Feature Request: Include Python version in SBOM #597

Open
KramNamez opened this issue Oct 13, 2023 · 1 comment
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@KramNamez

As discussed in #393 (reply in thread) the specific version of Python that a piece of software is run with is an important part of its dependencies.

Therefore, although the Python version isn't usually bundled with a piece of software, it can be useful to know what version was used when the SBOM was generated - ideally, because that is the same version it is deployed with or was used to build the wheel.

For internal tools, it provides visibility into which Python versions are being used.

Limitations:
Especially if a tool isn't packaged but simply deployed, it can be used with any Python version that supports all the features it uses, and the SBOM cannot accurately reflect that. This could potentially be misleading.

@jkowalleck
Member

jkowalleck commented Oct 13, 2023

Adding external components, like a runtime, is not yet possible in CycloneDX.
Well, it is possible, but to an insufficient extent.

The CycloneDX specification team is aware that "external dependencies" are a thing.
We will be working to have this feature available in the spec.
See CycloneDX/specification#321.

After the spec is formally enabling this feature, we could discuss implementation details here.
