-bin-tool parser already works with all types of...