You can find the container associated with this release here.
All releases are published automatically on PyPI. You can install this one by running `pip install debsbom[download]`.
Improvements
- Always include the `package` field in the download result when using the `--json` option for the `download` command.
  It was optional before; now it is always present.
- Add a PURL field to the download result when using the `--json` option for the `download` command.
- Add the `--mtime` option for the `repack` and `source-merge` commands.
  This option sets a custom timestamp for the created tarballs. If it is not set, the timestamp of the most recent changelog entry is used, as before.
- Checksum matching is now done in a defined order when several checksums are available, with the strongest algorithms tried first.
- Improve handling of malformed apt-cache data.
- Improve error messages for malformed package lists.
- Add the `--skip-pkgs` option to the `download` command.
  This new option allows a selected set of packages to be skipped. This is useful if one does not want to leak private package names to the snapshot mirror.
- Add VCS information to the SBOM.
  Debian source packages may contain information about the VCS used and provide a link to it. This information is now included in the SBOM, as it can be useful for repository analysis and other purposes.
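The checksum-ordering change above deserves a concrete sketch. The following is an added illustration written for these notes, not debsbom's own code: given a downloaded payload and whatever digests the metadata advertises, it picks the strongest supported algorithm first, verifies the payload against it, and reports which algorithm was used so a caller can flag downloads that could only be checked with a legacy digest. The preference list `CHECKSUM_PREFERENCE`, the function names and the sample payload are all assumptions made for the example.

```python
import hashlib

# Strongest-first preference order. This is an illustrative order chosen for
# the example, not debsbom's own list; adjust it to the digests your metadata carries.
CHECKSUM_PREFERENCE = ("sha512", "sha256", "sha1", "md5")


def compute_checksums(data, algorithms=CHECKSUM_PREFERENCE):
    """Return {algorithm: hexdigest} for the given bytes (handy for building fixtures)."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algorithms}


def select_checksum(available):
    """Pick the strongest supported algorithm present in `available` ({algorithm: hexdigest}).

    Returns (algorithm, expected_hexdigest). Raises ValueError when none of the
    supported algorithms is present, so a download without a usable checksum is
    never silently accepted.
    """
    for algo in CHECKSUM_PREFERENCE:
        if algo in available:
            return algo, available[algo]
    raise ValueError("no supported checksum available: %r" % sorted(available))


def verify_download(data, available):
    """Verify `data` against the best available checksum.

    Returns (algorithm_used, matched). The algorithm is returned so the caller
    can log it and, for instance, warn when only a legacy digest (sha1/md5)
    was available for the comparison.
    """
    algo, expected = select_checksum(available)
    actual = hashlib.new(algo, data).hexdigest()
    # Normalise the advertised digest so case or whitespace differences in the
    # metadata do not produce spurious mismatches.
    return algo, actual == expected.strip().lower()


if __name__ == "__main__":
    # Constructed sample: a fake package payload with three advertised digests.
    payload = b"constructed package contents\n"
    advertised = compute_checksums(payload, ("md5", "sha1", "sha256"))
    print(verify_download(payload, advertised))          # ('sha256', True)
    print(verify_download(payload + b"x", advertised))   # ('sha256', False)
```

The point of returning the algorithm alongside the match result is that "verified" is only as meaningful as the digest it was verified with; a caller that sees `sha1` or `md5` come back can treat that download differently from one checked with `sha256`.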
Bug fixes
- Fix residual config packages being placed in SBOMs.
  Packages that are not properly installed showed up in the SBOM before; only their dependency resolution was disabled. They are now removed properly.
- Actually use the output directory specified by the `--output` option for the `source-merge` command.
- Fix incorrect application of patches for the `repack` command.
  When using the `--apply-patches` flag we previously always skipped the inclusion of the `.pc` directory, essentially ignoring the flag.
- Fix wrong inclusion of `orig.tar` tarballs for the `repack` command.
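The `--mtime` option for `repack` and `source-merge` described under Improvements exists because tarball bytes are only reproducible when every timestamp inside them is pinned. As an added illustration of that mechanism, not code from debsbom, the block below builds a tar archive in memory with a caller-chosen mtime on every member, shows that the same inputs yield identical bytes, and pins the gzip header timestamp as well, since a `.tar.gz` is otherwise stamped with the current time on each run. The function names and the sample files are assumptions made for the example.

```python
import gzip
import io
import tarfile


def build_tarball(files, mtime):
    """Build an uncompressed tar archive in memory with every entry's mtime fixed.

    `files` maps member name -> bytes. Members are added in sorted order with
    fixed ownership and mode so the same inputs always produce the same bytes.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime          # the caller-chosen timestamp, like --mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_bytes(data, mtime):
    """gzip `data` with a pinned header timestamp instead of the current time."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(data)
    return out.getvalue()


def entry_mtimes(tar_bytes):
    """Return {member name: mtime} for an uncompressed tar archive given as bytes."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return {m.name: m.mtime for m in tar.getmembers()}


if __name__ == "__main__":
    # Constructed sample source tree; 1700000000 stands in for a changelog date.
    sample = {"pkg/debian/control": b"Source: example\n", "pkg/main.c": b"int main(void){return 0;}\n"}
    first = gzip_bytes(build_tarball(sample, 1700000000), 1700000000)
    second = gzip_bytes(build_tarball(sample, 1700000000), 1700000000)
    print(first == second)   # True: byte-identical across runs
```

Both layers matter: pinning only the member timestamps leaves the gzip header varying between runs, and pinning only the gzip header leaves the members' mtimes varying, so a reproducible `.tar.gz` needs the timestamp applied in both places.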
Documentation
- Document many design decisions
- Use `relationship` instead of `relation` when describing Debian package relationships.
  This is the terminology used in the Debian documentation, so we stay consistent with it.