
feat: mark SBOM from requirements as "incomplete" #898

@jkowalleck

Description


Is your feature request related to a problem? Please describe.

When generating an SBOM from a requirements.txt, it is currently not planned to pull transitive dependencies.
Therefore, the SBOM might be incomplete.
This shall be stated via CycloneDX composition.

Describe the solution you'd like

When generating an SBOM from a requirements.txt,
for the root component: the dependency composition completeness is set to "incomplete_first_party_only" - see https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf page 59

also: add a CLI flag to set this value according to spec - https://cyclonedx.org/docs/1.6/json/#compositions_items_aggregate

Describe alternatives you've considered

/

Additional context

/

Contribution

  • I am willing to provide an implementation
  • I will wait until somebody else implements it
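The following is an added example, not code from the cyclonedx-python project or from the issue author. It shows what the requested behaviour looks like on the wire: a CycloneDX 1.6 JSON document built from a pinned requirements.txt whose `compositions` entry states `incomplete_first_party_only` for the root component's dependency graph, plus a consumer-side check that reads that claim back so a downstream tool does not treat the SBOM as a full transitive inventory. It uses only the standard library and plain dicts rather than cyclonedx-python-lib; the bom-ref scheme (purl for libraries, `name@version` for the root) and the `build_bom`/`root_dependency_completeness` function names are assumptions. The set of allowed `aggregate` values is the one listed in the 1.6 schema linked above.

```python
"""Build a CycloneDX 1.6 JSON SBOM from a requirements.txt and mark its
dependency composition as incomplete, then read the completeness claim back.
Added example; assumes a plain-dict JSON model, not cyclonedx-python-lib."""
import json
from typing import Dict, List, Optional, Tuple

# Allowed values for compositions[].aggregate in the CycloneDX 1.6 JSON schema.
VALID_AGGREGATES = {
    "complete", "incomplete", "incomplete_first_party_only",
    "incomplete_first_party_proprietary_only",
    "incomplete_first_party_opensource_only",
    "incomplete_third_party_only",
    "incomplete_third_party_proprietary_only",
    "incomplete_third_party_opensource_only",
    "unknown", "not_specified",
}

# Constructed sample input: only direct, pinned dependencies, no transitive closure.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
requests==2.31.0
urllib3==2.2.1   # pinned here, but its own dependencies are not listed
"""


def parse_requirements(text: str) -> List[Tuple[str, Optional[str]]]:
    """Minimal requirements.txt reader: returns (name, version) pairs.
    Handles comments and blank lines; a line without '==' yields version None."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = (part.strip() for part in line.split("==", 1))
        else:
            name, version = line, None
        entries.append((name, version))
    return entries


def build_bom(root_name: str, root_version: str, requirements_text: str,
              aggregate: str = "incomplete_first_party_only") -> Dict:
    """Return a CycloneDX 1.6 BOM dict whose compositions entry states
    `aggregate` for the root component's dependency graph."""
    if aggregate not in VALID_AGGREGATES:
        raise ValueError(f"not a CycloneDX 1.6 aggregate value: {aggregate!r}")
    root_ref = f"{root_name}@{root_version}"  # assumed bom-ref scheme for the root
    components, dep_refs = [], []
    for name, version in parse_requirements(requirements_text):
        # Assumed scheme: the purl doubles as the bom-ref for each library.
        ref = f"pkg:pypi/{name}@{version}" if version else f"pkg:pypi/{name}"
        comp = {"type": "library", "bom-ref": ref, "name": name, "purl": ref}
        if version:
            comp["version"] = version
        components.append(comp)
        dep_refs.append(ref)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                   "name": root_name, "version": root_version}},
        "components": components,
        # Only first-party edges are known; transitive edges are absent by design.
        "dependencies": [{"ref": root_ref, "dependsOn": dep_refs}]
                        + [{"ref": r} for r in dep_refs],
        # The completeness claim consumers should read before trusting the graph.
        "compositions": [{"aggregate": aggregate, "dependencies": [root_ref]}],
    }


def root_dependency_completeness(bom: Dict) -> Optional[str]:
    """Return the aggregate claimed for the root component's dependency graph,
    or None when the BOM makes no such statement (treat None as unknown)."""
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if not root_ref:
        return None
    for comp in bom.get("compositions", []):
        if root_ref in comp.get("dependencies", []):
            return comp.get("aggregate")
    return None


def is_claimed_complete(bom: Dict) -> bool:
    """True only if the producer explicitly claims a complete dependency graph."""
    return root_dependency_completeness(bom) == "complete"


if __name__ == "__main__":
    sbom = build_bom("my-app", "1.0.0", SAMPLE_REQUIREMENTS)
    print(json.dumps(sbom, indent=2))
    print("root dependency completeness:", root_dependency_completeness(sbom))
```

A consumer that only checks `components` would see two libraries and nothing more; reading `compositions` first makes it clear that the graph under the root is a first-party-only view, which matters when the SBOM feeds vulnerability matching or license review.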
