As discussed in #393 (reply in thread) the specific version of Python that a piece of software is run with is an important part of its dependencies.
Therefore, although the Python version isn't usually bundled with a piece of software, it can be useful to know what version was used when the SBOM was generated - ideally, because that is the same version it is deployed with or was used to build the wheel.
For internal tools, it provides visibility into which Python versions are being used.
Limitations:
Especially if a tool isn't packaged but simply deployed, it can be used with any Python version that supports all features it uses, and the SBOM cannot accurately reflect that. This could potentially be misleading.
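To make that limitation concrete, here is an added example (not code from cyclonedx-python or from this issue): it records the interpreter used at generation time as a component in a minimal CycloneDX 1.5 JSON document, and gives a deployer a check that compares the recorded runtime with the one actually in use. Listing the runtime as a `platform` component and the `example:runtime.python.version` property key are assumptions made for illustration, not a convention the spec or the tool defines.

```python
import json
import sys

# Assumed, hypothetical property key; the spec prescribes no key for this.
RUNTIME_PROPERTY = "example:runtime.python.version"


def describe_runtime() -> dict:
    """Describe the running interpreter as a CycloneDX component dict.

    Using component type "platform" for the runtime is an assumption of this
    example, not something cyclonedx-python does.
    """
    vi = sys.version_info
    version = f"{vi.major}.{vi.minor}.{vi.micro}"
    return {
        "type": "platform",
        "name": sys.implementation.name,  # e.g. "cpython"
        "version": version,
        "properties": [{"name": RUNTIME_PROPERTY, "value": version}],
    }


def build_sbom(app_name: str, app_version: str) -> dict:
    """Minimal CycloneDX 1.5 SBOM for an app that also lists the generating runtime."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [describe_runtime()],
    }


def recorded_runtime(sbom: dict):
    """Return (name, version) of the runtime recorded in the SBOM, or None if absent."""
    for comp in sbom.get("components", []):
        if comp.get("type") == "platform":
            return comp.get("name"), comp.get("version")
    return None


def runtime_matches(sbom: dict, name: str, version: str) -> bool:
    """The SBOM only knows the interpreter present at generation time, so the
    deployer must compare it against the deployment runtime explicitly."""
    return recorded_runtime(sbom) == (name, version)


if __name__ == "__main__":
    bom = build_sbom("internal-tool", "0.1.0")  # constructed sample application
    print(json.dumps(bom, indent=2))
    print("runtime matches:", runtime_matches(bom, sys.implementation.name, "%d.%d.%d" % sys.version_info[:3]))
```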
adding external components, like a runtime, is not yet possible in CycloneDX.
Well, it is possible, but to an insufficient extent.
The CycloneDX specification team is aware that "external dependencies" are a thing.
We will be working to have this feature available in the spec.
see CycloneDX/specification#321
Once the spec formally enables this feature, we could discuss implementation details here.