anthonyharrison / sbom4python

A tool to generate a SBOM (Software Bill of Materials) for an installed Python module

Feature request: Including optional feature's dependencies

ogbautista opened this issue · comments

I recently noticed a case where an SBOM that included twisted as a dependency was not listed as a dependency. After careful review, I found that twisted was installed as twisted[tls] and, as a consequence, additional sub-dependencies are installed. I unsuccessfully tried generating an SBOM for twisted[tls]. As a workaround, I had to generate SBOMs for the additional sub-dependencies and merge them. It would be great if these could be added automatically by sbom4python given the correct command line input.

@ogbautista Thanks for raising this. I don't do anything special for optional dependencies, so I need to look at how optional dependencies are handled within the ecosystem.

@ogbautista I have now looked at how optional dependencies are handled.

In separate Python virtual machines, I pip installed twisted and twisted[tls]. Whilst the optional dependencies are installed, they are not referenced in the metadata associated with the twisted module and associated packages, and are therefore not included in the SBOM. I will look into offering a new option to create an SBOM for all of the installed Python modules (within a virtual machine) instead of just a single module.

That will be awesome!
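For reference on the mechanism discussed in this thread: extras are declared in a distribution's Core Metadata as `Requires-Dist` entries carrying an `extra == "name"` environment marker. The following is an added example, not sbom4python code, that resolves which direct dependencies a given extra pulls in from a constructed `METADATA` excerpt (the package names and version bounds are placeholders, not copied from any real distribution).

```python
import re

# Constructed METADATA excerpt in Core Metadata format; names and version
# bounds are placeholders and not taken from any real distribution.
SAMPLE_METADATA = """\
Metadata-Version: 2.1
Name: twisted
Provides-Extra: tls
Provides-Extra: http2
Requires-Dist: attrs>=21.3.0
Requires-Dist: zope.interface>=5
Requires-Dist: pyopenssl>=21.0.0; extra == "tls"
Requires-Dist: service-identity>=18.1.0; extra == "tls"
Requires-Dist: idna>=2.4; extra == "tls"
Requires-Dist: h2>=3.0; extra == "http2"
"""

# PEP 508 marker fragment that gates a requirement on an extra.
_EXTRA_MARKER = re.compile(r'''extra\s*==\s*["']([^"']+)["']''')
# Leading project name of a requirement string (letters, digits, . _ -).
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def parse_requires_dist(metadata: str):
    """Yield (name, extra_or_None) for each Requires-Dist line.

    A requirement whose marker contains `extra == "x"` is only installed
    when the package is requested as pkg[x]; others are unconditional.
    """
    for line in metadata.splitlines():
        if not line.startswith("Requires-Dist:"):
            continue
        spec = line.split(":", 1)[1].strip()
        req, _, marker = spec.partition(";")
        name = _NAME.match(req.strip()).group(0).lower()
        m = _EXTRA_MARKER.search(marker)
        yield name, (m.group(1).lower() if m else None)


def resolve_dependencies(metadata: str, extras=()):
    """Return sorted direct dependency names for pkg[extras].

    An SBOM built from the unconditional requirements alone misses the
    extra-gated entries, which is the gap described in this issue.
    """
    wanted = {e.lower() for e in extras}
    deps = set()
    for name, extra in parse_requires_dist(metadata):
        if extra is None or extra in wanted:
            deps.add(name)
    return sorted(deps)


if __name__ == "__main__":
    print(resolve_dependencies(SAMPLE_METADATA))
    print(resolve_dependencies(SAMPLE_METADATA, extras=["tls"]))
```

Against an installed distribution, the same lines are available via the standard library as `importlib.metadata.metadata("twisted").get_all("Requires-Dist")`, so the marker check above can be applied to real metadata without any third-party parser.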