anthonyharrison

Results 163 comments of anthonyharrison

Latest update is that the Python tools for SPDX is about to be refactored to prepare for SPDX 3.0. Might be worth waiting until that is complete.

@mastersans I have already written a tool [sbomtrend](https://pypi.org/project/sbomtrend/) which identifies the changes in a set of SBOMs. It takes a directory of SBOMs and identifies for each package the version...

I am trying to auto generate some reports for my forthcoming FOSDEM talk. I am looking at creating some charts but at the moment it is manual via a spreadsheet....

The items that can change between versions of an SBOM are:

- The version of a package
- The licence of a package
- The addition or removal of a package
- Other items...
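The kinds of change listed in the comment above, as an added example that is not sbomtrend's own code or anything from the original thread. It diffs two constructed SPDX 2.3 JSON documents (sample package data made up for this illustration) and reports additions, removals, version changes and licence changes per package. Package names are compared case-insensitively, an assumption made here because PyPI names are; the `NOASSERTION` licence in the second SBOM is deliberate, to show that a licence "change" can also mean the generating tool lost information.

```python
"""Diff two SPDX 2.3 JSON SBOMs for package-level changes.

Added example; not sbomtrend's implementation. Sample SBOMs are constructed.
"""
import json

# Constructed sample: the same application at two releases.
SBOM_V1 = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "myapp-1.0",
    "packages": [
        {"name": "myapp", "versionInfo": "1.0", "licenseConcluded": "MIT"},
        {"name": "requests", "versionInfo": "2.28.0", "licenseConcluded": "Apache-2.0"},
        {"name": "urllib3", "versionInfo": "1.26.12", "licenseConcluded": "MIT"},
        {"name": "idna", "versionInfo": "3.4", "licenseConcluded": "BSD-3-Clause"},
        {"name": "chardet", "versionInfo": "5.0.0", "licenseConcluded": "LGPL-2.1-only"},
    ],
})

SBOM_V2 = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "myapp-1.1",
    "packages": [
        {"name": "myapp", "versionInfo": "1.1", "licenseConcluded": "MIT"},
        {"name": "requests", "versionInfo": "2.31.0", "licenseConcluded": "Apache-2.0"},
        {"name": "urllib3", "versionInfo": "2.0.4", "licenseConcluded": "MIT"},
        # Same version, but the generator no longer recorded a licence.
        {"name": "idna", "versionInfo": "3.4", "licenseConcluded": "NOASSERTION"},
        {"name": "charset-normalizer", "versionInfo": "3.2.0", "licenseConcluded": "MIT"},
    ],
})


def load_packages(sbom_json):
    """Return {name: {"version": ..., "licence": ...}} from an SPDX JSON string.

    Names are lower-cased (assumption: PyPI-style case-insensitive names).
    Missing fields are treated as NOASSERTION, as SPDX tooling commonly does.
    """
    doc = json.loads(sbom_json)
    packages = {}
    for pkg in doc.get("packages", []):
        packages[pkg["name"].lower()] = {
            "version": pkg.get("versionInfo", "NOASSERTION"),
            "licence": pkg.get("licenseConcluded", "NOASSERTION"),
        }
    return packages


def diff_sboms(old_json, new_json):
    """Classify each package as added, removed, version-changed or licence-changed."""
    old, new = load_packages(old_json), load_packages(new_json)
    changes = {"added": [], "removed": [], "version": [], "licence": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes["added"].append(name)
        elif name not in new:
            changes["removed"].append(name)
        else:
            # A package present in both may have changed version, licence or both.
            if old[name]["version"] != new[name]["version"]:
                changes["version"].append((name, old[name]["version"], new[name]["version"]))
            if old[name]["licence"] != new[name]["licence"]:
                changes["licence"].append((name, old[name]["licence"], new[name]["licence"]))
    return changes


if __name__ == "__main__":
    for kind, items in diff_sboms(SBOM_V1, SBOM_V2).items():
        print(f"{kind}: {items}")
```

Running the file prints one line per change category; a real run would read the two SBOM files from disk instead of the embedded strings.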

@mastersans That's a useful view. Not sure the average number of updates is relevant. What is the significance of google-auth, rich and plotly? An interesting view would be to look...

@mastersans You could use the `requirements.txt` file to identify the direct dependencies. Then show as a stacked graph with the transitive dependencies. We might find that there is a 1-1...

[sbomtrend](https://pypi.org/project/sbomtrend/) performs some analysis and contains some sample matplotlib graphs for a number of scenarios.

ExternalSecurity in SPDX uses CPE items. We also have PURL records which are preferred to CPE due to the inconsistency of CPE records, particularly with respect to the vendor field....
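The preference described above, as an added example that is not lib4sbom's or the SPDX tooling's code. Given the `externalRefs` list of an SPDX 2.3 JSON package (the package and its reference locators are constructed for this illustration), it picks the PURL when one is present and only falls back to a CPE otherwise, and it surfaces the vendor field of each CPE so that the kind of inconsistency mentioned in the comment (two CPEs for one package with different vendors) is visible rather than silently picked by position.

```python
"""Select a package identifier from SPDX externalRefs, preferring purl over CPE.

Added example; not lib4sbom's implementation. Package data is constructed.
"""
import re

# Constructed SPDX 2.3 package with two conflicting CPEs and one PURL.
SPDX_PACKAGE = {
    "name": "examplelib",
    "versionInfo": "1.4.2",
    "externalRefs": [
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:examplelib:examplelib:1.4.2:*:*:*:*:*:*:*"},
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:example_project:examplelib:1.4.2:*:*:*:*:*:*:*"},
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:pypi/examplelib@1.4.2"},
    ],
}

# Split a CPE 2.3 formatted string on colons that are not backslash-escaped.
_CPE_SPLIT = re.compile(r"(?<!\\):")


def identifiers(pkg):
    """Group a package's externalRefs by type: {"purl": [...], "cpe": [...]}."""
    found = {"purl": [], "cpe": []}
    for ref in pkg.get("externalRefs", []):
        rtype = ref.get("referenceType", "")
        locator = ref.get("referenceLocator", "")
        if rtype == "purl":
            found["purl"].append(locator)
        elif rtype in ("cpe22Type", "cpe23Type"):
            found["cpe"].append(locator)
    return found


def cpe_vendors(pkg):
    """Return the distinct vendor fields of the package's CPE 2.3 locators."""
    vendors = set()
    for cpe in identifiers(pkg)["cpe"]:
        parts = _CPE_SPLIT.split(cpe)
        # cpe:2.3:<part>:<vendor>:<product>:<version>:... -> vendor is index 3
        if len(parts) >= 5 and parts[0] == "cpe" and parts[1] == "2.3":
            vendors.add(parts[3])
    return vendors


def preferred_identifier(pkg):
    """PURL if available; otherwise the CPE only if its vendor is unambiguous.

    Returns (scheme, locator) or (None, None) when no usable identifier exists.
    Refusing an ambiguous CPE is this example's choice, not an SPDX rule.
    """
    ids = identifiers(pkg)
    if ids["purl"]:
        return ("purl", ids["purl"][0])
    if ids["cpe"] and len(cpe_vendors(pkg)) == 1:
        return ("cpe", ids["cpe"][0])
    return (None, None)


if __name__ == "__main__":
    print("CPE vendors seen:", sorted(cpe_vendors(SPDX_PACKAGE)))
    print("Chosen identifier:", preferred_identifier(SPDX_PACKAGE))
```

For the constructed package the two CPEs disagree on the vendor, so without the PURL the function would return nothing rather than guess; with the PURL present it returns `pkg:pypi/examplelib@1.4.2`.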

@tgagneret-embedded You are correct in that lib4sbom (I am the author) only provides full support for SPDX formats tagvalue, JSON and YAML. These are the most common formats - XML...

I don't think we should be using os.name (I just tried it on my Mac and I got 'posix' as the response). As the distro package is only for Linux...