I have a Python project with a requirements.txt file that contains some dependencies like this one: "cryptography>=3.2.1,<43.0.0". When generating the SBOM using cdxgen -t python -o SBOM.json, I get pkg:pypi/cryptography@3.2.1%2C%3C43.0.0, which misses the precision, or sometimes something like pkg:pypi/test@latest. Is there any way to have exactly the installed version in the SBOM output?
@MohammedAziz02, Python is an extremely challenging language. Given a version specifier like your example, different combinations of Python + pip might install completely different versions of direct and indirect dependencies. Here is how I personally generate the SBOM:

1. Set up a virtual environment.
2. Install the required devel packages in the OS.
3. pip install within the virtual environment. Resolve all the build errors.
4. Run cdxgen from within the virtual environment in --deep mode.

Sometimes, using the container image of cdxgen might help, especially when using Windows or Mac, where many Python dependencies wouldn't install correctly.

Always run cdxgen with the environment variable CDXGEN_DEBUG_MODE=debug, which will list all build errors.
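After following the steps above, it is worth checking the generated SBOM for components whose purl still carries a version specifier or `latest` instead of the release actually installed in the venv. The checker below is an added example, not part of cdxgen or this thread; the SBOM it parses is a constructed sample in cdxgen's CycloneDX JSON shape, and the optional `installed` map (e.g. built from `pip freeze` in the venv) is an assumption for cross-checking.

```python
import json
from urllib.parse import unquote

# Constructed sample in CycloneDX JSON shape (not real cdxgen output) covering the
# cases from the issue: an unresolved specifier, "latest", a pinned release, no purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "cryptography", "version": "3.2.1,<43.0.0",
         "purl": "pkg:pypi/cryptography@3.2.1%2C%3C43.0.0"},
        {"name": "test", "version": "latest", "purl": "pkg:pypi/test@latest"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "nopurl"},
    ],
})

# Characters that only appear in a PEP 440 specifier, never in a concrete release.
SPECIFIER_CHARS = set(",<>=!~*")


def purl_version(purl):
    """Return the percent-decoded version of a purl, or None if it has none."""
    body = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    _, sep, version = body.rpartition("@")
    if not sep or "/" in version:                  # '@' belonged to a namespace, not a version
        return None
    return unquote(version)


def unresolved_components(sbom_json, installed=None):
    """Return [(name, version, reason)] for components whose recorded version is not a
    concrete release, or (when `installed` is given) differs from what the venv has."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "?")
        version = purl_version(comp["purl"]) if comp.get("purl") else comp.get("version")
        if not version:
            findings.append((name, version, "no version"))
        elif version == "latest":
            findings.append((name, version, "unpinned 'latest'"))
        elif SPECIFIER_CHARS & set(version):
            findings.append((name, version, "specifier instead of a release"))
        elif installed is not None and installed.get(name.lower()) != version:
            findings.append((name, version, "differs from installed %s" % installed.get(name.lower())))
    return findings


if __name__ == "__main__":
    for name, version, reason in unresolved_components(SAMPLE_SBOM):
        print(f"{name}@{version}: {reason}")
```

Run it against the real SBOM.json after `cdxgen --deep`; any finding means the build did not resolve cleanly and the CDXGEN_DEBUG_MODE=debug log is the place to look.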