Open Niccolum opened 3 years ago
Just a weekend brain dump from me as I use a combination of pip-licenses and cyclonedx-python to get all I need to extract metadata for various packages.
pip-licenses does a better job of extracting licenses (and especially finding license texts from files), while cyclonedx-python supports more data sources (poetry, requirements, etc). If this is implemented here, instead of reimplementing it, it might be better to reuse cyclonedx-python's parsers (or its underlying libraries) and have pip-licenses work as a wrapper for output.
I haven't compared the sources enough to be able to tell if it's feasible, but just an idea before I forget :)
Edit: of course, as also stated in https://cyclonedx-bom-tool.readthedocs.io/en/latest/usage.html#parser-schema-support, static analysis of these files without installing has its limitations as you don't get the entire dependency graph without installing or making API calls to pypi or so.
Just a weekend brain dump from me as I use a combination of pip-licenses and cyclonedx-python to get all I need to extract metadata for various packages.
@nejch Can you please elaborate what you do exactly. I had the same scenario in mind. Thanks a lot!
It could also be useful to ignore packages listed in a requirements.txt file (e.g. requirements-dev.txt).
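The two ideas in this thread, joining cyclonedx-python's component list with pip-licenses' license data and dropping packages listed in a requirements file such as requirements-dev.txt, as an added, stand-alone example. This is not code from either project: it assumes the CycloneDX JSON layout (`components` entries with `name`, `version`, `purl`) and the `Name`/`License`/`LicenseFile` keys that `pip-licenses --format=json --with-license-file` emits; the BOM, pip-licenses entries and requirements text are constructed inline. It also shows the caveat from the edit above: a package known only from static parsing and never installed gets no license from pip-licenses, so it is reported as `UNKNOWN` rather than silently dropped.

```python
"""Added example (not pip-licenses or cyclonedx-python code): merge a CycloneDX
BOM with pip-licenses JSON output and drop packages listed in an ignore file."""
import json
import re
from typing import Dict, Iterable, List


def normalize(name: str) -> str:
    """PEP 503 name normalisation: 'Flask_SQLAlchemy' -> 'flask-sqlalchemy'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Leading project name of a requirement line (before extras, specifiers, markers).
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> List[str]:
    """Normalised project names from requirements.txt-style text.

    Comments, blank lines, pip options (-r, -e, --index-url ...) and bare URL
    requirements are skipped; 'pytest>=7.0' and 'black[d]==23.1.0 ; ...' give
    'pytest' and 'black'.
    """
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def merge(bom: dict, pip_licenses: List[dict], ignore: Iterable[str]) -> List[dict]:
    """Join BOM components with pip-licenses entries by normalised name.

    Components named in `ignore` are dropped. A component pip-licenses never
    saw (not installed, only found by static parsing) is kept with 'UNKNOWN'.
    """
    ignored = {normalize(n) for n in ignore}
    by_name: Dict[str, dict] = {normalize(e["Name"]): e for e in pip_licenses}
    merged = []
    for comp in bom.get("components", []):
        key = normalize(comp["name"])
        if key in ignored:
            continue
        lic = by_name.get(key)
        merged.append({
            "name": comp["name"],
            "version": comp.get("version"),
            "purl": comp.get("purl"),
            "license": lic["License"] if lic else "UNKNOWN",
            "license_file": lic.get("LicenseFile") if lic else None,
        })
    return merged


# --- Constructed sample inputs; shapes assumed from the two tools' JSON output ---
BOM = {  # minimal CycloneDX-style document, as if parsed from a requirements file
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "pytest", "version": "7.4.0",
         "purl": "pkg:pypi/pytest@7.4.0"},
        {"type": "library", "name": "flask_sqlalchemy", "version": "3.1.1",
         "purl": "pkg:pypi/flask-sqlalchemy@3.1.1"},
        {"type": "library", "name": "internal-lib", "version": "0.1.0"},  # not installed
    ],
}

PIP_LICENSES = [  # entries in the style of `pip-licenses --format=json --with-license-file`
    {"Name": "requests", "Version": "2.31.0", "License": "Apache Software License",
     "LicenseFile": "/venv/site-packages/requests-2.31.0.dist-info/LICENSE"},
    {"Name": "pytest", "Version": "7.4.0", "License": "MIT License",
     "LicenseFile": "/venv/site-packages/pytest-7.4.0.dist-info/LICENSE"},
    {"Name": "Flask-SQLAlchemy", "Version": "3.1.1", "License": "BSD License",
     "LicenseFile": "/venv/site-packages/flask_sqlalchemy-3.1.1.dist-info/LICENSE.txt"},
]

DEV_REQUIREMENTS = """\
# development-only tooling, excluded from the license report
-r requirements.txt
pytest>=7.0          # test runner
black[d]==23.1.0 ; python_version >= "3.8"
"""


def report(bom: dict = BOM, licenses: List[dict] = PIP_LICENSES,
           ignore_text: str = DEV_REQUIREMENTS) -> List[dict]:
    """Merged license rows for everything in the BOM except the ignored packages."""
    return merge(bom, licenses, parse_requirements(ignore_text))


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Name normalisation is the part that bites in practice: a BOM built from `flask_sqlalchemy` in a requirements file and pip-licenses reporting the distribution as `Flask-SQLAlchemy` only line up once both sides go through the same PEP 503 rule. The `UNKNOWN` rows are the ones to review by hand, since they are exactly the packages the static parse found but the installed environment did not cover.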