
Add a SBOM command-line generator tool. #191

Open. Wants to merge 2 commits into base: main
Conversation

@licquia (Collaborator) commented Sep 20, 2021

This patch adds the sbom_generator utility, which examines a Python
project and outputs a SPDX SBOM to standard output.

Fixes #171.

Signed-off-by: Jeff Licquia [email protected]

@licquia (Collaborator, Author) commented Sep 20, 2021

Addressing feedback from the previous PR (#170):

  • I've improved the docs to be in line with the other CLI tools. It doesn't appear any of the tools have tests, which I agree we should have.
  • I've also added a note to the docs describing the importlib_metadata dependency; it is only needed for Python 3.7 or earlier.

I'll leave the question of whether we need this as a CLI tool for others to discuss; suffice it to say that there is demand for this kind of tool.
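The thread describes the generator as reading a Python project's installed package metadata and writing an SPDX document to standard output, with importlib_metadata needed only on Python 3.7 and earlier. The following is an added example illustrating that approach; it is not the PR's own sbom_generator code. It enumerates installed distributions through importlib.metadata (falling back to the importlib_metadata backport), renders an SPDX 2.2 tag-value document, and makes no network calls, so it can run on an isolated network. The tool name, the document namespace and the NOASSERTION placeholders for download location and license are assumptions.

```python
"""Minimal offline SPDX tag-value SBOM for an installed Python environment.

Added example for this discussion; not the PR's sbom_generator code.
Only local package metadata is read, so nothing here touches the network.
"""
import re
import sys

# importlib.metadata joined the standard library in Python 3.8; the
# importlib_metadata backport (the dependency discussed in the thread)
# covers Python 3.7 and earlier.
try:
    from importlib import metadata as importlib_metadata
except ImportError:  # Python <= 3.7
    import importlib_metadata  # type: ignore


def installed_packages():
    """Return sorted (name, version) pairs for every installed distribution.

    Duplicate names (e.g. the same package visible on two sys.path entries)
    are reported once, with the first version found.
    """
    seen = {}
    for dist in importlib_metadata.distributions():
        name = dist.metadata["Name"]
        if name and name not in seen:
            seen[name] = dist.version or "NOASSERTION"
    return sorted(seen.items(), key=lambda kv: kv[0].lower())


def spdx_id(name):
    """Build an SPDX identifier: only letters, digits, '.' and '-' are allowed."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def render_spdx(project_name, packages):
    """Render an SPDX 2.2 tag-value document describing `packages`.

    `packages` is an iterable of (name, version) pairs.  Fields that would
    require an external lookup (download location, licenses) are set to
    NOASSERTION instead of being fetched from a package index.
    """
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        "DocumentName: " + project_name,
        # Assumed placeholder namespace; a real tool would generate a unique URI.
        "DocumentNamespace: http://spdx.org/spdxdocs/" + project_name + "-EXAMPLE",
        "Creator: Tool: sbom-example",  # assumed tool name
        "",
    ]
    for name, version in packages:
        pkg_id = spdx_id(name)
        lines += [
            "PackageName: " + name,
            "SPDXID: " + pkg_id,
            "PackageVersion: " + version,
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false",
            "PackageLicenseConcluded: NOASSERTION",
            "PackageLicenseDeclared: NOASSERTION",
            "",
            "Relationship: SPDXRef-DOCUMENT DESCRIBES " + pkg_id,
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python sbom_example.py > project.spdx
    sys.stdout.write(render_spdx("my-project", installed_packages()))
```

Because every field that would normally be looked up online is left as NOASSERTION, the output is honest about what was verified locally and the script stays usable behind an air gap; enriching those fields is a separate, explicitly online step.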

@pombredanne (Member) left a comment

@licquia thanks for the update!
In #170 (review) I wrote:

this would be best in the examples directory or a separate repo especially since this is making outgoing network calls on a whole current installation.
This would benefit from some doc and tests
This introduces an undeclared dependency with importlib_metadata

Making network calls in the core SPDX parsing library is not something that is going to be acceptable for corporate users that run in an isolated network. There are also no tests. Do you mind moving this to the examples/ directory instead?

@licquia (Collaborator, Author) commented Oct 18, 2021

No network calls were introduced into the library, just the command-line utility. If this is a sticking point for the project, I could add a bracket option that could drop the command-line tools, as I expect folks who are that concerned about spurious command-line tools may well want the others dropped as well.

As I mentioned in my PR, the new utility has the exact same number of tests as the other utilities that are included. I hope to submit a PR for better tests for all the command-line utilities at some point.

As for moving to examples: the whole point of this PR is to make it possible for people to generate SBOMs for Python projects easily. Making the SBOM tool impossible to run without post-install manipulation does not meet the goal. Basically, we need to be able to do:

pip install spdx-tools
make_an_sbom_for_my_project

(whatever that latter command looks like). If you have a better idea for making that possible, I'm all ears.

@maxhbr (Member) commented Nov 8, 2022

Hey, I am not sure if we would want to have that within the tools. I would assume that we should focus on the library first. Especially since that is in the meantime solved by https://github.com/nexB/python-inspector

Successfully merging this pull request may close these issues: Add sbom_generator command-line tool

3 participants