Skip to content

Refactor/optional SBOM dependencies #134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Refactor/optional SBOM dependencies #134

wants to merge 3 commits into from

Conversation

@tamilari
Copy link
Contributor

@tamilari tamilari commented Nov 28, 2025

Previously, both libraries were always required, even if a user only intended to use one format, which would lead to errors if the unused dependency was missing. Now, users only need to install the specific dependency for the SBOM format they wish to use. This also means that missing dependency errors are now more precise, occurring only when a user tries to execute a command for a format whose required library is not installed.
This update may simplify packaging efforts for distributions like Debian, as debsbom can now be packaged with just python3-cyclonedx-lib even if a spdx-tools package is not yet available.

@tamilari tamilari force-pushed the refactor/optional-sbom-dependencies branch from 93a25ae to 1f491c5 Compare November 28, 2025 10:18
@Urist-McGit
Copy link
Collaborator

Urist-McGit commented Nov 28, 2025

Nit: 2cba7a1 is not really a fix. It worked as intended before and is just a style issue since we take the reexport instead of the direct one. So I would suggest to change it to chore(export) and remove the fixes tag

@tamilari
chore(export): correct GraphExporter import
af9d375 
Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
feat: make cdx and spdx dependencies optional
75e4e23 
Previously, both libraries were always required, even if a user only
intended to use one format, which would lead to errors if the unused
dependency was missing. Now, users only need to install the specific
dependency for the SBOM format they wish to use. This also means that
missing dependency errors are now more precise, occurring only when a
user tries to execute a command for a format whose required library is
not installed.
This update may simplify packaging efforts for
distributions like Debian, as `debsbom` can now be packaged with just
`python3-cyclonedx-lib` even if a `spdx-tools` package is not yet
available.

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
docs(starting): fix venv installation instruction
b890fe4 
Signed-off-by: Tamino Larisch <[email protected]>
@tamilari tamilari force-pushed the refactor/optional-sbom-dependencies branch from 1f491c5 to b890fe4 Compare November 28, 2025 10:59
@tamilari
Copy link
Contributor Author

tamilari commented Nov 28, 2025

Nit: 2cba7a1 is not really a fix. It worked as intended before and is just a style issue since we take the reexport instead of the direct one. So I would suggest to change it to chore(export) and remove the fixes tag

With the new changes, it wouldn't work like this. But yes, I agree, before it was just a style issue. Changed it 👍

@tamilari tamilari mentioned this pull request Nov 28, 2025
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tamilari @Urist-McGit