I'm maintaining a Python library and considering whether I should generate a Software Bill of Materials (SBOM) for it. However, my pyproject.toml defines dependencies using bounded version ranges (e.g., >=1.0, <=2.0), meaning that the exact versions used can vary depending on the environment.
My main questions are:
Is it necessary to generate an SBOM for a library when dependencies are defined with version ranges instead of exact versions?
How should I generate the SBOM? Should it be generated without resolving exact versions (only listing direct dependencies as specified in pyproject.toml)? Or should it include resolved exact versions along with transitive dependencies?
This is currently an open topic; see https://github.com/CycloneDX/specification/issues/321 and https://github.com/CycloneDX/specification/pull/586.
So, the short answer is to skip those for now (since there is no good mechanism to get this right) and mention this as a limitation in the documentation, but keep an eye on the above issues and revisit this once the CycloneDX 1.7 spec is in.