Description
Issue and related discussion copied from internal git instance
Now it might be possible to find CVEs in Python modules. Does such a third-party tool exist to do this? I suspect one way to do this is to manually create the SBOM when the Python packages are collected. Cooking that JSON document should not be too hard. Then you can retrieve it and run it through grype. Technically grype does not depend on an image. It only consumes an SBOM in the way we use it. It is syft that depends on an image, so that is the only component we need to replace. I would say this is doable and in scope.
Obviously we would attach the SBOM to the PyPI manifest.
We literally have the list of Python packages and their versions. So the SBOM is basically there, just in the wrong form and in the wrong place.
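As an added example of the "cook the JSON document" step (this is not code from the issue, nor from syft or grype), the script below turns a pinned package list into a minimal CycloneDX JSON SBOM that grype can read directly. It assumes the package list arrives in `pip freeze` / requirements form (`name==version`); the sample input is constructed. Package names are normalised per PEP 503 so the `pkg:pypi/...` purls match what grype's vulnerability matching expects, and unpinned or range specifiers are deliberately skipped, since an SBOM has to name the version actually installed rather than a constraint.

```python
"""Build a minimal CycloneDX JSON SBOM from a list of pinned Python packages.

Added example, not code from the issue or from the syft/grype projects.
Assumes the package list is in `pip freeze` form ("name==version").
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input, the shape `pip freeze` prints.
SAMPLE_FREEZE = """\
# comments and blank lines are ignored
requests==2.25.1
Pillow==8.0.0
PyYAML==5.3.1
pyjwt==1.7.1
"""

# Exact pins only; the version stops at whitespace, an environment marker (';') or a comment.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation; purl pkg:pypi names follow the same rule."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_freeze(text: str) -> list:
    """Return (name, version) pairs for every exact '==' pin in the text.

    Lines with '>=', '~=' or no version are skipped on purpose: grype matches on
    the concrete installed version, and a range would produce false results.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def to_cyclonedx(pairs, serial=None, timestamp=None) -> dict:
    """Build a CycloneDX 1.4 JSON document (as a dict) with one library component per pin."""
    components = []
    for name, version in pairs:
        norm = normalize_name(name)
        components.append({
            "type": "library",
            "name": norm,
            "version": version,
            "purl": f"pkg:pypi/{norm}@{version}",
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp
            or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        },
        "components": components,
    }


def write_sbom(pairs, path: str) -> None:
    """Serialise the SBOM so it can be scanned with: grype sbom:<path>"""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(to_cyclonedx(pairs), fh, indent=2)


if __name__ == "__main__":
    write_sbom(parse_freeze(SAMPLE_FREEZE), "sbom.cdx.json")
```

Feed the output straight to grype with `grype sbom:sbom.cdx.json`; no image and no syft run are involved, which is exactly the component split the issue describes. Whatever collects the packages in the real pipeline should emit `pip freeze` output (or an equivalent exact list) rather than the requirements file it started from, otherwise the SBOM records intent, not what was installed.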