
Enumerate pip's vendored dependencies in SBOM #114250

Closed
sethmlarson opened this issue Jan 18, 2024 · 0 comments · Fixed by #114450
Labels: type-bug (An unexpected behavior, bug, or error)

Comments

sethmlarson (Contributor) commented Jan 18, 2024

Bug report

Bug description:

Part of #112302

Currently pip's package entry in the SBOM is quite simple, including only itself but not all the vendored projects and their licenses/IDs. See comment from @hroncok on DPO on why this is problematic: https://discuss.python.org/t/create-and-distribute-software-bill-of-materials-sbom-for-python-artifacts/39293/24

My proposed changes to generate_sbom.py are the following:

  • Find the entry pip/_vendor/vendor.txt in the pip wheel archive.
  • Read the content, parse the requirements into names and versions.
  • Ensure all entries are represented as packages in the SBOM with a pip DEPENDS_ON <package> relationship.

This approach lets the license identifiers be specified in the SBOM like other packages, but would then raise an error if pip is upgraded with a difference in vendored dependencies or versions, allowing the reviewer to acknowledge any changes.

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response
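The three-step procedure proposed above (locate `pip/_vendor/vendor.txt` in the wheel, parse it into names and versions, make sure every entry is an SBOM package reachable through a pip `DEPENDS_ON` relationship) as an added, self-contained example. This is not code from CPython's `generate_sbom.py` or from pip; the wheel is built in memory so it runs offline, the `vendor.txt` content and the SBOM fragment are constructed samples, and the helper names (`build_pip_wheel`, `parse_vendor_txt`, `sync_vendored_packages`, `SbomDriftError`) are this example's own. The SPDX field names (`SPDXID`, `versionInfo`, `licenseConcluded`, `relationshipType`) are the real SPDX JSON ones. The drift check mirrors the intent described in the comment: license identifiers stay hand-maintained in the SBOM, and any vendored project that is missing, at a different version, or no longer vendored causes an error that a reviewer has to resolve.

```python
"""Cross-check pip's vendored projects (pip/_vendor/vendor.txt) against an SPDX SBOM."""
import io
import re
import zipfile

# Constructed sample in the shape of pip's vendor.txt ("name==version", optional "# comment").
SAMPLE_VENDOR_TXT = """\
# constructed sample, not pip's real vendor.txt
CacheControl==0.13.1  # Make sure to update the license in pyproject.toml for this.
colorama==0.4.6
distlib==0.3.8

pyproject-hooks==1.0.0
"""

PIP_SPDX_ID = "SPDXRef-PACKAGE-pip"  # assumed SPDXID for the pip package entry

# Constructed SBOM fragment: pip itself plus one stale vendored entry (wrong version).
SAMPLE_SBOM = {
    "packages": [
        {"SPDXID": PIP_SPDX_ID, "name": "pip", "versionInfo": "24.0", "licenseConcluded": "MIT"},
        {"SPDXID": "SPDXRef-PACKAGE-colorama", "name": "colorama",
         "versionInfo": "0.4.5", "licenseConcluded": "BSD-3-Clause"},
    ],
    "relationships": [],
}

# Pinned requirement: a PEP 508-style name, "==", a version; anything else is an error.
_REQ_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)==(\S+)$")


class SbomDriftError(Exception):
    """Raised when vendor.txt and the SBOM disagree; .problems lists every mismatch."""
    def __init__(self, problems):
        super().__init__("\n".join(problems))
        self.problems = problems


def build_pip_wheel(vendor_txt):
    """Hypothetical helper: an in-memory zip laid out like a pip wheel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pip/__init__.py", "")
        zf.writestr("pip/_vendor/vendor.txt", vendor_txt)
    return buf.getvalue()


def read_vendor_txt(wheel_bytes):
    """Step 1: find the vendor.txt entry inside the wheel archive."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return zf.read("pip/_vendor/vendor.txt").decode("utf-8")


def parse_vendor_txt(text):
    """Step 2: strip comments/blank lines and return {name: version}."""
    deps = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"vendor.txt line {lineno}: expected 'name==version', got {raw!r}")
        name, version = m.groups()
        if name in deps:
            raise ValueError(f"vendor.txt line {lineno}: duplicate entry for {name}")
        deps[name] = version
    return deps


def spdx_id_for(name):
    """Assumed SPDXID convention for package entries."""
    return f"SPDXRef-PACKAGE-{name}"


def sync_vendored_packages(sbom, deps):
    """Step 3: return a copy of the SBOM with a pip DEPENDS_ON relationship per vendored
    project. Package entries (and their licenses) are never invented here: a missing
    entry, a version mismatch, or a stale dependency raises SbomDriftError."""
    packages_by_name = {p["name"]: p for p in sbom["packages"]}
    problems = []
    for name, version in sorted(deps.items()):
        pkg = packages_by_name.get(name)
        if pkg is None:
            problems.append(f"{name}=={version} is vendored but has no package entry in the SBOM")
        elif pkg.get("versionInfo") != version:
            problems.append(f"{name}: SBOM records {pkg.get('versionInfo')}, vendor.txt has {version}")
    old_rels = sbom.get("relationships", [])
    is_pip_dep = lambda r: r["spdxElementId"] == PIP_SPDX_ID and r["relationshipType"] == "DEPENDS_ON"
    previously = {r["relatedSpdxElement"] for r in old_rels if is_pip_dep(r)}
    expected = {packages_by_name[n]["SPDXID"] for n in deps if n in packages_by_name}
    for stale in sorted(previously - expected):
        problems.append(f"{stale} is recorded as a pip dependency but is no longer in vendor.txt")
    if problems:
        raise SbomDriftError(problems)
    relationships = [r for r in old_rels if not is_pip_dep(r)]
    for name in sorted(deps):
        relationships.append({"spdxElementId": PIP_SPDX_ID, "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": packages_by_name[name]["SPDXID"]})
    return {**sbom, "relationships": relationships}


if __name__ == "__main__":
    deps = parse_vendor_txt(read_vendor_txt(build_pip_wheel(SAMPLE_VENDOR_TXT)))
    try:
        sync_vendored_packages(SAMPLE_SBOM, deps)
    except SbomDriftError as err:
        print("SBOM drift detected; reviewer must update the SBOM:\n" + str(err))
```

Run stand-alone, the sample SBOM fails the check (three missing packages and a colorama version mismatch), which is the point: the script refuses to silently add entries without license identifiers, and a pip upgrade that changes vendored projects shows up as a review item rather than being absorbed automatically.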

