
Pick an SBOM format #3

Closed
woodruffw opened this issue Sep 2, 2021 · 4 comments
component:cli CLI components

Comments

woodruffw (Member) commented Sep 2, 2021

Emitting a well-known SBOM format is a lower priority, but it's something we specified in the proposal.

Two good options are SPDX and CycloneDX; we should determine:

  • Which one(s) have good, maintained Python APIs
  • Which one(s) have community adoption
woodruffw (Member, Author) commented

Related: here's CycloneDX's (official?) Python module: https://github.com/CycloneDX/cyclonedx-python

stevespringett commented Sep 14, 2021

There's also https://github.com/CycloneDX/cyclonedx-python-lib which is a reusable library containing the model and serializations to JSON and XML. https://github.com/CycloneDX/cyclonedx-python builds on top of the python library.

Let us know if you have any questions implementing CycloneDX. There's a vibrant community of adopters and implementors in the project Slack workspace.

And yes, they are both officially supported implementations.

woodruffw (Member, Author) commented

Thanks for linking those!

@tetsuo-cpp tetsuo-cpp self-assigned this Sep 16, 2021
@di di added this to the Follow-on milestone Oct 26, 2021
@woodruffw woodruffw modified the milestones: Follow-on, Stable Release Oct 26, 2021
@tetsuo-cpp tetsuo-cpp removed their assignment Oct 27, 2021
@woodruffw woodruffw self-assigned this Oct 27, 2021
@woodruffw woodruffw added the component:cli CLI components label Oct 28, 2021
woodruffw (Member, Author) commented

Based on the current maturity of the Python SPDX ecosystem, I'm inclined to say that we should go with CycloneDX for now. We'll probably want to use cyclonedx-python-lib directly, rather than the cyclonedx-python tool.

Some braindump notes:

  • The Bom model is the heart of the library -- we'll want to construct one, either from a "parser" (it looks like they support a sub/superset of our dependency sources directly), or manually by visiting each entry in an abstract dependency source. The latter might be more reliable, since some of their parsers (e.g. the requirements ones) won't function fully unless every dependency is pinned.

Closing so that we can formally unblock #77.
