tools-python
What is a best practice for representing Python packages in SBOM
Can someone recommend the best way to transform pip freeze output into SPDX objects? Are these packages supposed to be represented as File object?
Here is an example pip freeze output:

spdx-tools==0.6.1
stix2==2.0.2
stix2-patterns==1.3.1
taxii2-client==2.2.0
urllib3==1.25.8
virustotal-python==0.0.8
wincertstore==0.2
xmlschema==1.0.16
xmltodict==0.12.0
@rjb4standards I would suggest these are represented as a Package object.
@ekongobie - any additional suggestions?
Looking at the Package description in spdx 2.2, I'm thinking use of sub packages, which is how I view these Python dependencies, will require the use of a relationship object, according to this text:

"All Package Information fields must be grouped together before the start of a Files section, if file(s) are present. All files contained in a package must immediately follow the applicable Package Information. A new Package Information section (via Package Name) denotes the start of another package. Sub-packages should not be nested inside a Package Information section, but should be separate and should use a Relationship to clarify. Annotations and Relationships for the package may appear after the Package Information before any file information."
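As an added example (not code from this issue or from the spdx-tools library itself), the script below parses pip freeze lines, emits one SPDX 2.2 Package Information section per dependency, and then ties each to a root package with DEPENDS_ON relationships, as the spec text quoted above requires instead of nesting. The root SPDXID `SPDXRef-Application`, the NOASSERTION placeholders, and the shortened sample list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of `pip freeze` output (a subset of the list in the issue).
PIP_FREEZE = """spdx-tools==0.6.1
stix2==2.0.2
# comments and editable installs are not pinned packages
-e git+https://example.invalid/repo.git#egg=local_pkg
urllib3==1.25.8
"""

@dataclass
class PyPackage:
    name: str
    version: str

def parse_pip_freeze(text: str) -> list:
    """Parse `name==version` lines; skip blanks, comments and `-e` (editable) entries."""
    pkgs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-e ")):
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pkgs.append(PyPackage(m.group(1), m.group(2)))
    return pkgs

def spdx_id(pkg: PyPackage) -> str:
    # SPDXIDs may contain only letters, digits, '.' and '-'; replace anything else.
    safe = re.sub(r"[^A-Za-z0-9.-]", "-", f"{pkg.name}-{pkg.version}")
    return f"SPDXRef-Package-{safe}"

def to_tag_value(pkgs: list, root_id: str = "SPDXRef-Application") -> str:
    """Render separate Package Information sections, then the Relationship lines
    that link the root package to its dependencies (SPDX 2.2 tag/value syntax)."""
    out = []
    for p in pkgs:
        purl_name = p.name.lower().replace("_", "-")  # PyPI purl name normalisation
        out += [f"PackageName: {p.name}", f"SPDXID: {spdx_id(p)}",
                f"PackageVersion: {p.version}", "PackageDownloadLocation: NOASSERTION",
                "FilesAnalyzed: false", "PackageLicenseConcluded: NOASSERTION",
                "PackageLicenseDeclared: NOASSERTION", "PackageCopyrightText: NOASSERTION",
                f"ExternalRef: PACKAGE-MANAGER purl pkg:pypi/{purl_name}@{p.version}", ""]
    for p in pkgs:
        out.append(f"Relationship: {root_id} DEPENDS_ON {spdx_id(p)}")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_tag_value(parse_pip_freeze(PIP_FREEZE)))
```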
I believe this question is no longer relevant. Please speak up if the issue should be reopened.