Request for Solution to Generate PERFECT BOM in Python Repositories Without Lock Files

[sanjayrajesh]

Hi,

I've been testing Cdxgen for Python and found that it generates accurate BOMs when a pipfile.lock or poetry.lock is present in the project.

In our product, we process various Python repositories to generate BOMs. However, when a lock file is not present, we attempt to run pipenv install on the requirements.txt file. Unfortunately, we encounter errors in some repositories, which leads to failures in generating the pipfile.lock. As a result, the BOM generation fails and returns an empty BOM.

Is there any way to generate a proper BOM (A perfect BOM without missing the Top-level dependencies and its transitive dependencies) in such cases where the build fails and no lock file is available?

Any guidance or potential solutions would be appreciated. Thanks!

[prabhu]

Example repos will help. cdxgen can also automatically create a virtual env and recover a good quality sbom including the dependency tree for projects without a lock file. There are also new python types such as python39, python310 etc, to specify the exact python version to try.

[sanjayrajesh]

Works fine with the ghcr.io/appthreat/cdxgen-python311:v10 image.

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/appthreat/cdxgen-python311:v10 -r /app -o /app/bom.json -t python

Although this repo failed https://github.com/sanjayrajesh/dvpwa.git in this unofficial python image.

[prabhu]

It is a never ending cycle of trying with various python versions and adding missing OS libraries to the container image.

[sanjayrajesh]

ok @prabhu, So where can I find the Dockerfile of these images.

[prabhu]

https://github.com/AppThreat/base-images

[sanjayrajesh]

@prabhu, I have one doubt. If a Python repo has requirements.txt, Pipfile and Pipfile.lock file, which one will be taken by Cdxgen to produce BOM? Will it consider all the 3 or just one?

What is the priority factor for these files? I am asking this because some times the Developers fail to update the Pipfile.lock after they add new packages in requirements.txt file. So these files will have different number of Packages.

[prabhu]

Language specific container images are now available under the CycloneDX org.