-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide ability to emit SPDX SBOM formats #251
Comments
Thanks for the request, @lumjjb! When we started designing |
Awesome! Sounds good :D. @swinslow would you be able to recommend some python libraries to look at? |
I did a little bit more searching, and couldn't find a good Python library for SPDX SBOM generation (but I might have completely missed it!) Still open to suggestions here. Otherwise, when we prioritize this, we may have to hand-roll the format. |
Let me ask around and do some searching too! I'll get back to you! |
quick question - did you manage to take a look at https://github.com/spdx/tools-python/, what are some interfaces/structures that you think are needed to make it more useful to consume the library? (Asking this also because I'm working on the golang library :)) |
I think I saw that repository, but might have mentally categorized it as a CLI tool rather than a Python API. But it looks like it does have a Python API, so I'll take another look, thanks! |
I might be able to answer this on my own, but in case you know it immediately: where are the right models for generating a "vulnerability profile" for each dependency listed in the SBOM? I see it was standardized here: spdx/spdx-spec#510, and I think that's what we'll need in the context of |
Ah yea - if i'm not wrong, I think that effort was renamed to "Defects Profile", and it was for use case of reporting vulnerabilities as part of the SPDX document! spdx/spdx-spec#733 I love your suggestion of using the profiles as ways to organize and define the interfaces! As more of the SPDX profiles get defined, this will be a great way to build up the libraries. Thank you! |
Circling back here: we have this scoped in another round of work, so we should be adding support relatively soon! We still don't have a good dependency pinned down for generating these SBOMs, however. |
Thanks for checking back! I believe that there's on-going OpenSSF funding request for the python library: ossf/sbom-everywhere#6 Is this something that you are participating / interested in? |
I think so! We have a decent amount of prior experience with SBOM generation, including contributing to other SBOM libraries for Python. What's the best way to proceed here? Is there an specific OSSF point-of-contact that Trail of Bits should email? |
Have a look at SBOM4PYTHON which might do what you need. It generates both SPDX and CyloneDX SBOMs for an installed Python module and all its assoicated dependencies. |
@woodruffw sorry i missed this, I think this is the issue for the python lib funding ossf/sbom-everywhere#6 that @joshbressers has been shepherding |
No problem! Thanks for the update. And thanks for the link @anthonyharrison! |
@woodruffw I've pointed Kate Stewart at this issue, she should be able to hook you up with the folks working on that SBOM library. Feel free to also follow along on the issue @lumjjb added |
@woodruffw - I've pointed the developers at this thread, so hopefully they'll chime in directly. There's a weekly call on Thursdays at 8:30 Pacific where we discuss next steps, etc. You're welcome to join in. Email me directly and I'll point you at details if you want to participate. Similarly, there's spdx/tools-python#244 where the refactoring/cleanup of the python libraries is being discussed. |
Thanks a ton @kestewart! I'm happy to join the weekly call; I'll be in contact over email. |
guessing this went nowhere? |
Nobody has volunteered to do it, if that's what you mean. The feature request itself is still open and I'd be happy to review proposals/PRs that add support for SPDX SBOMs. |
Since any time I find to code, occurs between midnight and whenever I force myself awake until, while being able to turn up to work or be lucid for the family the next day.. I'm not promising anything here, though I will take a look as I do occasionally find time to do things like OWASP cheatsheets or redhat CVSSv4 support To be frank, I was actually referring to the approved funding - but I appreciate the deflection back to us asking in true form to open source it's a team effort, I get it Having said that, what happened here? Funding dry up or something? All promises no real interest in the outcomes? |
I was funded to work on SPDX SBOM integration into pip-audit, but there was a blocker as discussed above, and that funding was used for other maintenance tasks instead. I think the other funding you're referring to is the SPDX Python implementation's own funding, which they got for development on their own repository, not for integration into pip-audit. This isn't really the right place to express generic grievances about funding, and it isn't nice to accuse people of being "all talk no action." With that being said, if you're interested in adding support for SPDX it would be greatly appreciated, and I'd be happy to review the changes. Per above the main requirement is that we use SPDX's official models and Python APIs rather than manually building the SBOM. Edit: corrected facts. |
Is your feature request related to a problem? Please describe.
I would like to be able to generate SPDX SBOM format ('spdx-json' and 'spdx-xml') documents for an application so that I can integrate with other SPDX tooling.
Describe the solution you'd like
I would like there to be an option to emit SPDX format SBOMs and/or CycloneDX SBOMs (CycloneDX already implemented based on discussion in #3).
Describe alternatives you've considered
Alternative solutions would be taking the output of cycloneDX formats and converting it to SPDX format. However, this relies on external tooling which may not have proper conformance testing or maintenance going forward. In addition, the different specifications are working towards new directions (i.e. SPDX with build profiles), and relying on native libraries would be preferred.
The text was updated successfully, but these errors were encountered: