Open slimreaper35 opened 1 week ago
Example with pip:
The PURLs are the same for each requirement, so the number of components differs from the number of downloaded artifacts. Dependencies are from the https://github.com/cachito-testing/cachi2-pip-wheels/tree/no-sdists integration test.
diff --git a/cachi2/core/package_managers/pip.py b/cachi2/core/package_managers/pip.py
index 08f55027..e41f135c 100644
--- a/cachi2/core/package_managers/pip.py
+++ b/cachi2/core/package_managers/pip.py
@@ -209,6 +209,7 @@ def fetch_pip_source(request: Request) -> RequestOutput:
replaced_requirements_files = map(_replace_external_requirements, info["requirements"])
project_files.extend(filter(None, replaced_requirements_files))
+ print(len(components))
return RequestOutput.from_obj_list(
components=components,
environment_variables=environment_variables,
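Review bot: `print(len(components))` in `fetch_pip_source` writes an unlabelled integer to stdout, so in the captured run it shows up as a bare `168` that can only be tied back to this hunk by position; if the instrumentation is meant to outlive debugging, route it through the module logger (the run output shows the project already logs via `logging`, see the INFO line) with a message naming what is counted, e.g. `log.debug("pip components before RequestOutput: %d", len(components))` (logger name assumed). Note also that this count is taken before `RequestOutput.from_obj_list` is built, while the second print in `cli.py` is taken after `generate_sbom()`, so the gap between the two printed values brackets where the PURL consolidation happens but does not by itself show which step performs it.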
diff --git a/cachi2/interface/cli.py b/cachi2/interface/cli.py
index d98771df..3198617e 100644
--- a/cachi2/interface/cli.py
+++ b/cachi2/interface/cli.py
@@ -286,6 +286,7 @@ def fetch_deps(
)
sbom = request_output.generate_sbom()
+ print(len(sbom.components))
request.output_dir.join_within_root("bom.json").path.write_text(
# the Sbom model has camelCase aliases in some fields
sbom.model_dump_json(indent=2, by_alias=True, exclude_none=True)
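Review bot: `print(len(sbom.components))` is again a bare stdout print, placed immediately before `bom.json` is written; the same logger suggestion applies. Since `sbom.components` here is the final model that gets serialised, its length is the value the integration test referenced in the description should assert on (for instance by loading the written `bom.json` and comparing `len(components)` against the expected count once per-platform listing is decided) rather than something read off stdout, which also makes the pip/bundler behaviour mentioned in the description testable in one place.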
Result:
...
168
12
2024-11-06 13:02:12,650 INFO All dependencies fetched successfully \o/
Currently, downloaded artifacts with identical PURLs are deduplicated consistently across both pip and bundler ecosystems, resulting in consolidated entries in the SBOM. This issue suggests checking if this approach misses important platform-specific details. The goal is to see if listing packages separately for each platform would make the SBOM more accurate while keeping things straightforward. If needed, this update would apply to both pip and bundler.
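Added example (not cachi2 code) of the mismatch this issue describes: a constructed set of pip wheels for one release across four platforms collapses to a single component when keyed on the bare `pkg:pypi` PURL, but stays one component per downloaded artifact when the purl-spec `checksum` and `file_name` qualifiers are added. The wheel filenames and digests are constructed sample data, not the integration test's real artifacts.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote

# PEP 427 wheel filename: name-version(-build)?-pytag-abitag-platform.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)

@dataclass(frozen=True)
class Artifact:
    filename: str
    sha256: str  # constructed placeholder digests, not real hashes

def base_purl(filename: str) -> str:
    """pkg:pypi PURL as generated today: identical for every platform wheel of one release."""
    m = WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a wheel filename: {filename}")
    name = re.sub(r"[-_.]+", "-", m["name"]).lower()  # PEP 503 name normalisation
    return f"pkg:pypi/{name}@{m['version']}"

def qualified_purl(a: Artifact) -> str:
    """Same PURL plus the purl-spec 'checksum' and 'file_name' qualifiers, distinct per wheel."""
    return f"{base_purl(a.filename)}?checksum=sha256:{a.sha256}&file_name={quote(a.filename, safe='')}"

def dedup_by(artifacts: list[Artifact], key) -> list[Artifact]:
    """Mimic SBOM consolidation: keep the first artifact seen for each distinct key."""
    seen: dict[str, Artifact] = {}
    for a in artifacts:
        seen.setdefault(key(a), a)
    return list(seen.values())

# Constructed sample: one release fetched for four platforms plus one pure-Python wheel.
ARTIFACTS = [
    Artifact("cryptography-43.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", "a1"),
    Artifact("cryptography-43.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", "a2"),
    Artifact("cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl", "a3"),
    Artifact("cryptography-43.0.1-cp39-abi3-win_amd64.whl", "a4"),
    Artifact("six-1.16.0-py2.py3-none-any.whl", "b1"),
]

def component_counts(artifacts: list[Artifact] = ARTIFACTS) -> tuple[int, int, int]:
    """(downloaded artifacts, SBOM components by bare PURL, components by qualified PURL)."""
    by_purl = dedup_by(artifacts, lambda a: base_purl(a.filename))
    return len(artifacts), len(by_purl), len(dedup_by(artifacts, qualified_purl))
```

With the bare PURL the SBOM consumer cannot tell which platform wheels were actually fetched; the qualified form keeps that per-artifact detail at the cost of one component per download.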