pip cataloger should support repository url

[sambhav]

What would you like to be added:

when pip packages are installed from non default pip indices (pypi), we should store the pip repository url in the sbom

Why is this needed: useful to know the origin of a package

Additional context:

[wagoodman]

This is a great idea --do you happen to know if this information is stored for each package installed? That is, if looking at a site-packages directory with several installations, is it possible to locally conclude which local package was specifically pulled from which pip index?

[sambhav]

@wagoodman - sadly it looks like this information is not available. cc: @pradyunsg if you have any more details.

[pradyunsg]

This information is not stored in the metadata by pip.

The only way to get this is going to be possible is by controlling the pip install call, and checking what index URL it is using (likely by using pip config and PIP_INDEX_URL).

[sambhav]

@pradyunsg that might be tricky though right? pip might have installed it from one of the extra index urls or via find-links, some of which may also be project specific configuration rather than a global pip opt. Would it be worth opening an issue for pip to store this metadata? The rationale being that certain index servers might store different copies of the same package/version and we might want to identify the origin in the output SBOM/vuln analysis.

[pradyunsg]

You might want to check with pip-audit folks, who are generating SBOMs. If that doesn't go anywhere, filing an issue against pip seems reasonable to me!

[sambhav]

Created https://github.com/pypa/pip/issues/10736

[luhring]

IIUC, we should consider this issue "blocked" until the data is available for Syft to observe in the scan target. If I'm wrong here, just let me know! 😄