Open KramNamez opened 1 year ago
adding external components, like a runtime, is not yet possible in CycloneDX. Well, it is possible, but to an insufficient extent.
The CycloneDX specification team is aware that "external dependencies" are a thing. We will be working to have this feature available in the spec. See https://github.com/CycloneDX/specification/issues/321
After the spec formally enables this feature, we could discuss implementation details here.
As discussed in https://github.com/CycloneDX/cyclonedx-python/discussions/393#discussioncomment-7270903 the specific version of Python that a piece of software is run with is an important part of its dependencies.
Therefore, although the Python version isn't usually bundled with a piece of software, it can be useful to know what version was used when the SBOM was generated - ideally, because that is the same version it is deployed with or was used to build the wheel.
For internal tools, it provides visibility into which Python versions are being used.
Limitations: Especially if a tool isn't packaged but simply deployed, it can be used with any Python version that supports all features it uses, and the SBOM cannot accurately reflect that. This could potentially be misleading.
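As an added illustration (not code from cyclonedx-python or the CycloneDX project), the script below records the generating interpreter as a CycloneDX `platform` component that the root application depends on, and gives an SBOM consumer a check for the limitation just described: the recorded version is only what was observed at generation time, so a consumer should compare it against the interpreter actually in use. It uses only the standard library; the property name `example:python.runtime.observed`, the `bom-ref` layout and the `pkg:generic/...` purl form are assumptions made for this example, not conventions defined by the spec or the tool.

```python
import json
import platform
from typing import Any, Dict, List, Optional

# Constructed example: a hypothetical property name that marks the runtime
# component as "observed when the SBOM was generated", not a pinned requirement.
RUNTIME_OBSERVED_PROPERTY = "example:python.runtime.observed"


def runtime_component(version: Optional[str] = None,
                      implementation: Optional[str] = None) -> Dict[str, Any]:
    """Describe a Python interpreter as a CycloneDX component of type 'platform'.

    Defaults come from the interpreter running this code; callers may pass
    explicit values, e.g. for a known deployment target.
    """
    version = version or platform.python_version()
    implementation = (implementation or platform.python_implementation()).lower()
    return {
        "type": "platform",
        "bom-ref": f"runtime:{implementation}@{version}",
        "name": implementation,
        "version": version,
        # purl layout is an assumption for illustration only.
        "purl": f"pkg:generic/{implementation}@{version}",
        "properties": [{"name": RUNTIME_OBSERVED_PROPERTY, "value": "true"}],
    }


def build_bom(app_name: str, app_version: str,
              runtime: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Minimal CycloneDX 1.5 JSON document whose root application depends on the runtime."""
    runtime = runtime or runtime_component()
    app_ref = f"{app_name}@{app_version}"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "bom-ref": app_ref,
                "name": app_name,
                "version": app_version,
            }
        },
        "components": [runtime],
        "dependencies": [{"ref": app_ref, "dependsOn": [runtime["bom-ref"]]}],
    }


def observed_runtimes(bom: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the platform components flagged as observed at generation time."""
    result = []
    for comp in bom.get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if comp.get("type") == "platform" and props.get(RUNTIME_OBSERVED_PROPERTY) == "true":
            result.append(comp)
    return result


def runtime_matches(bom: Dict[str, Any], running_version: Optional[str] = None) -> bool:
    """Consumer-side check: does the interpreter recorded in the SBOM match the one
    actually running?  An SBOM with no recorded runtime yields False, so a missing
    entry is treated as 'unknown' rather than as a match."""
    running_version = running_version or platform.python_version()
    observed = observed_runtimes(bom)
    return bool(observed) and all(c["version"] == running_version for c in observed)


if __name__ == "__main__":
    bom = build_bom("internal-tool", "2.3.0")
    print(json.dumps(bom, indent=2))
    print("runtime matches current interpreter:", runtime_matches(bom))
```

Running the script prints the generated document and whether the recorded runtime matches the current interpreter; in a deployment pipeline the `runtime_matches` check is the place where the mismatch the limitation warns about becomes visible instead of silently misleading.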