
SBOM/RMetadata support for pypi feed type
  • We are investigating the use of SBOM with our proget instance, and we have many projects that use python. Upon successfully uploading an SBOM associated with a project/build, we do get all the packages listed, with vulnerability information populated, and hyperlinks for vulnerability information work as expected. However, license information is missing and the package hyperlink appears to be broken (resolves to an error page on our proget instance). I have confirmed the packages exist within the feeds; I have also tried different packages and a small reproducible, and both have the same issue.

    • syft (version v1.36.0) generated (aiofiles version 25.1.0): /packages/from-purl?pUrl=pkg%3Apypi%2Faiofiles%4025.1.0
    • pgutil (version v2.2.9) generated (tzdata version 2025.1): /packages/from-purl?pUrl=pkg%3Apypi%2Ftzdata%402025.1

    I presume the hyperlink/pURL not working is the cause of the license information not being populated?

    Running the analyze command on a build version produces the following output:

    No Remote Metadata Provider was found for "pkg:pypi/aiofile@3.11.1"
    Analyzing compliance for aiofile 3.11.1...
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    The package is not cached or local to any feed; without package metadata, license detection is limited.
    No licenses detected on package; applying undectableLicense rule (Warn)
    License rule analysis complete.
    Policy "Global" considers aged packages (3 years) Warn
    The package is not cached or local to any feed; cannot determine Publish Date.
    Policy "Global" considers recently published (7 days) Compliant
    The package is not cached or local to any feed; cannot determine Publish Date.
    Analysis resulted in a Warn result.
    aiofile 3.11.1 is Warn Publish Date (Recent, Aged) is unknown; No license detected
    Creating issues for build...
    0 issues found.

    We also tried manually including the license information in the SBOM and uploading it, this also didn't appear to fix the license field being "unknown".

    We also tried enabling the OSS metadata updating & caching for pypi.org; the error message did change, but it still results in a message stating that pypi has no support for remote metadata.

    Relevant versions:

    • SBOM format was CycloneDX version 1.6
    • proget version 2025.26 (Build 11)
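As an added example (not part of the poster's report and not ProGet's own code), the following Python walks a small constructed CycloneDX 1.6 SBOM, parses each component's pURL, builds the same percent-encoded from-purl lookup path quoted above, and lists components that declare no license, which is the first thing to check before concluding the feed lookup is at fault. The SBOM content, the lookup-path format and the pypi name normalisation (lower-case, underscore to dash, per the purl spec) are assumptions taken from the post and the spec.

```python
import json
from urllib.parse import quote

# Constructed minimal CycloneDX 1.6 SBOM (not the poster's file); the pURLs mirror
# the two quoted in the post, one component with a license and one without.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "aiofiles", "version": "25.1.0",
     "purl": "pkg:pypi/aiofiles@25.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "tzdata", "version": "2025.1",
     "purl": "pkg:pypi/tzdata@2025.1"}
  ]
}"""

def parse_purl(purl):
    """Split 'pkg:type/name@version' into parts; qualifiers and subpath are dropped."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a pURL: {purl}")
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    if ptype == "pypi":  # purl spec: pypi names are lower-case with '_' -> '-'
        name = name.lower().replace("_", "-")
    return {"type": ptype, "name": name, "version": version}

def from_purl_link(purl):
    """Build the percent-encoded lookup path seen in the post (assumed format)."""
    return "/packages/from-purl?pUrl=" + quote(purl, safe="")

def component_licenses(component):
    """Collect SPDX ids, names or expressions from a CycloneDX 'licenses' list."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        value = lic.get("id") or lic.get("name") or entry.get("expression")
        if value:
            found.append(value)
    return found

def audit_sbom(text):
    """One row per component: pURL parts, lookup link and any licenses declared."""
    rows = []
    for comp in json.loads(text).get("components", []):
        purl, lics = comp["purl"], component_licenses(comp)
        rows.append({**parse_purl(purl), "purl": purl, "link": from_purl_link(purl),
                     "licenses": lics, "missing_license": not lics})
    return rows
```

Running `audit_sbom(SBOM_JSON)` shows which components arrive with no license in the SBOM itself, so a blank license field can be traced to the document rather than to the feed lookup.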
