search

fsfe / reuse-tool

reuse is a tool for compliance with the REUSE recommendations.
https://reuse.software
365 stars 137 forks source link

Let's use spdx-tools for SBOM generation #671

Open carmenbianca opened 1 year ago

carmenbianca commented 1 year ago

We can get this for free instead of doing the string manipulation we do now.

seabass-labrax commented 1 year ago

The SPDX Python libraries have been getting a lot of attention recently, with lots of refactoring and feature updates. If there anything in particular that you would need added for this, please let me know and I'll see what I can do! :smiley:

nicorikken commented 1 year ago

Agreed. I've looked a bit at the SPDX-Tools Python GitHub project and it seems a thorough library. It is promising that there is progress on the hard nuts to crack https://github.com/spdx/tools-python/issues/10 It will also better the ecosystem overall if we collaborate in this generic library instead of doing our own thing. We can adopt this library in phases, so it will be easy to get going. I have two concerns:

Distribution packaging: At the moment spdx-tools is only packaged in a NixOS and FreeBSD, so this is also a point of attention before we adopt it https://repology.org/project/python:spdx-tools/versions I created an issue over at spdx-tools to call attention to this issue and coordinate the effort https://github.com/spdx/tools-python/issues/488

Dependencies: The library has quite some dependencies for all in the output formats, which I think makes sense. The Click library I think is not necessary if we use it as a library rather than as a standalone app. Perhaps we can work with the spdx-tools team to make it optional. I consider this an improvement.

meretp commented 1 year ago

Hi @nicorikken, @carmenbianca! Very cool, that you want to use the tools-python. Regarding your second concern, nico, we already have an open issue for that and want to reduce the dependencies, the hint on Click is already helpful! Probably we will make these changes in the refactored-branch where we are working on a refactored version of the tools that has separated layers for parsing, validating and reading files. We want to bring this branch to main soon and then keep the current, stable version next to it. I would advise you to take a look at the refactored version, which has breaking changes to the current one, and consider using it in the future. The current version on main will get after the switch only bug fixes, but tend to get no new features in the future.

armintaenzertng commented 1 year ago

FYI: the refactored version of spdx/tools-python can now be found on the main branch.

mxmehl commented 1 month ago

Related to #394