Ignore the dependencies with latest version when they are generated with virtual environments. in python

[MohammedAziz02]

Hi, I runned cdxgen for a python project, using cdxgen -t python -o output.json --spec-version 1.4 --project-version 1.0.1, firstly what i noticed is that when i add the argument --project-version 1.0.1, the purl of the root component, become like 'pkg:application/[email protected]' which cause some problems of parsing when using others tool to parse this sbom to an object in java for example, it will be better if we modify that line of code line 260 in index.js to Pypi instead of application, also when using python virtual environment, i have also a problem, because i have the version of the root dependency as latest, which causes a problem in parsing, also it would be better if we add a condition to verify that the version is an expression of 3 numbers using regex, to avoid adding theses dependencies to the sbom, in that line line 8938 in utils.js

[MohammedAziz02]

@prabhu please it's urgent, can you please confirm if that logic seems correct or not?

[prabhu]

@MohammedAziz02 do you have any sample repo? metadata.component.type has to be a value from this enum. Have you tried generating an SBOM from within a virtualenv and with the option --lifecycle pre-build?

[MohammedAziz02]

@prabhu i tried to run the command on this repo : "dbt-oracle", in that line of the code line 260 in index.js the type is indeed Application, i'm talking about the purl, it should have pypi instead of application ( the generated parent purl in that case is "pkg:application/dbt-oracle@latest" only on the case we specify the --project-version as an argument), it should be modified as all the others. because all the others components have pypi as a type, and i think it's the right case.

[prabhu]

Doesn't sound like an easy fix, since that particular method is used everywhere. Could you find a way to improve the function parsePyProjectToml to make it return the version correctly for this project? We may need a separate function to parse setup.py too.

cdxgen/index.js

Line 2521 in 17b83f9

const tmpParentComponent = parsePyProjectToml(pyProjectFile);