Developer Guide

Python virtual environment

The minimum supported version of Python is 3.10, as stated in the user guide.

We suggest creating a Python virtual environment to install the dependencies for development.

  • To create a Python virtual environment:

$ python3 -m venv .venv
  • Once it is created, you can activate it:

$ source .venv/bin/activate
  • pip version 25.1 or later is required to install the development tool dependencies (the pip install --group commands used below). If needed, update it:

(.venv) $ pip install --upgrade pip
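The two version requirements above (Python 3.10 or later, pip 25.1 or later) are easy to get wrong in a freshly created virtual environment, so a pre-flight check is useful before running the pip install --group commands. The script below is an added illustration written for this guide, not part of sbom-cve-check; the function and constant names are the author's own. Versions can be passed explicitly so the comparison logic can be exercised independently of the running interpreter.

```python
"""Pre-flight check for the two version requirements stated in this guide.

Added illustration, not part of sbom-cve-check: it checks that the interpreter
is at least Python 3.10, that pip is at least 25.1 (needed for the
`pip install --group ...` commands), and that a virtual environment is active.
"""
from __future__ import annotations

import sys
from importlib import metadata

MIN_PYTHON = (3, 10)  # minimum supported Python version, as stated in the user guide
MIN_PIP = (25, 1)     # pip release that understands `pip install --group`


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '25.1.2' or '3.10.0rc1' into a tuple of the leading integer parts.

    Only the numeric prefix of each dotted component is kept, so pre-release
    suffixes ('rc1', 'b2') do not break the comparison.
    """
    parts: list[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def meets_minimum(actual: tuple[int, ...], minimum: tuple[int, ...]) -> bool:
    """Tuple comparison: (3, 10, 0) >= (3, 10) and (25,) < (25, 1), as expected."""
    return actual >= minimum


def in_virtualenv() -> bool:
    """True when running inside a venv (sys.prefix differs from the base install)."""
    return sys.prefix != sys.base_prefix


def check_environment(python_version: str | None = None,
                      pip_version: str | None = None) -> list[str]:
    """Return a list of problems found; an empty list means the setup is ready.

    Versions default to the running interpreter and its installed pip; they can
    be passed explicitly to test the logic without a particular environment.
    """
    problems: list[str] = []

    py = tuple(sys.version_info[:3]) if python_version is None else parse_version(python_version)
    if not meets_minimum(py, MIN_PYTHON):
        problems.append(
            f"Python {'.'.join(map(str, py))} is older than the minimum "
            f"{'.'.join(map(str, MIN_PYTHON))}"
        )

    if pip_version is None:
        try:
            pip_version = metadata.version("pip")
        except metadata.PackageNotFoundError:
            problems.append("pip is not installed in this environment")
            return problems
    if not meets_minimum(parse_version(pip_version), MIN_PIP):
        problems.append(
            f"pip {pip_version} is older than {'.'.join(map(str, MIN_PIP))}; "
            "run: pip install --upgrade pip"
        )
    return problems


if __name__ == "__main__":
    issues = check_environment()
    if not in_virtualenv():
        issues.append("no virtual environment is active (run: source .venv/bin/activate)")
    for issue in issues:
        print("problem:", issue)
    print("ready" if not issues else f"{len(issues)} problem(s) found")
    sys.exit(1 if issues else 0)
```

Run it with the virtual environment activated; a non-zero exit status means at least one of the requirements is not met and the message says which one.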

Documentation generation

The documentation sources are in docs. To build them using Sphinx, run the following commands:

  • First create a Python virtual environment and update pip.

  • Install the dependencies to generate this documentation in your Python virtual env:

(.venv) $ cd sbom-cve-check
(.venv) $ pip install --group docs
  • You can now build the docs in HTML, from the docs directory:

(.venv) $ cd sbom-cve-check/docs
(.venv) $ make html
  • The generated documentation will be available under docs/_build/html/index.html.

The command below, executed from the docs directory, can be used to watch for file changes under the docs directory and rebuild the documentation automatically (it relies on the entr utility, which must be installed separately):

while sleep 1 ; do make clean; find . -name '*.md' | entr -d make html ; done

Tool installation for development

For normal use of the tool, it should be installed as described in the user guide.

As an alternative, it is possible to install only the dependencies and run the src/sbom-cve-check.py executable directly. For development purposes, however, it is highly recommended to “install” the tool using the --editable flag, so that changes in the source tree are picked up without reinstalling:

(.venv) $ pip install -e .

For development purposes, to “install” it with all optional dependencies, run (the argument is quoted so that the brackets are not interpreted as a shell glob pattern):

(.venv) $ pip install -e '.[extra]'

Linter and static analysis

First create a Python virtual environment, if not already done, and update pip.

Then, to install the tools, run:

(.venv) $ pip install --group lint

The static analysis may also require the project's own dependencies to be installed, for example using:

(.venv) $ pip install -e '.[extra]'
(.venv) $ pip install --group test

Ruff

This project uses the Ruff linter.

mypy

This project uses mypy for static type checking.

Tests

First create a Python virtual environment, if not already done, and update pip.

Then, if not already done, install the tool with all optional dependencies, for example:

(.venv) $ pip install -e '.[extra]'

Then, to install the test tools, run:

(.venv) $ pip install --group test

To execute the tests, run the following command from the tests directory:

pytest -v .

To execute the tests with coverage measurement (including the slow tests), run the following command from the tests directory:

pytest -v --run-slow --cov=sbom_cve_check --cov-config=../pyproject.toml .

Then, to generate the HTML report, execute:

coverage html

For test troubleshooting, it is possible to set the SBOM_CVE_CHECK_TEST_KEEP_TMP environment variable to 1: the temporary directories generated during the tests will then not be deleted, so their contents can be inspected after the run. Note: to use this environment variable, at least Python 3.12 is required.
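The following is an added example, written for this guide and not the project's own test code, showing how a test helper can honour the SBOM_CVE_CHECK_TEST_KEEP_TMP variable described above. The Python 3.12 requirement matches the delete= keyword of tempfile.TemporaryDirectory, which was introduced in that release; the example assumes that is the mechanism in use and adds a fallback for older interpreters so it also runs on 3.10. The helper names (keep_tmp_requested, scratch_dir, tmp_dir_survives) are the example's own.

```python
"""Illustration of the SBOM_CVE_CHECK_TEST_KEEP_TMP behaviour.

Added example, not the project's own test code: a temporary directory that is
removed after a test unless the variable is set to 1. On Python 3.12 and later
the `delete=` keyword of tempfile.TemporaryDirectory (new in 3.12) does the
work; older interpreters fall back to mkdtemp plus an explicit rmtree.
"""
from __future__ import annotations

import os
import shutil
import sys
import tempfile
from collections.abc import Iterator, Mapping
from contextlib import contextmanager
from pathlib import Path

KEEP_TMP_VAR = "SBOM_CVE_CHECK_TEST_KEEP_TMP"


def keep_tmp_requested(environ: Mapping[str, str] | None = None) -> bool:
    """True when the variable is set to exactly "1" (any other value means: delete)."""
    env = os.environ if environ is None else environ
    return env.get(KEEP_TMP_VAR, "").strip() == "1"


@contextmanager
def scratch_dir(keep: bool | None = None) -> Iterator[Path]:
    """Yield a fresh temporary directory; delete it on exit unless `keep` is true.

    `keep` defaults to the environment variable, so a test author only has to
    export SBOM_CVE_CHECK_TEST_KEEP_TMP=1 to inspect what a test left behind.
    """
    if keep is None:
        keep = keep_tmp_requested()
    prefix = "sbom-cve-check-test-"
    if sys.version_info >= (3, 12):
        # delete= exists only from Python 3.12 on; delete=False keeps the directory
        with tempfile.TemporaryDirectory(prefix=prefix, delete=not keep) as name:
            if keep:
                print(f"keeping temporary directory: {name}")
            yield Path(name)
    else:
        name = tempfile.mkdtemp(prefix=prefix)
        try:
            yield Path(name)
        finally:
            if keep:
                print(f"keeping temporary directory: {name}")
            else:
                shutil.rmtree(name, ignore_errors=True)


def tmp_dir_survives(keep: bool) -> bool:
    """Run a pretend test inside a scratch directory and report whether it survived.

    When the directory was kept, it is removed afterwards so that repeated calls
    do not accumulate leftovers.
    """
    with scratch_dir(keep=keep) as workdir:
        # constructed placeholder input, standing in for an SBOM a real test would write
        (workdir / "sbom.spdx.json").write_text("{}")
        saved = workdir
    survived = saved.exists()
    if survived:
        shutil.rmtree(saved, ignore_errors=True)
    return survived


if __name__ == "__main__":
    print("kept:", tmp_dir_survives(keep_tmp_requested()))
```

In a pytest suite the scratch_dir context manager would typically be wrapped in a fixture, with the kept directory's path printed so the developer can find it after the run.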

Roadmap & planned developments

The following features are intended to be developed in the medium term:

  • Add support for the Ubuntu CVE tracker repository

    • Automatically detect if a patch was backported

  • Add CycloneDX (CDX) SBOM support as input.

  • Add more export formats, for example OpenVEX.

The following features are intended to be developed in the very long term:

  • Allow generating an SBOM (CDX or SPDX 3.0) as output even when the SBOM given as input is in another format.