
Intended way to generate SBOM from virtual environment

Open sarnold opened this issue 9 months ago • 1 comments

Hi, and thanks for the SBOM tools! We've been trying this out, and since I have a large-ish number of projects/workflows that are run from the top level of a git checkout, I added this tool as a tox env command, which seems to work okay. That said, in issue #7 you said:

"I typically use this in a Python virtual environment and run sbom4python from within the directory containing the installed modules (lib//site-packages/)."

So: Are we using it incorrectly?

I can test it the other way, but I don't really have a great feel for what the expected behavior should be. Also, I'm about to ask another set of questions along the lines of #23.

Thanks again!

sarnold, Apr 03 '25 22:04

Sbom4python works fine with Python virtual environments. There are two ways:

  • Install sbom4python on your system before creating the virtual environment. Running sbom4python when in the virtual environment will pick up the installed version.
  • Install sbom4python in your virtual environment.

In both cases, use the --module option to find just the dependencies for your package.

anthonyharrison, Apr 25 '25 06:04
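To sanity-check which environment a run will see and roughly what a module-scoped SBOM should contain, the following added example (not part of the thread and not sbom4python's code) uses only the Python standard library. It assumes the transitive Requires-Dist closure of the package is a reasonable comparison set; environment markers other than extras are not evaluated, and the helper names are hypothetical.

```python
import re
import sys
from importlib import metadata

def in_virtualenv():
    """True when the running interpreter belongs to a virtual environment."""
    return sys.prefix != getattr(sys, "base_prefix", sys.prefix)

def _normalize(name):
    """Normalize a distribution name (PyYAML and pyyaml compare equal)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def _req_name(requirement):
    """Extract the distribution name from a Requires-Dist string."""
    m = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement)
    return m.group(1) if m else None

def installed_requires(name):
    """Requires-Dist entries of a distribution installed in THIS environment.

    Returns None when the distribution is not installed here. Entries that
    only apply to an optional extra are skipped (simple heuristic).
    """
    try:
        reqs = metadata.requires(name) or []
    except metadata.PackageNotFoundError:
        return None
    return [r for r in reqs if "extra ==" not in r]

def dependency_closure(root, requires_of=installed_requires):
    """Return (found, missing) sets of normalized names reachable from root."""
    found, missing, todo = set(), set(), [root]
    while todo:
        name = _normalize(todo.pop())
        if name in found or name in missing:
            continue
        reqs = requires_of(name)
        if reqs is None:  # declared as a dependency but absent from this environment
            missing.add(name)
            continue
        found.add(name)
        todo.extend(n for n in map(_req_name, reqs) if n)
    return found, missing

if __name__ == "__main__" and len(sys.argv) > 1:
    found, missing = dependency_closure(sys.argv[1])
    print("virtualenv:", in_virtualenv(), "prefix:", sys.prefix)
    print("installed closure:", sorted(found))
    print("declared but not installed here:", sorted(missing))
```

Run it with the same interpreter that tox or the virtual environment uses, passing the package name; names under "declared but not installed here" usually mean the tool is looking at a different environment than the one the package was installed into.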