raimon49 / pip-licenses

Dump the license list of packages installed with pip.
MIT License

allow to check from requirements.txt file without installing #108

Open Niccolum opened 3 years ago

stdedos commented 2 years ago

It could also be useful to ignore packages listed in a requirements.txt file (e.g. requirements-dev.txt).

nejch commented 1 year ago

Just a weekend brain dump from me as I use a combination of pip-licenses and cyclonedx-python to get all I need to extract metadata for various packages.

pip-licenses does a better job of extracting licenses (and especially finding license texts from files), while cyclonedx-python supports more data sources (poetry, requirements, etc). If this is implemented here, instead of reimplementing it, might be better to reuse cyclonedx-python's parsers (or its underlying libraries) and have pip-licenses work as a wrapper for output.

I haven't compared the sources enough to be able to tell if it's feasible, but just an idea before I forget :)

Edit: of course, as also stated in https://cyclonedx-bom-tool.readthedocs.io/en/latest/usage.html#parser-schema-support, static analysis of these files without installing has its limitations as you don't get the entire dependency graph without installing or making API calls to pypi or so.
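The two requests above (reading project names from a requirements.txt without installing them, and skipping the names listed in a second file such as requirements-dev.txt) can be sketched with the standard library alone. The following is an added example written for this thread; it is not code from pip-licenses or cyclonedx-python. It assumes plain PEP 508 style requirement lines, normalizes names the way PEP 503 does, and resolves license metadata only from what is installed locally, so entries that are not installed come back as unresolved instead of guessed, which is exactly the limitation described in the edit above. The sample file contents are constructed for the example.

```python
"""Added example (not part of pip-licenses or cyclonedx-python): a minimal
requirements.txt reader that normalizes project names, reports the declared
license of each installed package, and skips names listed in an ignore file.
Packages that are not installed are reported as None: a static read of the
file cannot tell you their license or their transitive dependencies.
"""
from __future__ import annotations

import re
from importlib import metadata

# Leading project name with optional extras; the specifier/marker tail is ignored.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Return normalized project names from requirements.txt content.

    Handles comments, blank lines and backslash continuations. Option lines
    (-r, -e, --index-url, ...) and URL/path requirements are skipped because
    they carry no resolvable project name without fetching the target.
    """
    names: list[str] = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("#", "-")):
            continue
        if "://" in line or line.startswith((".", "/")):
            continue
        match = _REQ_RE.match(line)
        if match:
            names.append(normalize_name(match.group(1)))
    return names


def installed_licenses() -> dict[str, str]:
    """Map normalized names of installed distributions to their License field,
    falling back to a 'License ::' trove classifier when the field is empty."""
    result: dict[str, str] = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if not name:
            continue
        lic = (dist.metadata.get("License") or "").strip().splitlines()
        license_text = lic[0] if lic else ""
        if license_text in ("", "UNKNOWN"):
            for classifier in dist.metadata.get_all("Classifier") or []:
                if classifier.startswith("License ::"):
                    license_text = classifier.split("::")[-1].strip()
                    break
        result[normalize_name(name)] = license_text or "UNKNOWN"
    return result


def audit(requirements_text: str, ignore_text: str = "") -> dict[str, str | None]:
    """For each requirement not present in the ignore file, return its license
    when the package is installed locally, otherwise None."""
    ignored = set(parse_requirements(ignore_text))
    licenses = installed_licenses()
    return {
        name: licenses.get(name)
        for name in parse_requirements(requirements_text)
        if name not in ignored
    }


# Constructed sample inputs for the example (not real project files).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
Requests>=2.31.0  # HTTP client
Flask[async]==3.0.0 ; python_version >= "3.8"
-r base.txt
git+https://example.invalid/repo.git#egg=something
Some_Package.Name \\
    ==1.0
"""
SAMPLE_IGNORE = "flask\n"  # e.g. a requirements-dev.txt whose packages are not shipped

if __name__ == "__main__":
    for name, lic in audit(SAMPLE_REQUIREMENTS, SAMPLE_IGNORE).items():
        print(f"{name}: {lic if lic is not None else 'not installed, license unresolved'}")
```

Running it prints one line per non-ignored requirement; names that are not installed in the current environment show as unresolved, which is the gap a static requirements parser cannot close without installing or querying an index.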

beutlich commented 1 year ago

> Just a weekend brain dump from me as I use a combination of pip-licenses and cyclonedx-python to get all I need to extract metadata for various packages.

@nejch Can you please elaborate on what you do exactly? I had the same scenario in mind. Thanks a lot!