Merge pull request #245 from CycloneDX/feat/add-basic-license-support

Add license information in CycloneDX BOM when using Environment as the source
CycloneDX · Oct 19, 2021 · 26f2500 · 26f2500
2 parents 1e46b3d + 5d1f9a7
commit 26f2500
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@
 
 This project provides a runnable Python-based application for generating CycloneDX bill-of-material documents from either:
 1. Your current Python Environment
-2. Your project's manifest (e.g. `requirements.txt`)
+2. Your project's manifest (e.g. `Pipfile.lock`, `poetry.lock` or `requirements.txt`)
 
 The BOM will contain an aggregate of all your current project's dependencies, or those defined by the manifest you supply.
 
@@ -96,6 +96,9 @@ SBOM Output Configuration:
 This will produce the most accurate and complete CycloneDX BOM as it will include all transitive dependencies required
 by the packages defined in your project's manifest (think `requriements.txt`).
 
+When using _Environment_ as the source, any license information avaialble from the installed packages will also be 
+included in the generated CycloneDX BOM.
+
 Simply run:
 
 ```
@@ -108,6 +111,9 @@ in XML using the latest schema version `1.3` by default.
 
 ### Building CycloneDX from your Manifest
 
+_Note: Manifest scanning limits the amount of information available. Each manifest type contains different information
+but all are significantly less complete than scanning your actual Python Environment._
+
 #### Poetry
 
 We support parsing your `poetry.lock` file which should be committed along with your `pyrpoject.toml` and details

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -16,7 +16,7 @@ include = [
 
 [tool.poetry.dependencies]
 python = "^3.6"
-cyclonedx-python-lib = "^0.8.1"
+cyclonedx-python-lib = "^0.9.0"
 
 [tool.poetry.dev-dependencies]
 tox = "^3.24.3"