How a package "dependencies" generated and added to SBOM?

[gillytron]

👋 Hello!

I am currently learning the concepts behind CycloneDX , how it works and how to work with cyclonedx-python library.

I've managed to create a SBOM file from the requirements.txt file (with pinned down versions using pip freeze), however, I'm struggling to understand how to make use of dependencies for my project's components, would it not be the case that whatever package dependencies a library has, it would be added to the SBOM under dependsOn?

For example, pandas depends on numpy, is it correct to assume that my SBOM should include the following under its dependencies?

"dependencies": [
        {
            "ref": "{PANDAS REF# }",
            "dependsOn": [ {PKG URL NUMPY }]
        }

thanks

[jkowalleck]

Your assumption is correct.

Producing the desired data structures is not an issue. see CycloneDX/cyclonedx-python-lib#7

Gathering the data sources is the problem.
A pure requirements.txt does not have this information present. Unlike poetry's lock file or pipenv's lock files, which have the dependencies and everything.

see also: #40

[gillytron]

Brill, thank you for the guidance. I'll have a look into pipenv

[cdreinecke]

@jkowalleck I have been using pipenv to generate the Pipfile.lock, but am not getting any libraries added to the "dependsOn" fields. Using the pipenv graph, I can see the dependencies are displaying as I expect.

Using pipenv, I installed pandas (and it's dependencies).
$ pipenv install pandas

From there, I ran cyclonedx-bom:
$ python -m cyclonedx_py --format json -o sbom.json -F -X -pip -i Pipfile.lock

In my resulting SBOM, every dependsOn field is [].

Is there something wrong with how I am generating the pip lock file or executing cyclonedx-python? Thank you very much for your assistance!

[jkowalleck]

the current version does not support dependency graphs.

the UPCOMING VERSION will have this feature.
Rewriting the Pipenv lockfile parser is an open task, feel free to contribute, to speed things up.