Hi, with the upcoming EU cyber-resilience act it seems like it will be mandatory to provide SBOMs for every digital product. Is this something that is on the pants roadmap?

I don't think so. There was this conversation a while back, but an issue discovered there was no real standard: https://pantsbuild.slack.com/archives/C046T6T9U/p1679607949122349?thread_ts=1679607949.122349&cid=C046T6T9U Do you know if the EU has defined an SBOM standard yet?

In TR-03183 (did not find the english version) it is written that accepted versions are SPDX and CycloneDX.

Ok, assuming Germany is representative of all the EU there, those were both formats discussed in the thread above.

The document is written in a way that lets me assume that the document should also exist in english/ other EU languages.

Ok. Well https://github.com/pantsbuild/pex/issues/2102 is an appropriate tracking issue for the Python side. Presumably @few-arm-93065 moved on and implemented something else on his own. It would be best though that the Pants community pick one of those standards and from a broader plan if it wants to attack this (it may not) as a whole.

Yes, I would assume that all developers will have to generate the SBOMs at some point, if the act is implemented. I guess the best case would be a pants solution, worst case the usage of some

adhoc_tool

targets to generate the SBOMs with different external tools for every language used in the repository.