Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature request: export lockfile in SPDX format #2102

Open
jwarwick-delfi opened this issue Mar 23, 2023 · 4 comments
Open

Feature request: export lockfile in SPDX format #2102

jwarwick-delfi opened this issue Mar 23, 2023 · 4 comments

Comments

@jwarwick-delfi
Copy link

As a consumer of Pex lockfiles via the pants build tool, I would like to export a lockfile in an open format that I can use to generate a software bill of materials (SBOM). SPDX seems to be the widely-used open standard for these files.

SPDX can be expressed in a variety of formats, personally I would prefer text, JSON, or YAML.

@jsirois
Copy link
Member

jsirois commented Mar 23, 2023

Since Pex vendors a very limited set of 3rd party libraries it uses, sticking to the stdlib is best; so text or JSON are preferred from the Pex point of view.

@jsirois
Copy link
Member

jsirois commented Mar 23, 2023

Hrm. A quick read of the spec seems to suggest each file must have 1 sha1 checksum and then 0 or more other checksums: https://spdx.github.io/spdx-spec/v2.3/file-information/#84-file-checksum-field

A lockfile only contains sha256 checksums and so generating a valid SPDX will require downloading every artifact in a lockfile and re-fingerprinting it down to sha1. This is not awesome.

@jsirois
Copy link
Member

jsirois commented Mar 23, 2023

Ok, the code that implements pex3 lock export ... is here:
https://github.com/pantsbuild/pex/blob/fd9a07f3cc4e8a3f64eb2c9850f7936c67453315/pex/cli/commands/lock.py#L493-L516

That currently exports for just 1 distribution target, where a distribution target in Pex-speak is a particular local Python interpreter or else a foreign platform's interpreter. If your SBOM will be attached to a single platform in this way (say 1 SBOM per each of Python 3.7, 3.8 and 3.9 and per Linux and Mac for a total of 6 SBOMs), then all is well, you just run export six times configuring a different target for each run. If your SBOMs are intended to be singular and need to incorporate data for all distribution targets, a new sub-command is probably warranted pex3 lock sbom .... Either way, the key data structure is contained in lock_file on line 500. That is a XXX and is defined here:
https://github.com/pantsbuild/pex/blob/32a0789ee4d431f0d84b3f1e924bb91b78cde1cd/pex/resolve/lockfile/model.py#L29-L51

@jsirois
Copy link
Member

jsirois commented Mar 23, 2023

If, instead of exporting an entire lockfile as an SBOM, individual built-PEX files could export (or even include) an SBOM, things become alot simpler since the actual used software is all present along with licenses and other metadata. Re-hashing becomes ecosystem-friendly, etc.

There is already a suite of tools that can either be included in a PEX file by using --include-tools when building the PEX or else by using the pex-tools console script installed alongside pex.

These live here: https://github.com/pantsbuild/pex/tree/main/pex/tools/commands
The repository, graph and venv commands all do portions of the work that will be needed here - in particular they resolve the PEX's distributions.

Perhaps best is to start looking at graph which generates a graphviz svg graph of a PEX's internal software which is part way to an SBOM.

The run main entrypoint of the tool is here:
https://github.com/pantsbuild/pex/blob/e0efca098404a6093f514839103ea7843920e4fa/pex/tools/commands/graph.py#L154-L156

The PEX resolve is done here:
https://github.com/pantsbuild/pex/blob/e0efca098404a6093f514839103ea7843920e4fa/pex/tools/commands/graph.py#L33-L49

And the resolved things are Distributions defined here:
https://github.com/pantsbuild/pex/blob/e0efca098404a6093f514839103ea7843920e4fa/pex/dist_metadata.py#L549-L550

@jsirois jsirois removed the resolver label Mar 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants