
The best way to generate a SBOM for a python project? #1022

Open
MohammedAziz02 opened this issue Apr 27, 2024 · 2 comments

Comments

@MohammedAziz02

I have a python project with a requirements.txt file that contains some dependencies like this one: "cryptography>=3.2.1,<43.0.0". When generating the SBOM using cdxgen -t python -o SBOM.json, I have pkg:pypi/cryptography@3.2.1%2C%3C43.0.0, which misses the precision, or sometimes something like pkg:pypi/test@latest. Is there any way to have exactly the installed version in the SBOM output?

@prabhu
Contributor

prabhu commented Apr 28, 2024

@MohammedAziz02, python is an extremely challenging language. Given a version specifier like your example, different combinations of python + pip might install completely different versions of direct and indirect dependencies. Here is how I personally generate the SBOM:

  • Set up a virtual environment
  • Install the required devel packages in the OS
  • pip install within the virtual environment. Resolve all the build errors.
  • Run cdxgen from within the virtual environment in --deep mode

Sometimes, using the container image of cdxgen might help, especially when using Windows or Mac, where many python dependencies wouldn't install correctly.

Always run cdxgen with the environment variable CDXGEN_DEBUG_MODE=debug which will list all build errors.
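An added check for the symptom this issue describes (my own example, not code from the issue or from cdxgen): after running the steps above, scan the generated bom.json for components whose purl version is still a specifier range or a "latest" placeholder rather than one exact installed version. The sample BOM below is constructed inline from the two purls quoted in the issue plus one pinned component; feeding it a real file (json read by the caller) is assumed.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample: minimal CycloneDX BOM containing the two
# unresolved purl shapes reported in the issue and one pinned purl.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "cryptography",
         "version": ">=3.2.1,<43.0.0",
         "purl": "pkg:pypi/cryptography@3.2.1%2C%3C43.0.0"},
        {"type": "library", "name": "test", "version": "latest",
         "purl": "pkg:pypi/test@latest"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
})

# An exact PEP 440 version never contains comparison operators, commas
# or wildcards; an epoch ("1!2.0") is legal, so "!" is deliberately absent.
_SPECIFIER_CHARS = re.compile(r"[<>=,*]")
_PLACEHOLDERS = {"latest", "", "*"}


def purl_version(purl: str) -> str:
    """Return the percent-decoded version part of a purl ("" if none)."""
    body = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    if "@" not in body:
        return ""
    return unquote(body.rsplit("@", 1)[1])


def is_pinned(version: str) -> bool:
    """True only for a single exact version, not a range or placeholder."""
    v = version.strip()
    return v.lower() not in _PLACEHOLDERS and not _SPECIFIER_CHARS.search(v)


def unpinned_components(bom_json: str) -> list:
    """Return (name, purl, decoded version) for each unresolved component."""
    findings = []
    for comp in json.loads(bom_json).get("components", []):
        purl = comp.get("purl", "")
        version = purl_version(purl) or comp.get("version", "")
        if not is_pinned(version):
            findings.append((comp.get("name"), purl, version))
    return findings
```

An empty result means every component resolved to an exact version; a non-empty one means the build environment (or cdxgen's --deep mode) still needs fixing before the SBOM is trustworthy.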

@prabhu
Contributor

prabhu commented Apr 28, 2024

You can also give the new unofficial python image a try. Run the below command from within the application directory.

docker run --rm -e CDXGEN_DEBUG_MODE=debug -v /tmp:/tmp -v $(pwd):/app -it ghcr.io/appthreat/cdxgen-python:v10 -r -o /app/bom.json /app -t python --deep
