sbom4python
A tool to generate an SBOM (Software Bill of Materials) for an installed Python module
I recently noticed a case where an SBOM that included `twisted` as a dependency was not listed as a dependency. After careful review, I found that twisted was installed as...
I noticed the new version has the SPDX short-form license and a url like so: `"id": "PSF-2.0", "url": "https://opensource.org/licenses/Python-2.0"` I've been told by a few of our teams...
I have a python project that I would like to create an sbom for. I currently have it set up using conda, but that means that some requirements (e.g. opencv),...
The retrieval of additional package metadata in `_create_package` needs to be version specific: `self.package_metadata.get_package(package)`
Currently sbom4python extracts metadata from the Python package manager (pip). A useful enhancement would be to extract information from a pyinstaller archive file.
Whilst the `requirements.txt` file is often used to capture module dependencies, it would be good to capture dependencies from other sources such as `setup.py` and `pyproject.toml` files.
We use sbom4python to construct an sbom for our product. Our environment was built around python 3.9 and the sbom generation seemed correct. Now that we upgraded our environment to...
See https://github.com/anthonyharrison/lib4sbom/issues/49. Confirm that the license for a module is reported regardless of installation/packaging approach.
Using `pip show` to collect package metadata only returns a select few metadata fields of a package. Using `importlib.metadata` would allow access to all of them, such as Download-URL, Project-URL, and...
Hi, and thanks for the SBOM tools! We've been trying this out and since I have a large-ish number of projects/workflows that are run from the top-level of a git...