
Conversation

@sethmlarson (Contributor) commented Mar 6, 2025

Adds a new sbom-file option to the config where a CycloneDX SBOM will be generated for the vendored packages. Closes #64

This PR depends on #65

@pradyunsg (Owner)

Hmm... @sethmlarson Would you be interested in investigating how to make the CI green here?

@sethmlarson (Contributor, Author)

@pradyunsg Yep! I rebased on main and now the tests and pre-commit are passing. Please take a look :)

@sethmlarson (Contributor, Author)

@pradyunsg Alright this PR is green now, I had to upgrade the pre-commit action to v3.0.1 (which doesn't have any relevant breaking changes for this project).

@pradyunsg pradyunsg merged commit 1b3b115 into pradyunsg:main May 1, 2025
5 checks passed
@ogrisel commented May 12, 2025

@pradyunsg the scikit-learn project is considering using vendoring to generate SBOM metadata files for its vendored dependencies: scikit-learn/scikit-learn#31343

However, vendoring hasn't been officially released in years. I understand that it's primarily meant as a slow-moving maintenance utility for pip itself and not so much for other projects, and I guess that might explain why you don't feel the need to publish official releases.

Still, I am wondering if you plan to cut a new release at some point to include SBOM generation. Otherwise, I guess we (scikit-learn maintainers) can pip install a pinned commit hash instead.

@pradyunsg (Owner) commented May 12, 2025

I can cut a release soon -- not today though. It'll depend on when I find time in the coming days (I'm traveling for PyCon US, so idk what free time is gonna look like for me).

If I haven't done so by 20th, could I ask you to keep me honest and @-mention me here? 😅

@sethmlarson (Contributor, Author)

@pradyunsg I know we wanted to get to it at PyCon US, but giving you your requested ping 💜 Thanks for the merge!



Development

Successfully merging this pull request may close these issues.

Add support for generating an SBOM documents

3 participants