Add an SBOM command-line generator tool.
This patch adds the sbom_generator utility, which examines a Python project and outputs an SPDX SBOM to standard output.
Fixes #171.
Signed-off-by: Jeff Licquia [email protected]
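As an added illustration of what a utility like the one described above does (example code written for this page, not the PR's sbom_generator and not spdx-tools' own code): enumerate the distributions installed in the current Python environment via importlib.metadata, falling back to the importlib_metadata backport for Python 3.7 and earlier, then emit an SPDX 2.2 tag-value document. The tool name, the document namespace and the pkg:pypi purl ExternalRef are assumptions chosen here; the field names and ordering follow the SPDX 2.2 tag-value format. Each package is recorded with FilesAnalyzed: false because no file-level hashing is done, and NOASSERTION for the license and download fields the metadata does not reliably provide.

```python
"""Minimal SPDX 2.2 tag-value SBOM for the Python environment this script runs in."""
import re
import sys
import uuid
from datetime import datetime, timezone

# importlib.metadata is in the standard library from Python 3.8; the
# importlib_metadata backport covers 3.7 and earlier.
try:
    from importlib import metadata as importlib_metadata
except ImportError:  # pragma: no cover
    import importlib_metadata

TOOL_NAME = "example-sbom-generator"  # hypothetical tool name, not the PR's utility


def normalize_name(name):
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def purl_name(name):
    """purl rule for the pypi type: lowercase and replace '_' with '-'."""
    return name.lower().replace("_", "-")


def spdx_id_for(name):
    """SPDX identifiers may only contain letters, digits, '.' and '-'."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", normalize_name(name))


def installed_packages():
    """Return sorted, de-duplicated (name, version) pairs for the active environment.

    distributions() can yield the same project more than once when it appears
    on several sys.path entries, so the first hit per normalized name wins.
    """
    seen = {}
    for dist in importlib_metadata.distributions():
        name = dist.metadata["Name"]
        if not name:
            continue
        seen.setdefault(normalize_name(name), (name, dist.version or "UNKNOWN"))
    return sorted(seen.values(), key=lambda nv: normalize_name(nv[0]))


def render_spdx(document_name, packages, created=None, namespace=None):
    """Render an SPDX 2.2 tag-value document that DESCRIBES every entry in `packages`."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Namespace must be a unique URI; example.invalid is a reserved, non-resolving host.
    namespace = namespace or "https://example.invalid/spdxdocs/%s-%s" % (document_name, uuid.uuid4())
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        "DocumentName: %s" % document_name,
        "DocumentNamespace: %s" % namespace,
        "Creator: Tool: %s" % TOOL_NAME,
        "Created: %s" % created,
        "",
    ]
    for name, version in packages:
        pkg_id = spdx_id_for(name)
        lines += [
            "PackageName: %s" % name,
            "SPDXID: %s" % pkg_id,
            "PackageVersion: %s" % version,
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: false",  # no per-file hashes, so no PackageVerificationCode
            "PackageLicenseConcluded: NOASSERTION",
            "PackageLicenseDeclared: NOASSERTION",
            "PackageCopyrightText: NOASSERTION",
            # The purl lets vulnerability scanners match this package unambiguously.
            "ExternalRef: PACKAGE-MANAGER purl pkg:pypi/%s@%s" % (purl_name(name), version),
            "",
            "Relationship: SPDXRef-DOCUMENT DESCRIBES %s" % pkg_id,
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python this_script.py > sbom.spdx
    sys.stdout.write(render_spdx("python-environment", installed_packages()))
```

Run inside the virtualenv you want described; the document lists whatever importlib.metadata can see, which is the environment's installed set rather than a project's declared requirements, so pin the environment first if the SBOM is meant to describe a release.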
Addressing feedback from the previous PR (#170):
- I've improved the docs to be in line with the other CLI tools. It doesn't appear any of the tools have tests, which I agree we should have.
- I've also added a note to the docs describing the importlib_metadata dependency; it is only needed for Python 3.7 or earlier.
I'll leave the question of whether we need this as a CLI tool for others to discuss; suffice it to say that there is demand for this kind of tool.
No network calls were introduced into the library, just the command-line utility. If this is a sticking point for the project, I could add a bracket option that could drop the command-line tools, as I expect folks who are that concerned about spurious command-line tools may well want the others dropped as well.
As I mentioned in my PR, the new utility has the exact same number of tests as the other utilities that are included. I hope to submit a PR for better tests for all the command-line utilities at some point.
As for moving to examples: the whole point of this PR is to make it possible for people to generate SBOMs for Python projects easily. Making the SBOM tool impossible to run without post-install manipulation does not meet the goal. Basically, we need to be able to do:
pip install spdx-tools
make_an_sbom_for_my_project
(whatever that latter command looks like). If you have a better idea for making that possible, I'm all ears.
Hey, I am not sure if we would want to have that within the tools. I would assume that we should focus on the library first. Especially since that is in the meantime solved by https://github.com/nexB/python-inspector