
Let's use spdx-tools for SBOM generation

Open carmenbianca opened this issue 2 years ago • 6 comments

We can get this for free instead of doing the string manipulation we do now.

carmenbianca avatar Feb 08 '23 09:02 carmenbianca

The SPDX Python libraries have been getting a lot of attention recently, with lots of refactoring and feature updates. If there is anything in particular that you would need added for this, please let me know and I'll see what I can do! :smiley:

seabass-labrax avatar Feb 08 '23 14:02 seabass-labrax

Agreed. I've looked a bit at the SPDX-Tools Python GitHub project and it seems to be a thorough library. It is promising that there is progress on the hard nuts to crack: https://github.com/spdx/tools-python/issues/10. It will also better the ecosystem overall if we collaborate on this generic library instead of doing our own thing. We can adopt this library in phases, so it will be easy to get going. I have two concerns:

Distribution packaging: At the moment spdx-tools is only packaged in NixOS and FreeBSD, so this is also a point of attention before we adopt it: https://repology.org/project/python:spdx-tools/versions. I created an issue over at spdx-tools to call attention to this and coordinate the effort: https://github.com/spdx/tools-python/issues/488

Dependencies: The library has quite some dependencies for all the output formats, which I think makes sense. The Click library, I think, is not necessary if we use it as a library rather than as a standalone app. Perhaps we can work with the spdx-tools team to make it optional. I consider this an improvement.

nicorikken avatar Feb 18 '23 06:02 nicorikken

Hi @nicorikken, @carmenbianca! Very cool that you want to use tools-python. Regarding your second concern, nico, we already have an open issue for that and want to reduce the dependencies; the hint on Click is already helpful! Probably we will make these changes in the refactored branch, where we are working on a refactored version of the tools that has separated layers for parsing, validating and writing files. We want to bring this branch to main soon and then keep the current, stable version next to it. I would advise you to take a look at the refactored version, which has breaking changes compared to the current one, and consider using it in the future. After the switch, the current version on main will only get bug fixes and will tend to get no new features in the future.

meretp avatar Feb 28 '23 07:02 meretp

FYI: the refactored version of spdx/tools-python can now be found on the main branch.

armintaenzertng avatar Mar 30 '23 10:03 armintaenzertng

Related to #394

mxmehl avatar Jun 07 '24 13:06 mxmehl