| 1 | +# python_sbom: generate a software bill of materials |
| 2 | + |
| 3 | +Generate a software bill of materials for your Python project in SPDX. |
| 4 | +No hassle, no fancy features, just get the job done. |
| 5 | + |
| 6 | +## Installation |
| 7 | + |
| 8 | +At the moment, python_sbom is not in PyPI, which means you'll have to |
| 9 | +install it via pip manually. Compounding this, it uses an enhanced |
| 10 | +version of spdx-tools, which you'll need to also install manually. In |
| 11 | +the future, we hope to get both problems fixed. |
| 12 | + |
| 13 | +Until then, use pip to get what you need: |
| 14 | + |
| 15 | + pip install git+https://github.com/licquia/tools-python.git@unified#egg=spdx-tools |
| 16 | + pip install git+https://github.com/licquia/python_sbom.git#egg=python_sbom |
| 17 | + |
| 18 | +Do this in your build environment, using your build tool of choice |
| 19 | +and/or your virtualenv of choice. If you're using an advanced build |
| 20 | +tool, you could add those two repositories as development |
| 21 | +dependencies, to guarantee they're installed every time. |
| 22 | + |
| 23 | +Long-term, we're hoping you can just run this to install: |
| 24 | + |
| 25 | + pip install python_sbom |
| 26 | + |
| 27 | +## Simple Usage |
| 28 | + |
| 29 | +Then, simply run the tool: |
| 30 | + |
| 31 | + python_sbom [name of your project] > sbom.spdx |
| 32 | + |
| 33 | +## API |
| 34 | + |
| 35 | +If you'd prefer, you can generate your SBOM in Python, and do other |
| 36 | +interesting things to it. To do this, follow the installation |
| 37 | +instructions above, then do something like this: |
| 38 | + |
| 39 | + import python_sbom |
| 40 | + spdx_output = python_sbom.generate(my_project_name) |
| 41 | + |
| 42 | +## Limitations |
| 43 | + |
| 44 | +This being an early version of the tool, there are a few details yet |
| 45 | +to be handled the best way: |
| 46 | + |
| 47 | +* We don't auto-detect your project name from your source directory. |
| 48 | +* Also, if you're running this on a build from a source directory |
| 49 | + (such as in a CI system), we can't pick up on your project's |
| 50 | + information unless the project is itself installed into your |
| 51 | + execution environment. If you run an install step, this likely |
| 52 | + won't be a problem, but if not, you'll want to install the project |
| 53 | + into your environment in "editable mode", which makes the metadata |
| 54 | + for your project available in the environment itself. Different |
| 55 | + build tools support doing this in different ways. |
| 56 | + |
| 57 | +## License |
| 58 | + |
| 59 | +* Free software: Apache Software License 2.0 |
| 60 | + |
| 61 | +Credits |
| 62 | +------- |
| 63 | + |
| 64 | +This package was created with Cookiecutter_ and the `audreyr/cookiecutter-pypackage`_ project template. |
| 65 | + |
| 66 | +.. _Cookiecutter: https://github.com/audreyr/cookiecutter |
| 67 | +.. _`audreyr/cookiecutter-pypackage`: https://github.com/audreyr/cookiecutter-pypackage |
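Review bot: the two install commands at lines 15-16 fetch from mutable git refs (the `unified` branch of the spdx-tools fork and the default branch of python_sbom) with no commit pin, so each fresh build environment resolves to whatever those refs point at on that day; for a tool whose output is itself a supply-chain record, that is worth tightening before recommending it as a CI dependency. Suggest pinning both URLs to a commit, e.g. `pip install git+https://github.com/licquia/tools-python.git@<commit-sha>#egg=spdx-tools`, and adding one sentence on what the forked spdx-tools changes so readers know why upstream is not sufficient. Smaller points in the same hunk: the API example `spdx_output = python_sbom.generate(my_project_name)` uses an undefined name where a string literal such as `"my_project"` would make it copy-pastable, and the text does not say what `generate` returns or in which SPDX serialization; the Limitations bullet on "editable mode" could name the concrete step (`pip install -e .`) since that is what exposes the project metadata to the tool; and the Credits section at the end is still reStructuredText (`-------` underline, `.. _Cookiecutter:` link targets) inside a Markdown file, so those two links will not render as links.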