Replies: 1 comment 1 reply
-
|
Good idea. I would ideally expect the dependency tree to get recovered with the piptree.js plugin that we have. Any errors during the pip install step shown in debug or verbose mode? |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
@Kristouff I spent some time implementing a parser for the via comments. In the end, I found that our piptree plugin is more accurate and deeper than comments left by pip-tools. I would suggest setting up a buildable environment with the correct version of Python installed and generating a build SBOM (instead of a pre-build one). |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Hi everyone,
I am trying to generate a SBOM with cdxgen for a python project.
My project has some dependencies managed with piptools.
I have a requirements.in input file with primary dependencies listed
From which I generate a requirements.txt using pip-compile containing all transitive dependencies documented through annotations
When I generate a SBOM using cdxgen, all dependencies are flattened.
Is there a way to make cdxgen take into account the dependency tree described by piptools annotations ?
Thanks
Christophe
Beta Was this translation helpful? Give feedback.
All reactions