Shelling out external network call dependency

[ba11b0y]

Right now, the parsers try to make external network calls for fetching package data.

nuget

https://github.com/opensbom-generator/parsers/blob/main/nuget/helpers.go#L14

Used to fetch:

• nuget spec
• checksum

pip

https://github.com/opensbom-generator/parsers/blob/main/pip/worker/pypi.go#L85

Used to fetch:

• author details
  • There's no need to make an external network call here since this information is available with pip's metadata.
• checksum
• download url

Bonus:

For all dependency managers, pip offers a command pip inspect to get metadata
for the current environment which contains package metadata, platform information(this can be used for #25) and a lot more.

[ba11b0y]

For pip, I couldn't find checksum/download url information locally :/
cc: @nishakm @puerco

[nishakm]

@ba11b0y pip doesn't natively list projects with hashes. I've used pip-tools to get that info: pip-compile --generate-hashes.

[ba11b0y]

But don't we want to extract information from what we already have? Using pip-tools means that the project owners will need to have pip-tools installed.