Add a SBOM command-line generator tool. #191
Conversation
This patch adds the sbom_generator utility, which examines a Python project and outputs an SPDX SBOM to standard output. Fixes spdx#171. Signed-off-by: Jeff Licquia <[email protected]>
Addressing feedback from the previous PR (#170):
I'll leave the question of whether we need this as a CLI tool for others to discuss; suffice it to say that there is demand for this kind of tool.
@licquia thanks for the update!
In #170 (review) I wrote:
this would be best in the examples directory or a separate repo especially since this is making outgoing network calls on a whole current installation.
This would benefit from some doc and tests
This introduces an undeclared dependency with importlib_metadata
Making network calls in the core SPDX parsing library is not something that is going to be acceptable for corporate users that run in an isolated network. There are also no tests. Do you mind moving this to the examples/ directory instead?
No network calls were introduced into the library, just the command-line utility. If this is a sticking point for the project, I could add a bracket option that could drop the command-line tools, as I expect folks who are that concerned about spurious command-line tools may well want the others dropped as well. As I mentioned in my PR, the new utility has the exact same number of tests as the other utilities that are included. I hope to submit a PR for better tests for all the command-line utilities at some point. As for moving to
(whatever that latter command looks like). If you have a better idea for making that possible, I'm all ears.
Hey, I am not sure if we would want to have that within the tools. I would assume that we should focus on the library first. Especially since that is in the meantime solved by https://github.com/nexB/python-inspector
This patch adds the sbom_generator utility, which examines a Python
project and outputs an SPDX SBOM to standard output.
Fixes #171.
Signed-off-by: Jeff Licquia [email protected]
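An offline variant of what the thread describes, added here as an example and not the PR's sbom_generator code: it enumerates the installed distributions with the standard-library importlib.metadata (so no undeclared importlib_metadata backport) and writes SPDX 2.3 tag/value output without any network lookups, which is the reviewer's objection above. The tool name and document namespace are placeholders.

```python
# Added example: offline SPDX tag/value SBOM of the Python distributions
# visible to this interpreter. Standard library only; no network access.
import importlib.metadata as md
import re
from datetime import datetime, timezone


def spdx_id(name: str) -> str:
    # SPDXRef identifiers may only contain letters, digits, '.' and '-'.
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def purl_name(name: str) -> str:
    # PyPI name normalisation used in package URLs: lowercase, runs of -_. to '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def collect_installed():
    """Return sorted (name, version) pairs read from local dist-info metadata."""
    seen = {}
    for dist in md.distributions():
        name = dist.metadata["Name"]
        if name:  # skip broken dist-info directories with no Name field
            seen[name.lower()] = (name, dist.version)
    return [seen[k] for k in sorted(seen)]


def build_spdx(packages, doc_name="python-environment", created=None):
    """Render a minimal SPDX 2.3 tag/value document for (name, version) pairs."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [
        "SPDXVersion: SPDX-2.3", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {doc_name}",
        f"DocumentNamespace: https://example.invalid/spdx/{doc_name}",  # placeholder
        "Creator: Tool: offline-sbom-example",  # placeholder tool name
        f"Created: {created}",
    ]
    for name, version in packages:
        pid = spdx_id(name)
        lines += [
            "", f"PackageName: {name}", f"SPDXID: {pid}", f"PackageVersion: {version}",
            # Nothing is fetched, so origin and licence are explicitly not asserted.
            "PackageDownloadLocation: NOASSERTION", "FilesAnalyzed: false",
            "PackageLicenseConcluded: NOASSERTION", "PackageLicenseDeclared: NOASSERTION",
            f"ExternalRef: PACKAGE-MANAGER purl pkg:pypi/{purl_name(name)}@{version}",
            f"Relationship: SPDXRef-DOCUMENT DESCRIBES {pid}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_spdx(collect_installed()), end="")
```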