feat: support PDM ecosystem #604

Closed
1 task done
rios0rios0 opened this issue Oct 24, 2023 · 7 comments
Labels
enhancement New feature or request help wanted Extra attention is needed source: pdm

Comments

@rios0rios0

rios0rios0 commented Oct 24, 2023

Description

Here we'd like to add PDM support for generating the BOM file.

Requirements

TODO:

  • Describe the problem you are trying to solve.
  • What is the motivation? What is the expected outcome?
  • What are acceptance criteria?
  • What are edge cases?
  • How to test?
@rios0rios0
Author

rios0rios0 commented Oct 24, 2023

@k4yt3x @fnk0c

rios0rios0 changed the title from "feat(pdm): added the PDM support for generating the BOM file" to "feat: added the PDM support for generating the SBOM file" (Oct 24, 2023)
rios0rios0 changed the title from "feat: added the PDM support for generating the SBOM file" to "feat: should add the PDM support for generating the SBOM file" (Oct 24, 2023)
rios0rios0 changed the title from "feat: should add the PDM support for generating the SBOM file" to "feat: should add PDM support for generating the SBOM file" (Oct 24, 2023)
jkowalleck changed the title from "feat: should add PDM support for generating the SBOM file" to "feat: support PDM ecosystem" (Oct 25, 2023)
jkowalleck added the labels "enhancement" and "source: pdm" (Oct 25, 2023)
@jkowalleck
Member

jkowalleck commented Oct 25, 2023

Why not bring the wish/need/topic for CycloneDX SBOM to the @pdm-project team themselves, so they could implement it as a CLI tool feature and maintain it as needed?
Nowadays, package managers know that SBOM is a thing; they are waiting for a community request to justify the effort of implementation ;-)
We, the CycloneDX team, have already had good experience with this approach: community members made the first request to the ecosystems, and then we successfully supported the package manager developers and ecosystem maintainers on their way to getting CycloneDX SBOM as a first-party feature.
(see npm and conan2)

If the @pdm-project people don't see a need for this topic or don't want to provide the feature themselves, then sure, come back, so we can discuss a possible solution implemented in cyclonedx-python/cyclonedx-bom.

This being said, @rios0rios0, please keep us updated if you get in contact with @pdm-project.

PS: the CycloneDX community is proud of their own solutions and implementations to get ecosystems enabled to do proper supply chain assessment, and we will continue doing so. We also love to see ecosystems adopting the topic. 🚀

@jkowalleck
Member

@pdm-project (@frostming)

Do you have insights on how to approach the idea of CycloneDX SBOM being an official PDM CLI feature?

jkowalleck added the label "help wanted" (Jan 6, 2024)
jkowalleck pinned this issue (Jan 6, 2024)
@jkowalleck
Member

jkowalleck commented Jan 11, 2024

Even though support for the PDM manifest and lockfile will not be implemented soon,
there is some kind of support in the upcoming v4 -- read #605 for the changelog, install instructions and more.

Since PDM utilizes python virtual environments under the hood, it is possible to use the functionality for Python environments as described in the docs for v4-RC.

$ cyclonedx-py environment "$(pdm info --python)"
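As an added illustration (not code from this thread or from cyclonedx-python), the script below shows what the `environment` route above amounts to: it inventories whatever is installed in one site-packages directory via importlib.metadata and emits a CycloneDX-shaped JSON document with purls and a dependency graph. It assumes you pass the `purelib` directory of the interpreter reported by `pdm info --python`; the two-package environment it builds for the demo is constructed, and the output is a minimal subset of the CycloneDX 1.5 JSON shape, not validated against the schema.

```python
import json
import re
import tempfile
from importlib import metadata
from pathlib import Path


def _norm(name: str) -> str:
    """PEP 503 normalisation so 'Foo_Bar' and 'foo-bar' map to the same purl."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _req_name(req: str) -> str:
    """Project name at the start of a Requires-Dist line (drops extras, specifiers, markers)."""
    return _norm(re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req).group(1))


def environment_bom(site_packages: Path) -> dict:
    """Walk the *.dist-info directories of one environment and build components + dependencies."""
    installed = {}
    for dist in metadata.distributions(path=[str(site_packages)]):
        installed[_norm(dist.metadata["Name"])] = (dist.version, dist.requires or [])
    components, dependencies = [], []
    for name in sorted(installed):
        version, reqs = installed[name]
        ref = f"pkg:pypi/{name}@{version}"
        components.append({"type": "library", "bom-ref": ref, "name": name,
                           "version": version, "purl": ref})
        # Only edges to packages actually present count: an environment BOM reflects
        # what is installed, not what the metadata would allow (uninstalled extras drop out).
        depends_on = sorted({f"pkg:pypi/{d}@{installed[d][0]}"
                             for d in map(_req_name, reqs) if d in installed})
        dependencies.append({"ref": ref, "dependsOn": depends_on})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components, "dependencies": dependencies}


def constructed_site_packages() -> Path:
    """Constructed sample environment: two dist-info dirs, one optional dep not installed."""
    root = Path(tempfile.mkdtemp())
    sample = [("foo", "1.0", ["bar>=2", "optional-thing; extra == 'x'"]), ("Bar", "2.3", [])]
    for name, version, reqs in sample:
        info = root / f"{name}-{version}.dist-info"
        info.mkdir()
        lines = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}"]
        lines += [f"Requires-Dist: {r}" for r in reqs]
        (info / "METADATA").write_text("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    # For a real PDM project, pass the purelib path of the interpreter from `pdm info --python`.
    print(json.dumps(environment_bom(constructed_site_packages()), indent=2))
```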

@k4yt3x

k4yt3x commented Jan 11, 2024

Problem Statement & Motivation

The increase in PDM's use as a Python package manager necessitates its support in cyclonedx-python. This PR aims to enable cyclonedx-python to generate SBOM information for Python projects using PDM, a feature currently missing.

Expected Outcome

The objective of this PR is to integrate PDM support into cyclonedx-python. Once accomplished, cyclonedx-python should be able to generate SBOMs for Python projects that use PDM, similar to its existing functionality for other package managers like Poetry.

Acceptance Criteria

The primary acceptance criterion is cyclonedx-python's capability to generate accurate SBOMs for Python projects that deploy PDM as their package manager.

Edge Cases

Consideration should be given to potential edge cases including, but not limited to:

  1. Projects using different versions of PDM.
  2. Projects utilizing PDM along with other package managers.
  3. Projects that include packages with complex dependencies.

These situations should be examined and tested to ensure comprehensive PDM support in cyclonedx-python.

How to Test

To confirm the new functionality, tests mirroring those for Poetry will be developed. A new file, tests/test_parser_pdm.py, will be created to test the PDM parser specifically. These tests should encompass standard usage scenarios as well as the previously mentioned edge cases.

jkowalleck unpinned this issue (Feb 2, 2024)
@k4yt3x

k4yt3x commented Feb 6, 2024

The new environment command works great with our PDM use cases, so as far as we are concerned this feature is completed and usable. If anything, we can reopen or create a new ticket.

@jkowalleck
Member

If anything, we can reopen or create a new ticket.

Totally. A dedicated PDM lock file analysis might come in handy for SBOM creation without running the actual setup.
