CycloneDX / cyclonedx-python

CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments
https://cyclonedx.org
Apache License 2.0

pyproject.toml does not appear to be supported #237

Closed coderpatros closed 3 years ago

coderpatros commented 3 years ago

From https://github.com/CycloneDX/gh-python-generate-sbom/issues/2

The generator mentions using requirements.txt. However, the Python community is moving away from using requirements.txt to integrating the build system and all requirements into a pyproject.toml file. Any chance this will be added to gh-python-generate-sbom?

madpah commented 3 years ago

Hi @coderpatros,

The latest cyclonedx-python-lib does support Poetry (pyproject.toml), but that has not yet been exposed in this main app.

Will get that organised.

Note: We'll be supporting poetry.lock, not pyproject.toml directly - is that an issue @coderpatros?

madpah commented 3 years ago

@coderpatros - latest release 1.1.0 now supports poetry.lock file parsing.

See README for details.

slemouzy commented 2 years ago

Hi @madpah, nice to see that poetry.lock is supported, that's working well. However, there is a limitation when a project is using some optional dependencies (cf. https://python-poetry.org/docs/pyproject/#extras).

In fact we are publishing different versions of our software containing more or fewer dependencies using this poetry feature. Thus, we would like to generate an SBOM for each version. To overcome this limitation, I guess it would require to parse the pyproject.toml and the poetry.lock file plus an option to define the optional dependencies to include.

I'm also wondering if for now cyclonedx is including the dev dependencies or not.

Is there any plan to control more precisely the set of dependencies to include in the output?
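Added example, not cyclonedx-python's own code, illustrating the selection slemouzy describes: read pyproject.toml for the non-optional roots plus whatever the chosen extras add, then walk poetry.lock for their transitive closure, leaving dev-category packages out unless asked for. The sample files, the `resolve` helper and its rules are constructed here; it assumes the `category` field of the older poetry.lock format.

```python
# Added example (not cyclonedx-python's own code): which locked packages belong
# in an SBOM for a chosen set of Poetry extras, with dev dependencies opt-in.
try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # pip install tomli on older interpreters
# Constructed pyproject.toml: psycopg2 is only pulled in by the "postgres" extra.
PYPROJECT = """
[tool.poetry.dependencies]
python = "^3.9"
requests = "^2.28"
psycopg2 = {version = "^2.9", optional = true}
[tool.poetry.extras]
postgres = ["psycopg2"]
"""
# Constructed poetry.lock trimmed to the fields used here. A real lock file has
# one [[package]] section per entry; inline tables just keep the sample short.
LOCK = """
package = [
  {name = "requests", version = "2.28.1", category = "main", dependencies = {certifi = ">=2017.4.17", PySocks = {version = ">=1.5.6", optional = true}}},
  {name = "certifi", version = "2022.9.24", category = "main"},
  {name = "pysocks", version = "1.7.1", category = "main"},
  {name = "psycopg2", version = "2.9.5", category = "main"},
  {name = "pytest", version = "7.1.3", category = "dev"},
]
"""

def norm(name: str) -> str:  # PEP 503-style, so pyproject and lock names match
    return name.lower().replace("_", "-")
def is_optional(spec) -> bool:  # {version = "...", optional = true} style spec
    return isinstance(spec, dict) and bool(spec.get("optional"))
def resolve(pyproject: str, lock: str, extras=(), include_dev=False) -> dict:
    """Return {name: version} for the transitive closure of the selected roots."""
    poetry = tomllib.loads(pyproject)["tool"]["poetry"]
    locked = {norm(p["name"]): p for p in tomllib.loads(lock)["package"]}
    roots = {norm(n) for n, s in poetry["dependencies"].items() if n != "python" and not is_optional(s)}
    for extra in extras:  # an unknown extra raises KeyError, which is the right failure
        roots.update(norm(n) for n in poetry["extras"][extra])
    if include_dev:
        roots.update(n for n, p in locked.items() if p.get("category") == "dev")
    result, todo = {}, sorted(roots)
    while todo:
        name = todo.pop()
        if name in result:
            continue
        if name not in locked:  # stale lock: fail rather than emit a partial SBOM
            raise ValueError(f"{name} is not in poetry.lock")
        result[name] = locked[name]["version"]
        todo.extend(norm(d) for d, s in locked[name].get("dependencies", {}).items() if not is_optional(s))
    return result
```

Note that `pysocks` sits in the lock file but never appears in the output: it is an extras-only dependency of `requests`, which is exactly the case a lock-only parser gets wrong.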