Generating SBOM for Python Projects. #1166
MohammedAziz02
started this conversation in
Ideas
Replies: 2 comments 6 replies
-
@MohammedAziz02 This is a good observation. Are there any errors reported by cdxgen with the DEBUG environment variable? I remember adding a message or a comment that essentially says some SBOM is better than no SBOM, since the state of the virtual environment could be erroneous.
-
Please test with the master branch.
-
Hi @prabhu,
When I generate the SBOM for the same Python repository dbt-oracle using the command cdxgen -t python -o sbom.json --spec-version 1.4, even with cdxgen -t python -o sbom.json --spec-version 1.4 --deep, I encounter different results in the dependencies graph. Here are the observations:
{
"ref": "pkg:pypi/[email protected]",
"dependsOn": [
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]", // this one does not exist in 2
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]" // this one does not exist in 2
]
}
{
"ref": "pkg:pypi/[email protected]",
"dependsOn": [
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]", // this one does not exist in 1
"pkg:pypi/[email protected]", // this one does not exist in 1
"pkg:pypi/[email protected]",
"pkg:pypi/[email protected]" // this one does not exist in 1
]
}
I examined the Python script here and noticed that the order of dependencies impacts the results. The code does not handle cycles effectively. For instance, if we have a cycle such as A -> B and B -> A, the resulting graph will be incorrect.
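The post above compares two `dependencies` sections by hand and points at two properties a generator should have: the output must not change with the order in which packages are visited, and an A -> B, B -> A cycle must not corrupt the graph. The script below is an added example written for this discussion; it is not cdxgen's code and does not describe how cdxgen walks the virtual environment. It builds a CycloneDX 1.4 style `dependencies` array from a direct-dependency map with sorted, order-independent output, walks transitive dependencies with an explicit visited set so cycles terminate, and diffs the `dependsOn` lists of two SBOMs the way the post does manually. All purls (`pkg:pypi/app@1.0.0` and friends) are constructed placeholders, and the `DIRECT` map stands in for whatever a real tool would read from package metadata.

```python
"""Added example (not cdxgen's code): cycle-safe, order-independent
CycloneDX `dependencies` construction plus a dependsOn diff helper."""
import json
from collections import deque

# Constructed input: each ref maps to its *direct* requirements, already
# resolved to purls. Contains the A -> B, B -> A cycle from the discussion
# (liba -> libb -> liba). Names and versions are placeholders.
DIRECT = {
    "pkg:pypi/app@1.0.0": ["pkg:pypi/liba@2.0.0", "pkg:pypi/libc@0.3.0"],
    "pkg:pypi/liba@2.0.0": ["pkg:pypi/libb@1.1.0"],
    "pkg:pypi/libb@1.1.0": ["pkg:pypi/liba@2.0.0", "pkg:pypi/libd@4.0.0"],
    "pkg:pypi/libc@0.3.0": [],
    "pkg:pypi/libd@4.0.0": [],
}


def transitive_depends_on(root, direct):
    """Return the sorted transitive dependencies of `root` (root excluded).

    A breadth-first walk with a `seen` set: every ref is expanded at most
    once, so a cycle back to an already-visited ref (or to the root) is
    simply skipped instead of looping or duplicating entries.
    """
    seen = set()
    queue = deque(direct.get(root, []))
    while queue:
        ref = queue.popleft()
        if ref == root or ref in seen:
            continue
        seen.add(ref)
        queue.extend(direct.get(ref, []))
    return sorted(seen)


def build_dependencies(direct):
    """Build a CycloneDX 1.4 `dependencies` array (direct edges per ref).

    Refs and their dependsOn lists are sorted and de-duplicated, so two
    runs that discover packages in a different order produce byte-identical
    JSON. A ref that only appears as a dependency still gets an entry.
    """
    refs = set(direct)
    for deps in direct.values():
        refs.update(deps)
    return [
        {"ref": ref, "dependsOn": sorted(set(direct.get(ref, [])))}
        for ref in sorted(refs)
    ]


def diff_depends_on(sbom1, sbom2):
    """Compare the dependsOn lists of two parsed CycloneDX SBOM dicts.

    Returns {ref: (only_in_1, only_in_2)} for every ref whose lists differ,
    which is the comparison the discussion above did by eye.
    """
    def index(sbom):
        return {d["ref"]: set(d.get("dependsOn", []))
                for d in sbom.get("dependencies", [])}

    a, b = index(sbom1), index(sbom2)
    out = {}
    for ref in sorted(set(a) | set(b)):
        d1, d2 = a.get(ref, set()), b.get(ref, set())
        if d1 != d2:
            out[ref] = (sorted(d1 - d2), sorted(d2 - d1))
    return out


if __name__ == "__main__":
    # Same graph fed in reverse order must serialise identically.
    reversed_direct = {k: list(reversed(v)) for k, v in reversed(list(DIRECT.items()))}
    deps_a = build_dependencies(DIRECT)
    deps_b = build_dependencies(reversed_direct)
    print("order independent:", json.dumps(deps_a) == json.dumps(deps_b))
    print("transitive deps of app:",
          transitive_depends_on("pkg:pypi/app@1.0.0", DIRECT))
    print(json.dumps({"dependencies": deps_a}, indent=2))
```

Running the script against the constructed map shows that the cycle between `liba` and `libb` neither hangs the walk nor produces a self-dependency, and that reversing the discovery order leaves the serialised `dependencies` array unchanged. `diff_depends_on` can be pointed at two real SBOM JSON files (`json.load` each, then pass the dicts) to list exactly which refs gained or lost entries between a plain and a `--deep` run.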