enhance requirements file parser or switch to another one

[jkowalleck]

there are multiple discussions for alternative or missing features of the requirements file parser.

• Support multiple requirement files according to envionments #273
• feat: parse requirements.txt with private pypi repository #318
• feat: parse requirements.txt with locally referenced packages #315
• feat: parse requirements.txt with locally referenced packages #284
• Crashes on requirements.txt with hashes #194 & FEATURE: Support for requirements.txt files with hashes cyclonedx-python-lib#8

---

the story so far: the original requirements parser had the scope to understand the output of pip freeze.
but the people want more :-)

• support for -r to chain multiple files
• support for custom package registries and repositories
• support for packages by relative path
• support for package hashes

there are suggestions to switch to an alternative requirements file parser at some point, as it supports some of the mentioned features.

---

lets discuss the topic here!

[llamahunter]

The docs for cyclonedx-bom says that it can read a "requirements.txt" file. If that's not the case, probably should be made clear.

But, disallowing private pypi repos seems pretty limiting.

[mostafa]

@llamahunter That's what I am trying to fix. For now, I'll focus on #315 and #284, but will eventually address all the issues.

[llamahunter]

See also #318. Don't care so much about local packages, but private repositories are critical for us since we have private libraries that we don't want to publish publicly just to use with cyclone-dx.

[jkowalleck]

fixed in v4