Feat: option to use an alternative python environment #475

Closed
jkowalleck opened this issue Dec 22, 2022 · 5 comments · Fixed by #610
@jkowalleck
Member

jkowalleck commented Dec 22, 2022

Caused by #435 (comment)


Problem

Current implementation of the EnvironmentParser does analysis on the python environment of the runtime of this very tool.
There is no option to analyze a different python environment.

Example use case A:

It is a common use case to globally install tools via pipenv, which creates a python environment dedicated to the tool. In such a case, the cyclonedx-py -e would see the env of pipx, which might not be the desired one.

Solution

  • CLI
    • has a new option --env
      • accepts a path-like string
      • must occur only once
      • defaults to None
      • example values
        • ~/projects/foo/.venv/
        • ~/.local/share/virtualenvs/bar-SmGtsZ09
  • Implementation
    • CycloneDxCmd
      • whatever is needed. to be discussed
    • EnvironmentParser
      • whatever is needed. to be discussed
  • Docs (README.md and ./docs/**)
    • describe global installation via pipx
    • describe usage when installed via pipx
  • Tests
    • ship an independent/complete venv or something, and check for correct detection of expected findings and no additional findings.
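
The behaviour requested above (inventory a different environment than the one the tool runs in) can be sketched with the standard library's importlib.metadata. This is an added example, not cyclonedx-py's EnvironmentParser and not code from the linked pull requests; the helper names and the sample venv containing a package "foo" are constructed for illustration.

```python
import tempfile
from importlib.metadata import distributions
from pathlib import Path


def find_site_packages(env_root: Path) -> list[str]:
    """Locate site-packages of a venv (POSIX and Windows layouts)."""
    candidates = list(env_root.glob("lib/python*/site-packages"))
    candidates.append(env_root / "Lib" / "site-packages")
    return [str(p) for p in candidates if p.is_dir()]


def list_env_components(env_root: Path) -> dict[str, dict]:
    """Name, version and license of each distribution installed in env_root.

    Only that environment's metadata files are read; the interpreter running
    this script (and its own packages) is never consulted.
    """
    search = find_site_packages(env_root)
    if not search:
        # Fail closed: a wrong path must not turn into an empty inventory.
        raise ValueError(f"no site-packages found under {env_root}")
    found = {}
    for dist in distributions(path=search):
        meta = dist.metadata
        found[meta["Name"]] = {"version": dist.version,
                               "license": meta.get("License")}
    return found


def build_sample_env(root: Path) -> Path:
    """Constructed stand-in for a target venv holding one distribution."""
    info = root / "lib" / "python3.11" / "site-packages" / "foo-1.2.3.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        "Metadata-Version: 2.1\nName: foo\nVersion: 1.2.3\nLicense: MIT\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = list_env_components(build_sample_env(Path(tmp)))
    runtime = {d.metadata["Name"] for d in distributions()}
    print("target env :", target)
    print("runtime env:", len(runtime), "distributions (not part of the target)")
```

Raising on a path without site-packages matters for SBOM use: a mistyped environment path would otherwise yield an empty component list that looks like a clean result.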
@Kwintenvdb

Hi - was wondering if this feature is anywhere on the roadmap. We are trying to use this tool to generate an SBOM for our Python environment (since using the environment-based approach is the only way to include license information in the SBOM), and this issue is a bit of a blocker for us, since we do not want to include this tool and its dependencies in the SBOM we publish.

@jkowalleck
Member Author

jkowalleck commented Apr 6, 2023

It is labeled "help wanted" - meaning: it is not a core feature on the current roadmap, and we are open for pull requests and discussions.
Feel free to contribute this feature, if this is a blocker for you. ;-)

@jkowalleck
Member Author

shall be implemented via #627

@jkowalleck jkowalleck self-assigned this Dec 17, 2023
@jkowalleck jkowalleck linked a pull request Dec 22, 2023 that will close this issue
@jkowalleck jkowalleck removed the help wanted Extra attention is needed label Dec 22, 2023
@jkowalleck
Member Author

fixed by #605

@jkowalleck
Member Author

This feature will be part of the next/upcoming major release.
Changelog: see #605
Install via: pip install cyclonedx-bom==4.0.0rc1
