An SBOM generator for AI models and Python projects
Pitloom tracks the source of each metadata field in the SBOM using the SPDX 3
comment attribute. This enables answering questions like:
“Why does the SBOM say the concluded license is MIT?”
“Where did the version number come from?”
For a package with metadata extracted from various sources:
{
"type": "software_Package",
"name": "mypackage",
"software_packageVersion": "1.2.3",
"comment": "Metadata provenance: name: Source: pyproject.toml | Field: project.name; version: Source: src/mypackage/__about__.py | Method: dynamic_extraction; dependencies: Source: pyproject.toml | Field: project.dependencies"
}
The provenance information shows:
pyproject.toml -> project.namesrc/mypackage/__about__.pypyproject.toml -> project.dependenciesThis transparency is crucial for: