Generate SBOM from pyinstaller archive file
Currently sbom4python extracts metadata from the Python package manager (pip). A useful enhancement would be to extract information from a pyinstaller archive file.
I do confirm that this is something that would be very desirable. The pyinstaller bundles are like black boxes and the process of including or excluding packages is unclear. Of course it includes our dependencies and the hooks that we explicitly declare. But it also includes many DLLs and builtin packages. It might also include some stuff specific to pyinstaller itself, but what? And it includes the Python interpreter. So when producing an SBOM for a product bundled with pyinstaller, all these elements are to be considered.
Thank you for your efforts on that issue!
Looking for any help in understanding the pyinstaller file structure.
Hi Anthony, you might have come across this discussion: https://github.com/pyinstaller/pyinstaller/issues/8088. The pyinstaller devs seem reluctant to implement an SBOM generator themselves for pyinstaller bundles. But they might help in giving some insight about the bundling process. Moreover, there are some cues in the discussion about how the bundles are described with a.pure, a.datas, a.binaries tables of contents. And Joerki seems to have developed a solution for himself. You might get in touch with him and get some help on the subject.
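Added example, not part of the thread and not sbom4python or PyInstaller code: a sketch of how the `a.pure`, `a.binaries` and `a.datas` tables of contents mentioned above could be collapsed into an SBOM-style component inventory. It assumes each entry is a `(dest_name, src_path, typecode)` tuple and that any `*.dist-info` directory was copied into the bundle as data; the sample entries, paths and the `inventory` and `bundled_versions` helpers are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample data shaped like the (dest_name, src_path, typecode)
# tuples in PyInstaller's Analysis TOC lists. Every path here is made up.
PURE = [
    ("requests", "/venv/lib/python3.11/site-packages/requests/__init__.py", "PYMODULE"),
    ("requests.adapters", "/venv/lib/python3.11/site-packages/requests/adapters.py", "PYMODULE"),
    ("json", "/usr/lib/python3.11/json/__init__.py", "PYMODULE"),
]
BINARIES = [
    ("libpython3.11.so.1.0", "/usr/lib/libpython3.11.so.1.0", "BINARY"),
    ("lib-dynload/_ssl.so", "/usr/lib/python3.11/lib-dynload/_ssl.so", "EXTENSION"),
]
DATAS = [
    ("requests-2.31.0.dist-info/METADATA",
     "/venv/lib/python3.11/site-packages/requests-2.31.0.dist-info/METADATA", "DATA"),
    ("certifi/cacert.pem", "/venv/lib/python3.11/site-packages/certifi/cacert.pem", "DATA"),
]

def _norm(name):
    """Normalise a package name for comparison (case, '_' vs '-')."""
    return name.lower().replace("_", "-")

def bundled_versions(datas):
    """Read name/version from any *.dist-info directory copied into the bundle."""
    versions = {}
    for dest, _src, _typecode in datas:
        top = PurePosixPath(dest.replace("\\", "/")).parts[0]
        if top.endswith(".dist-info"):
            name, _, version = top[: -len(".dist-info")].rpartition("-")
            if name:
                versions[_norm(name)] = version
    return versions

def inventory(pure, binaries, datas):
    """Collapse TOC entries into one record per Python package or native file."""
    versions = bundled_versions(datas)
    components = {}
    for module, src, _typecode in pure:
        top = module.split(".")[0]
        comp = components.setdefault(top, {
            "name": top, "kind": "python-package", "modules": 0,
            # Heuristic (assumption): outside site-packages means stdlib.
            "origin": "third-party" if "site-packages" in src else "stdlib",
            # Best effort: import name and distribution name can differ.
            "version": versions.get(_norm(top)),
        })
        comp["modules"] += 1
    for dest, src, typecode in binaries:
        components[dest] = {"name": dest, "kind": typecode.lower(),
                            "origin": src, "version": None}
    return sorted(components.values(), key=lambda c: (c["kind"], c["name"]))
```

Packages with no bundled `dist-info` come back with `version` set to `None`, which marks the entries an SBOM tool would still have to resolve from the build environment.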