Summary
We want to deliver SPDX SBOMs with our modules. They should contain all runtime dependencies and license information.
Details
In our poetry-based setup the most convenient way to get to an SPDX SBOM is a two-step approach via CycloneDX: generate a CycloneDX BOM from the poetry lock file, then convert it to SPDX JSON:
cyclonedx-py poetry -o bom.cdx.json
cyclonedx convert --input-file bom.cdx.json --input-format json --output-file bom.spdx.json --output-format spdxjson
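Since the whole point of the SBOM is the runtime dependency list plus license data, the converted bom.spdx.json is worth checking before it ships: a package that ends up with `NOASSERTION` for both license fields, no purl, or no relationship linking it to the described module is exactly what a downstream scanner cannot act on. The script below is an added example, not part of this issue and not output of cyclonedx-py or cyclonedx-cli; the SPDX document it audits is constructed by hand (including a deliberately incomplete package) and the `documentNamespace` is a placeholder.

```python
"""Audit an SPDX 2.3 JSON SBOM for the properties the issue asks for:
every package carries license information, non-root packages carry a purl,
and every package is reachable from the document via the dependency graph.
Added example; SAMPLE_SPDX is constructed, not real tool output."""
import json

# Constructed sample resembling a converted bom.spdx.json. "leftpad-ish"
# intentionally has no license, no purl and no relationship so the audit
# has something to report.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-module",
    "documentNamespace": "https://example.invalid/spdx/example-module",  # placeholder
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: constructed-sample"]},
    "packages": [
        {"name": "example-module", "SPDXID": "SPDXRef-Package-root",
         "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "MIT", "licenseDeclared": "MIT"},
        {"name": "requests", "SPDXID": "SPDXRef-Package-requests",
         "versionInfo": "2.31.0", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "Apache-2.0", "licenseDeclared": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "leftpad-ish", "SPDXID": "SPDXRef-Package-leftpad",
         "versionInfo": "0.1.0", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-root"},
        {"spdxElementId": "SPDXRef-Package-root", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-requests"},
    ],
})

# License values that carry no usable information for a compliance scanner.
UNKNOWN_LICENSE = {"NOASSERTION", "NONE", ""}
# Relationship types we follow (parent -> child) when walking the graph.
GRAPH_EDGES = {"DESCRIBES", "DEPENDS_ON", "CONTAINS"}


def _has_purl(pkg):
    """True if the package has a PACKAGE-MANAGER/purl external reference."""
    return any(ref.get("referenceType") == "purl"
               for ref in pkg.get("externalRefs", []))


def _reachable(doc):
    """Set of SPDX IDs reachable from the document node via GRAPH_EDGES."""
    edges = {}
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") in GRAPH_EDGES:
            edges.setdefault(rel["spdxElementId"], set()).add(rel["relatedSpdxElement"])
    seen, stack = set(), [doc.get("SPDXID", "SPDXRef-DOCUMENT")]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges.get(node, ()))
    return seen


def audit_spdx(doc):
    """Return the findings a release check should fail on."""
    described = {rel["relatedSpdxElement"] for rel in doc.get("relationships", [])
                 if rel.get("relationshipType") == "DESCRIBES"}
    reachable = _reachable(doc)
    missing_license, missing_purl, orphans = [], [], []
    for pkg in doc.get("packages", []):
        name, spdx_id = pkg.get("name", "?"), pkg.get("SPDXID")
        if (pkg.get("licenseConcluded", "") in UNKNOWN_LICENSE
                and pkg.get("licenseDeclared", "") in UNKNOWN_LICENSE):
            missing_license.append(name)
        # The described module itself is not a fetched dependency; skip its purl.
        if spdx_id not in described and not _has_purl(pkg):
            missing_purl.append(name)
        if spdx_id not in reachable:
            orphans.append(name)
    return {"missing_license": missing_license, "missing_purl": missing_purl,
            "orphans": orphans,
            "ok": not (missing_license or missing_purl or orphans)}


def audit_spdx_json(text):
    """Convenience wrapper: audit an SPDX JSON document given as a string."""
    return audit_spdx(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(audit_spdx_json(SAMPLE_SPDX), indent=2))
```

In a CI job, replace `SAMPLE_SPDX` with the contents of the generated bom.spdx.json and fail the build when `ok` is false; the three lists tell you which packages need a license annotation, a purl, or a missing `DEPENDS_ON` edge before the SBOM is useful to a scanner.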
Background & Context
SBOMs are consumed by security and compliance scanners to find vulnerable dependencies and/or non-compliant licenses in a project.
References
- https://spdx.dev/
- https://cyclonedx.org/