Seth Michael Larson
@layday Thanks for reporting this, we'll update and get a new version published.
@davisagli You read my mind! ✨
Noting here that we're running into the same problem for projects like CPython, there is no ecosystem value for OSV that matches PURL's "generic" ecosystem.
@oliverchang Thanks for the suggestions! I believe https://github.com/ossf/osv-schema/issues/94#issuecomment-1486192372 would work for CPython's use-case if I'm reading it correctly, essentially omitting the `affected.package` key altogether and using only `ranges` and `versions`...
jenkins test this please
Sorry @Kludex, I don't have any access to the `h11` project on PyPI. Only @njsmith and @pgjones would be able to help here. If either of those two are interested...
The `--dry-run`, `--ignore-installed`, and `--report` flags would be super useful for hooking into pip's resolving logic to generate an SBOM given a `requirements.txt` or some other series of requirements without...
I'm talking about a [file like this one](https://github.com/python/release-tools/blob/master/requirements.txt), I discovered this while using `--only-binary=:all:` for python/release-tools: ``` # # This file is autogenerated by pip-compile with Python 3.10 # by...
@webknjaz I've created a PR with a fix that also illustrates the problem: https://github.com/jazzband/pip-tools/pull/2082