Include language package manager (e.g. `cargo`, `npm`, go modules) information in SBOMs
Verification
- [X] This issue's title and/or description do not reference a single formula e.g. `brew install wget`. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.
Provide a detailed description of the proposed feature
The sbom.spdx.json contains dependency information for dependencies managed by brew. We should include dependency information for those not managed by brew as well.
What is the motivation for the feature?
More complete SBOMs. It will also improve our ability to track CVEs that affect formulae.
How will the feature be relevant to at least 90% of Homebrew users?
It probably won't be.
What alternatives to the feature have been considered?
- the status quo
- another mechanism for tracking non-Homebrew dependencies
Good idea, thanks @carlocab!
@carlocab do you have an example of some data you would like to see included?
Could be worth starting with something like npm which provides `npm sbom` and decide what parts of that should be included.
Cargo may be easier once RFC https://github.com/rust-lang/rfcs/pull/3553 provides a similar feature. Some repositories use tools like cargo-auditable to put related information inside the binaries.
May need to see how large these can get since the dependency trees can be quite large.
Though, homebrew-pip-audit is using osv-scanner, so a variation on the previous PR for lock files (https://github.com/Homebrew/brew/pull/14835) could be more useful if we want to build tooling around auditing our own formulae. osv-scanner supports Cargo.lock, Gemfile.lock, etc.
> @carlocab do you have an example of some data you would like to see included?
Not really, sorry! It's really more that our SBOMs already contain dependency information when those dependencies are on other formulae. Ideally the dependency information would be more complete by including non-formula dependencies too.
At minimum, I guess, we should include the names and versions of language package manager dependencies in the SBOMs.
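One shape this could take for the npm case, as an added example (not Homebrew's own SBOM code): read the `package-lock.json` a formula leaves behind and turn each shipped package into an SPDX package entry with a purl, plus `DEPENDS_ON` relationships back to the formula's own SPDX package. The lock file contents and the formula's SPDXID (`SPDXRef-Bottle-example-cli`) are constructed for the illustration.

```ruby
require "json"

# Constructed sample package-lock.json (lockfileVersion 3) standing in for
# one a formula leaves under its libexec; names and versions are made up.
SAMPLE_PACKAGE_LOCK = <<~JSON
  {
    "name": "example-cli",
    "lockfileVersion": 3,
    "packages": {
      "": { "name": "example-cli", "version": "1.0.0" },
      "node_modules/left-pad": { "version": "1.3.0" },
      "node_modules/@scope/util": { "version": "2.1.4" },
      "node_modules/left-pad/node_modules/nested": { "version": "0.1.0", "dev": true }
    }
  }
JSON

# purl spec: a scoped npm package keeps its scope as the namespace, with
# the leading "@" percent-encoded, e.g. pkg:npm/%40scope/util@2.1.4.
def npm_purl(name, version)
  "pkg:npm/#{name.sub(/\A@/, "%40")}@#{version}"
end

# Map the "packages" table of a lockfileVersion 2/3 package-lock.json to
# SPDX package entries. Keys are install paths; the package name is what
# follows the last "node_modules/". The root entry ("") is the formula
# itself and dev-only packages are not shipped in the bottle, so both are
# skipped. SPDXIDs may only contain [A-Za-z0-9.-], hence the gsub.
def npm_lock_packages(lock_json)
  JSON.parse(lock_json).fetch("packages", {}).filter_map do |path, meta|
    next if path.empty? || meta["dev"]
    name = path.split("node_modules/").last
    version = meta.fetch("version")
    {
      "SPDXID" => "SPDXRef-npm-#{name.gsub(/[^A-Za-z0-9.-]/, "-")}-#{version}",
      "name" => name,
      "versionInfo" => version,
      "downloadLocation" => "NOASSERTION",
      "externalRefs" => [{ "referenceCategory" => "PACKAGE-MANAGER",
                           "referenceType" => "purl",
                           "referenceLocator" => npm_purl(name, version) }],
    }
  end
end

# DEPENDS_ON relationships from the formula's own SPDX package (ID assumed)
# to each language dependency, ready to append to the SBOM's relationships.
def npm_lock_relationships(packages, formula_spdxid)
  packages.map do |pkg|
    { "spdxElementId" => formula_spdxid, "relationshipType" => "DEPENDS_ON",
      "relatedSpdxElement" => pkg["SPDXID"] }
  end
end
```

The resulting `packages` and `relationships` arrays are the pieces that would be merged into `sbom.spdx.json`; a Cargo.lock or Gemfile.lock reader would feed the same two functions with a different purl type.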
> Could be worth starting with something like npm which provides `npm sbom` and decide what parts of that should be included.
Agreed. Note: given all our SBOM reproducibility issues, this needs to be done at bottle pour time.
@carlocab thanks for clarifying!
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.