Generate SBOM during build/release process #3540

Open
ocelotl opened this issue Nov 21, 2023 · 3 comments · May be fixed by #3805

ocelotl commented Nov 21, 2023

As per this.

@ocelotl ocelotl self-assigned this Nov 21, 2023

ocelotl commented Nov 22, 2023

There are several SBOM formats.

Apparently, there has not yet been a decision made on which format we will be using.

I have found 2 tools that generate SBOM files, Syft and CycloneDX. The first one can generate an SBOM in several formats (including CycloneDX format) and the second one can generate an SBOM in CycloneDX format.

Both of them seem to require a definition of a virtual environment, either in a pipfile.lock or a poetry.lock or a requirements.txt or something similar. None of them seem capable yet of directly using a pyproject.toml file.

In order to use them I created an empty virtual environment, activated it, ran pip install opentelemetry-sdk, pip freeze > requirements.txt and then ran:

cyclonedx-py --format=json -r -i requirements.txt
syft packages --output=spdx-json=opentelemetry-sdk-syft.json requirements.txt
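
As an added example (not part of the original comment and not the project's own code): a check a release job could run on an SPDX JSON SBOM generated from `requirements.txt` as in the commands above, confirming that every pinned requirement appears in the SBOM with the same version and a matching purl. The sample inputs are constructed, and the function names are hypothetical.

```python
import json
import re


def normalize(name):
    """PEP 503 normalization: Deprecated == deprecated, a_b == a-b == a.b."""
    return re.sub(r"[-_.]+", "-", name).lower()


PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
PURL = re.compile(r"^pkg:pypi/([^@?#]+)@([^?#]+)")


def parse_requirements(text):
    """Return ({normalized name: version}, [lines that are not exact pins])."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        m = PIN.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
        else:
            # e.g. "-e git+...", "pkg @ file://...", "pkg>=1.0": no exact version
            unpinned.append(line)
    return pins, unpinned


def parse_spdx(doc):
    """Return {normalized name: {"version", "purl"}} from an SPDX 2.x JSON document."""
    out = {}
    for pkg in doc.get("packages", []):
        purl = next(
            (r.get("referenceLocator") for r in pkg.get("externalRefs", [])
             if r.get("referenceType") == "purl"),
            None,
        )
        out[normalize(pkg["name"])] = {"version": pkg.get("versionInfo"), "purl": purl}
    return out


def check_sbom(requirements_text, spdx_doc):
    """Compare the pins in requirements.txt against the SBOM's package list."""
    pins, unpinned = parse_requirements(requirements_text)
    sbom = parse_spdx(spdx_doc)
    findings = {"missing": [], "version_mismatch": [], "unexpected": [],
                "bad_purl": [], "unpinned": unpinned}
    for name, version in sorted(pins.items()):
        entry = sbom.get(name)
        if entry is None:
            findings["missing"].append(name)
        elif entry["version"] != version:
            findings["version_mismatch"].append((name, version, entry["version"]))
    for name, entry in sorted(sbom.items()):
        if name not in pins:
            findings["unexpected"].append(name)
        # The purl is what downstream scanners match on, so it must agree
        # with the package's own name and versionInfo.
        m = PURL.match(entry["purl"] or "")
        if not m or normalize(m.group(1)) != name or m.group(2) != entry["version"]:
            findings["bad_purl"].append(name)
    return findings


def _pkg(name, version, with_purl=True):
    """Build one constructed SPDX package record."""
    refs = [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": f"pkg:pypi/{name}@{version}"}] if with_purl else []
    return {"name": name, "versionInfo": version, "externalRefs": refs}


# Constructed sample inputs (not real tool output).
SAMPLE_REQUIREMENTS = """\
# constructed pip freeze output
Deprecated==1.2.14
importlib-metadata==6.8.0
opentelemetry-api==1.21.0
opentelemetry-sdk==1.21.0
typing_extensions==4.8.0
zipp @ file:///tmp/zipp-3.17.0-py3-none-any.whl
"""

SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        _pkg("Deprecated", "1.2.14"),
        _pkg("importlib-metadata", "6.8.0"),
        _pkg("opentelemetry-api", "1.20.0"),            # stale version
        _pkg("opentelemetry-sdk", "1.21.0", False),     # no purl reference
        _pkg("wrapt", "1.16.0"),                        # not in requirements
    ],
}

if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_REQUIREMENTS, SAMPLE_SPDX), indent=2))
```
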


ocelotl commented Nov 22, 2023

Here is the SBOM generated by syft in SPDX format:

{
 "spdxVersion": "SPDX-2.3",
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
 "name": "requirements.txt",
 "documentNamespace": "https://anchore.com/syft/file/requirements.txt-dcfbadbe-ed1c-43ed-a528-cd15ddecd2e2",
 "creationInfo": {
  "licenseListVersion": "3.22",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-0.97.1"
  ],
  "created": "2023-11-22T21:01:15Z"
 },
 "packages": [
  {
   "name": "Deprecated",
   "SPDXID": "SPDXRef-Package-python-Deprecated-b9349acfea423cc8",
   "versionInfo": "1.2.14",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-Deprecated:python-Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-Deprecated:python_Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_Deprecated:python-Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_Deprecated:python_Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:Deprecated:python-Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:Deprecated:python_Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-Deprecated:Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_Deprecated:Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:Deprecated:Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:Deprecated:1.2.14:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/Deprecated@1.2.14"
    }
   ]
  },
  {
   "name": "importlib-metadata",
   "SPDXID": "SPDXRef-Package-python-importlib-metadata-7c9061ffe414a833",
   "versionInfo": "6.8.0",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib-metadata:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib-metadata:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib_metadata:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib_metadata:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib-metadata:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib-metadata:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib_metadata:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib_metadata:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib-metadata:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib-metadata:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib_metadata:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib_metadata:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib-metadata:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib-metadata:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib_metadata:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib_metadata:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-importlib:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_importlib:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:importlib:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:importlib-metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:importlib_metadata:6.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/importlib-metadata@6.8.0"
    }
   ]
  },
  {
   "name": "opentelemetry-api",
   "SPDXID": "SPDXRef-Package-python-opentelemetry-api-8a1a0144584a645d",
   "versionInfo": "1.21.0",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-api:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-api:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_api:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_api:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-api:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-api:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_api:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_api:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-api:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-api:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_api:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_api:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-api:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-api:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_api:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_api:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:opentelemetry-api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:opentelemetry_api:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/opentelemetry-api@1.21.0"
    }
   ]
  },
  {
   "name": "opentelemetry-sdk",
   "SPDXID": "SPDXRef-Package-python-opentelemetry-sdk-df22b2101a1f74ab",
   "versionInfo": "1.21.0",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-sdk:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-sdk:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_sdk:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_sdk:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-sdk:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-sdk:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_sdk:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_sdk:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-sdk:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-sdk:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_sdk:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_sdk:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-sdk:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-sdk:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_sdk:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_sdk:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:opentelemetry-sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:opentelemetry_sdk:1.21.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/opentelemetry-sdk@1.21.0"
    }
   ]
  },
  {
   "name": "opentelemetry-semantic-conventions",
   "SPDXID": "SPDXRef-Package-python-opentelemetry-semantic-conventions-7e02f34adf49fa5d",
   "versionInfo": "0.42b0",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic-conventions:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic-conventions:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic_conventions:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic_conventions:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic-conventions:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic-conventions:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic_conventions:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic_conventions:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic-conventions:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic-conventions:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic_conventions:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic_conventions:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic-conventions:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic-conventions:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic_conventions:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic_conventions:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry-semantic:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry_semantic:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry-semantic:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry_semantic:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-opentelemetry:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_opentelemetry:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:opentelemetry:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:opentelemetry-semantic-conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:opentelemetry_semantic_conventions:0.42b0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/opentelemetry-semantic-conventions@0.42b0"
    }
   ]
  },
  {
   "name": "typing_extensions",
   "SPDXID": "SPDXRef-Package-python-typing-extensions-9976a931403afcc0",
   "versionInfo": "4.8.0",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing-extensions:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing-extensions:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing-extensions:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing_extensions:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing_extensions:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing_extensions:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing_extensions:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing_extensions:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing_extensions:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing-extensions:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing-extensions:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing_extensions:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing_extensions:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing_extensions:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing_extensions:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing-extensions:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing-extensions:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing-extensions:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing_extensions:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing_extensions:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing_extensions:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing-extensions:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing-extensions:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing_extensions:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing_extensions:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-typing:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_typing:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing:python-typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing:python-typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing:python_typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing:typing-extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:typing:typing_extensions:4.8.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/[email protected]"
    }
   ]
  },
  {
   "name": "wrapt",
   "SPDXID": "SPDXRef-Package-python-wrapt-5af9998eaf99d099",
   "versionInfo": "1.16.0",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-wrapt:python-wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-wrapt:python_wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_wrapt:python-wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_wrapt:python_wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-wrapt:wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_wrapt:wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:wrapt:python-wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:wrapt:python_wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:wrapt:wrapt:1.16.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/wrapt@1.16.0"
    }
   ]
  },
  {
   "name": "zipp",
   "SPDXID": "SPDXRef-Package-python-zipp-e115bd45a84dd182",
   "versionInfo": "3.17.0",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "sourceInfo": "acquired package info from installed python package manifest file: /requirements.txt",
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-zipp:python-zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-zipp:python_zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_zipp:python-zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_zipp:python_zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python-zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:python_zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python-zipp:zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python_zipp:zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:zipp:python-zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:zipp:python_zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:python:zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "SECURITY",
     "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:zipp:zipp:3.17.0:*:*:*:*:*:*:*"
    },
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:pypi/zipp@3.17.0"
    }
   ]
  },
  {
   "name": "requirements.txt",
   "SPDXID": "SPDXRef-DocumentRoot-File-requirements.txt",
   "versionInfo": "sha256:e2e7cc2e58dc0e8df2092ae5d18411b785473ab066d5ea65b28a30820515c45a",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "e2e7cc2e58dc0e8df2092ae5d18411b785473ab066d5ea65b28a30820515c45a"
    }
   ],
   "primaryPackagePurpose": "FILE"
  }
 ],
 "files": [
  {
   "fileName": "/requirements.txt",
   "SPDXID": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "copyrightText": ""
  }
 ],
 "relationships": [
  {
   "spdxElementId": "SPDXRef-Package-python-wrapt-5af9998eaf99d099",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-importlib-metadata-7c9061ffe414a833",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-opentelemetry-semantic-conventions-7e02f34adf49fa5d",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-opentelemetry-api-8a1a0144584a645d",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-typing-extensions-9976a931403afcc0",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-Deprecated-b9349acfea423cc8",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-opentelemetry-sdk-df22b2101a1f74ab",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-Package-python-zipp-e115bd45a84dd182",
   "relatedSpdxElement": "SPDXRef-File-requirements.txt-26ca2b7dc025d550",
   "relationshipType": "OTHER",
   "comment": "evident-by: indicates the package's existence is evident by the given file"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-Deprecated-b9349acfea423cc8",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-importlib-metadata-7c9061ffe414a833",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-opentelemetry-api-8a1a0144584a645d",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-opentelemetry-sdk-df22b2101a1f74ab",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-opentelemetry-semantic-conventions-7e02f34adf49fa5d",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-typing-extensions-9976a931403afcc0",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-wrapt-5af9998eaf99d099",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relatedSpdxElement": "SPDXRef-Package-python-zipp-e115bd45a84dd182",
   "relationshipType": "CONTAINS"
  },
  {
   "spdxElementId": "SPDXRef-DOCUMENT",
   "relatedSpdxElement": "SPDXRef-DocumentRoot-File-requirements.txt",
   "relationshipType": "DESCRIBES"
  }
 ]
}

@ocelotl
Contributor Author

ocelotl commented Nov 22, 2023

Here is the SBOM generated by cyclonedx-py in CycloneDX format:

{
    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:831d3437-c3aa-460b-a67c-ac55bba11480",
    "version": 1,
    "metadata": {
        "timestamp": "2023-11-22T20:54:32.344373+00:00",
        "tools": [
            {
                "vendor": "CycloneDX",
                "name": "cyclonedx-bom",
                "version": "3.11.7"
            },
            {
                "vendor": "CycloneDX",
                "name": "cyclonedx-python-lib",
                "version": "3.1.5",
                "externalReferences": [
                    {
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions",
                        "type": "build-system"
                    },
                    {
                        "url": "https://pypi.org/project/cyclonedx-python-lib/",
                        "type": "distribution"
                    },
                    {
                        "url": "https://cyclonedx.github.io/cyclonedx-python-lib/",
                        "type": "documentation"
                    },
                    {
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues",
                        "type": "issue-tracker"
                    },
                    {
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE",
                        "type": "license"
                    },
                    {
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md",
                        "type": "release-notes"
                    },
                    {
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib",
                        "type": "vcs"
                    },
                    {
                        "url": "https://cyclonedx.org",
                        "type": "website"
                    }
                ]
            }
        ]
    },
    "components": [
        {
            "type": "library",
            "bom-ref": "bb28016f-abf2-4f97-8d7b-af856e89c3c4",
            "name": "Deprecated",
            "version": "1.2.14",
            "purl": "pkg:pypi/[email protected]"
        },
        {
            "type": "library",
            "bom-ref": "938920c8-cb46-4645-a0a7-9a8753f37d36",
            "name": "importlib-metadata",
            "version": "6.8.0",
            "purl": "pkg:pypi/importlib-metadata@6.8.0"
        },
        {
            "type": "library",
            "bom-ref": "62690dfb-9008-42af-b2b6-c4991f86e7ec",
            "name": "opentelemetry-api",
            "version": "1.21.0",
            "purl": "pkg:pypi/opentelemetry-api@1.21.0"
        },
        {
            "type": "library",
            "bom-ref": "99d46d34-f490-454d-9078-d96aea854831",
            "name": "opentelemetry-sdk",
            "version": "1.21.0",
            "purl": "pkg:pypi/opentelemetry-sdk@1.21.0"
        },
        {
            "type": "library",
            "bom-ref": "82a89dcd-5c1d-4da2-a740-c8998f006af2",
            "name": "opentelemetry-semantic-conventions",
            "version": "0.42b0",
            "purl": "pkg:pypi/opentelemetry-semantic-conventions@0.42b0"
        },
        {
            "type": "library",
            "bom-ref": "a60afba2-52fc-43ac-ba68-82b39f0552ac",
            "name": "typing_extensions",
            "version": "4.8.0",
            "purl": "pkg:pypi/[email protected]"
        },
        {
            "type": "library",
            "bom-ref": "5755c15d-c3c4-4391-b027-06a09c8622a6",
            "name": "wrapt",
            "version": "1.16.0",
            "purl": "pkg:pypi/wrapt@1.16.0"
        },
        {
            "type": "library",
            "bom-ref": "24f3ceeb-3631-4170-85db-55e3ecca8097",
            "name": "zipp",
            "version": "3.17.0",
            "purl": "pkg:pypi/zipp@3.17.0"
        }
    ],
    "dependencies": [
        {
            "ref": "bb28016f-abf2-4f97-8d7b-af856e89c3c4",
            "dependsOn": []
        },
        {
            "ref": "938920c8-cb46-4645-a0a7-9a8753f37d36",
            "dependsOn": []
        },
        {
            "ref": "62690dfb-9008-42af-b2b6-c4991f86e7ec",
            "dependsOn": []
        },
        {
            "ref": "99d46d34-f490-454d-9078-d96aea854831",
            "dependsOn": []
        },
        {
            "ref": "82a89dcd-5c1d-4da2-a740-c8998f006af2",
            "dependsOn": []
        },
        {
            "ref": "a60afba2-52fc-43ac-ba68-82b39f0552ac",
            "dependsOn": []
        },
        {
            "ref": "5755c15d-c3c4-4391-b027-06a09c8622a6",
            "dependsOn": []
        },
        {
            "ref": "24f3ceeb-3631-4170-85db-55e3ecca8097",
            "dependsOn": []
        }
    ]
}
