-
Thanks @potiuk for the detailed write up! Via cli we can pass `--lifecycle pre-build` to skip all pip install commands. Not sure if this is supported via the server mode yet though.
-
Ah, that's cool. I do not see it in the docs - https://cyclonedx.github.io/cdxgen/#/SERVER?id=server-arguments - any way to make it happen?
-
Currently when you pass Python requirements.txt to cdxgen it attempts to install the requirements to get all transitive dependencies. The `--no-install-deps` for server and `installDeps` for server only work apparently when you have a poetry.lock or pipenv.lock file. This is a good strategy, because you want to get all of the dependencies, but there are some cases where this is not needed, takes time and produces a "probable build errors" message. We are using cdxgen to generate airflow SBOM files (example results here https://airflow.apache.org/docs/apache-airflow/stable/sbom/) but airflow has 719 dependencies (!) and installing them requires a specific environment (a number of system libraries, build tools etc. might be needed). And what we are passing to cdxgen as `requirements.txt` is a complete list of ALL dependencies - including all transitive ones, because we use them as constraints and we get the list as a result of `pip freeze` after installing airflow in our CI environment. So there is absolutely no need to install those requirements.txt. Here you can see the constraints files (and we keep history of those in git): https://github.com/apache/airflow/tree/constraints-main
Currently when we attempt to run our requirements.txt the cdxgen image will attempt to install them and the build fails. When we try to run cdxgen in our CI image with all dependencies installed - it still attempts to install all of them (even if they are installed in the current python environment) and I never had enough patience to wait for it because it seems to install them one-by-one. And it takes extra time to generate those (still the generated SBOM is correct even if pip installation failed at some point in time).
Our requirements.txt contains all 719 or so dependencies pinned - and we know they are consistently installable (pass pip check) and those are ALL requirements.
Would it be possible to add an option to skip install also for requirements.txt?
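The point of the request above is that a `pip freeze`-style file already carries the full transitive closure, so an SBOM component list can be derived from it by parsing alone. The following is an added example (not cdxgen's code and not part of the discussion) that does exactly that: it accepts only exact `name==version` pins, normalises names per PEP 503, emits CycloneDX-style components with `pkg:pypi` purls, and reports any line that is not an exact pin so a pipeline can tell when the file is not really a complete constraints list. The sample requirements are constructed and the versions are illustrative only.

```python
"""Derive a CycloneDX-style component list from a fully pinned requirements.txt
without running pip install.  Added example, not cdxgen code."""
import json
import re

# Constructed sample of the kind of file `pip freeze` writes: every package,
# including transitive ones, pinned exactly.  One deliberately unpinned line
# is included to show how incomplete files are flagged.  Versions are illustrative.
SAMPLE_REQUIREMENTS = """\
# constructed sample, generated the way `pip freeze` would
apache-airflow==2.9.0
Flask==2.2.5
jinja2==3.1.3
MarkupSafe==2.1.5 ; python_version >= "3.8"
Werkzeug==2.2.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests>=2.0
"""

# Exact pin only: "name == version".  Ranges, URLs and editable installs do not match.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9._+!-]+)")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pinned_requirements(text: str):
    """Return (components, unpinned).

    components: one dict per exact pin, in file order.
    unpinned:   lines that are not exact pins; a non-empty list means the file
                is not a complete constraints list and a real install would be
                needed to resolve what it omits."""
    components, unpinned = [], []
    logical = text.replace("\\\n", " ")          # join backslash continuations
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        line = line.split(";", 1)[0]            # drop environment markers
        line = line.split("--hash", 1)[0].strip()  # drop hash options
        m = PIN_RE.match(line)
        if not m:
            unpinned.append(line)
            continue
        name, version = normalize_name(m.group(1)), m.group(2)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
        })
    return components, unpinned


def build_bom(text: str) -> dict:
    """Wrap the parsed components in a minimal CycloneDX JSON document."""
    components, _ = parse_pinned_requirements(text)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": components,
    }


if __name__ == "__main__":
    comps, unpinned = parse_pinned_requirements(SAMPLE_REQUIREMENTS)
    if unpinned:
        print("not a complete pin list, these lines need resolution:", unpinned)
    print(json.dumps(build_bom(SAMPLE_REQUIREMENTS), indent=2))
```

Run it as a script to see the BOM for the sample; on a real `pip freeze` output the `unpinned` list should be empty, which is the check that justifies skipping the install step at all.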