sbom-tool
Does sbom-tool support the project which contains poetry.lock?
As I found, sbom-tool uses component-detection to scan for components and dependencies, which supports both requirements.txt and poetry.lock. But when I scanned the project with poetry.lock, it didn't work, regardless of scanning the image or the source code. It can generate the SBOM file correctly when I change poetry.lock to requirements.txt. What's the problem? The commands are as follows:
For source code: salus Generate -b ./test -bc ./test -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
For docker image: salus Generate -b ./test -bc ./test -di test:latest -pn Test -pv 0.0.1 -nsb https://test.com/ -V Verbose -m .
Let's update the component detection libraries to pick up all new changes, including this one.
Since we're not up to date with the latest CD libs yet, the Poetry detector is still in beta for sbom-tool. But since sbom-tool version 0.2.1 you should be able to enable the Poetry beta detector by providing the -cd "--DetectorArgs Poetry=EnableIfDefaultOff" argument. It may not be fully stable, but it's probably better than nothing until we upgrade to the latest CD version.
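A quick way to confirm that a generated SBOM actually captured the poetry.lock dependencies (the symptom reported above is an SBOM that silently omits them) is to diff the package names in poetry.lock against the packages listed in the SPDX JSON output. This is an added example, not code from the sbom-tool project; the sample lock file and SPDX document are constructed inline, and the assumed output path `_manifest/spdx_2.2/manifest.spdx.json` is only mentioned in a comment.

```python
import json

# Constructed sample poetry.lock excerpt (not from the page). Real lock files
# have more fields per [[package]] block; only the name line matters here.
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "requests"
version = "2.31.0"

[[package]]
name = "urllib3"
version = "2.0.7"

[[package]]
name = "certifi"
version = "2023.7.22"
"""

# Constructed SPDX 2.2 JSON excerpt of the shape sbom-tool writes
# (assumed path: <drop>/_manifest/spdx_2.2/manifest.spdx.json). The
# root package "Test" is the project itself, not a dependency.
SAMPLE_SPDX_JSON = json.dumps({
    "packages": [
        {"name": "Test", "versionInfo": "0.0.1", "SPDXID": "SPDXRef-RootPackage"},
        {"name": "requests", "versionInfo": "2.31.0", "SPDXID": "SPDXRef-Package-1"},
        {"name": "urllib3", "versionInfo": "2.0.7", "SPDXID": "SPDXRef-Package-2"},
    ]
})


def poetry_lock_packages(lock_text):
    """Return the package names declared in [[package]] blocks of a poetry.lock."""
    names, in_block = [], False
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            in_block = True
        elif line.startswith("[") and line != "[[package]]":
            in_block = False          # any other table ends the package block
        elif in_block and line.startswith("name") and "=" in line:
            names.append(line.split("=", 1)[1].strip().strip('"'))
            in_block = False          # one name per block
    return names


def spdx_package_names(spdx_text):
    """Return the lower-cased package names listed in an SPDX JSON document."""
    return {p["name"].lower() for p in json.loads(spdx_text).get("packages", [])}


def missing_from_sbom(lock_text, spdx_text):
    """Locked dependencies that the SBOM does not list; empty means full coverage."""
    listed = spdx_package_names(spdx_text)
    return [n for n in poetry_lock_packages(lock_text) if n.lower() not in listed]


if __name__ == "__main__":
    print("missing:", missing_from_sbom(SAMPLE_POETRY_LOCK, SAMPLE_SPDX_JSON))
```

Run it against a real poetry.lock and the manifest sbom-tool produced; a non-empty result means the Poetry detector was not active for that scan.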
@newertp are you still having this issue with the latest version of our tool that uses a very recent version of the component detectors?