
Provide ability to emit SPDX SBOM formats

Open lumjjb opened this issue 4 years ago • 21 comments

Is your feature request related to a problem? Please describe.

I would like to be able to generate SPDX SBOM format ('spdx-json' and 'spdx-xml') documents for an application so that I can integrate with other SPDX tooling.

Describe the solution you'd like

I would like there to be an option to emit SPDX format SBOMs and/or CycloneDX SBOMs (CycloneDX already implemented based on discussion in https://github.com/trailofbits/pip-audit/issues/3).

Describe alternatives you've considered

Alternative solutions would be taking the output of CycloneDX formats and converting it to SPDX format. However, this relies on external tooling which may not have proper conformance testing or maintenance going forward. In addition, the different specifications are working towards new directions (i.e. SPDX with build profiles), and relying on native libraries would be preferred.

lumjjb avatar Apr 22 '22 12:04 lumjjb

Thanks for the request, @lumjjb!

When we started designing pip-audit, we selected CycloneDX over SPDX solely because of better Python bindings/library support. That was close to a year ago at this point and so things may have changed, but selecting a reasonable dependency for emitting SPDX SBOMs will be the first step here 🙂

woodruffw avatar Apr 22 '22 13:04 woodruffw

Awesome! Sounds good :D.

@swinslow would you be able to recommend some python libraries to look at?

lumjjb avatar Apr 22 '22 14:04 lumjjb

I did a little bit more searching, and couldn't find a good Python library for SPDX SBOM generation (but I might have completely missed it!)

Still open to suggestions here. Otherwise, when we prioritize this, we may have to hand-roll the format.

woodruffw avatar Jul 26 '22 14:07 woodruffw
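To make the "hand-roll the format" option concrete, here is an added example (written for this thread, not pip-audit's own code or the spdx/tools-python API) that emits an SPDX 2.3 JSON document for a pip-audit-style result set. The input shape (name, version, list of advisory ids) and the tool name in `creationInfo` are assumptions, and the advisory id in the sample data is a constructed placeholder. Since SPDX 2.x has no vulnerability or defects profile, each finding is attached to its package as an `externalRefs` entry of category `SECURITY` and type `advisory`, which is the closest mechanism the 2.3 spec offers.

```python
"""Hand-rolled SPDX 2.3 JSON emitter for pip-audit-style findings.

Added example, not pip-audit code. Assumes an audit result of
(distribution name, version, [advisory ids]) tuples.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample audit result. The advisory id is a placeholder,
# not a real PYSEC/OSV entry.
SAMPLE_RESULTS = [
    ("requests", "2.25.1", ["PYSEC-EXAMPLE-0001"]),
    ("Django_REST_framework", "3.12.0", []),
]

# SPDX identifiers may only contain [A-Za-z0-9.-] after the "SPDXRef-" prefix.
_ID_UNSAFE = re.compile(r"[^A-Za-z0-9.-]")


def spdx_id(name: str, version: str) -> str:
    """Derive a spec-conformant SPDXRef for a package@version."""
    return "SPDXRef-Package-" + _ID_UNSAFE.sub("-", f"{name}-{version}")


def purl(name: str, version: str) -> str:
    """Package URL for PyPI: names are lowercased and '_' becomes '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def package_element(name: str, version: str, advisories: list) -> dict:
    """One SPDX package with a purl ref plus one SECURITY ref per advisory."""
    refs = [{
        "referenceCategory": "PACKAGE-MANAGER",
        "referenceType": "purl",
        "referenceLocator": purl(name, version),
    }]
    for adv in advisories:
        refs.append({
            "referenceCategory": "SECURITY",
            "referenceType": "advisory",
            "referenceLocator": f"https://osv.dev/vulnerability/{adv}",
        })
    return {
        "SPDXID": spdx_id(name, version),
        "name": name,
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",  # we only know it came from an index
        "filesAnalyzed": False,
        "externalRefs": refs,
    }


def build_document(results, doc_name="pip-audit-example",
                   namespace=None, created=None) -> dict:
    """Assemble the SPDX 2.3 document; namespace/created are injectable for tests."""
    if namespace is None:
        # documentNamespace must be a globally unique URI; example.invalid is reserved.
        namespace = f"https://example.invalid/spdx/{doc_name}-{uuid.uuid4()}"
    if created is None:
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    packages = [package_element(*r) for r in results]
    relationships = [{
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relationshipType": "DESCRIBES",
        "relatedSpdxElement": p["SPDXID"],
    } for p in packages]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": namespace,
        "creationInfo": {
            "created": created,
            "creators": ["Tool: hand-rolled-spdx-example"],  # assumed tool name
        },
        "packages": packages,
        "relationships": relationships,
    }


def to_spdx_json(results, **kwargs) -> str:
    return json.dumps(build_document(results, **kwargs), indent=2)


def vulnerable_packages(doc: dict) -> list:
    """Consumer-side check: names of packages carrying a SECURITY reference."""
    return sorted(
        p["name"] for p in doc["packages"]
        if any(r["referenceCategory"] == "SECURITY" for r in p.get("externalRefs", []))
    )


if __name__ == "__main__":
    print(to_spdx_json(SAMPLE_RESULTS))
```

The `vulnerable_packages` helper shows the consumer side: downstream SPDX tooling can recover the audit findings by filtering `externalRefs` on category, without any pip-audit-specific knowledge.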

Let me ask around and do some searching too! I'll get back to you!

lumjjb avatar Jul 27 '22 14:07 lumjjb

quick question - did you manage to take a look at https://github.com/spdx/tools-python/, what are some interfaces/structures that you think are needed to make it more useful to consume the library?

(Asking this also because I'm working on the golang library :))

lumjjb avatar Jul 27 '22 14:07 lumjjb

I think I saw that repository, but might have mentally categorized it as a CLI tool rather than a Python API. But it looks like it does have a Python API, so I'll take another look, thanks!

woodruffw avatar Jul 27 '22 14:07 woodruffw

what are some interfaces/structures that you think are needed to make it more useful to consume the library?

I might be able to answer this on my own, but in case you know it immediately: where are the right models for generating a "vulnerability profile" for each dependency listed in the SBOM? I see it was standardized here: https://github.com/spdx/spdx-spec/pull/510, and I think that's what we'll need in the context of pip-audit.

woodruffw avatar Jul 27 '22 14:07 woodruffw

Ah yeah - if I'm not wrong, I think that effort was renamed to "Defects Profile", and it was for use case of reporting vulnerabilities as part of the SPDX document! https://github.com/spdx/spdx-spec/pull/733

I love your suggestion of using the profiles as ways to organize and define the interfaces! As more of the SPDX profiles get defined, this will be a great way to build up the libraries. Thank you!

lumjjb avatar Jul 27 '22 15:07 lumjjb

Circling back here: we have this scoped in another round of work, so we should be adding support relatively soon!

We still don't have a good dependency pinned down for generating these SBOMs, however.

woodruffw avatar Sep 28 '22 03:09 woodruffw

Thanks for checking back! I believe that there's on-going OpenSSF funding request for the python library: https://github.com/ossf/sbom-everywhere/issues/6

Is this something that you are participating / interested in?

lumjjb avatar Sep 28 '22 13:09 lumjjb

I think so! We have a decent amount of prior experience with SBOM generation, including contributing to other SBOM libraries for Python.

What's the best way to proceed here? Is there a specific OSSF point-of-contact that Trail of Bits should email?

woodruffw avatar Sep 28 '22 14:09 woodruffw

Have a look at SBOM4PYTHON which might do what you need. It generates both SPDX and CycloneDX SBOMs for an installed Python module and all its associated dependencies.

anthonyharrison avatar Oct 25 '22 07:10 anthonyharrison

@woodruffw sorry I missed this, I think this is the issue for the python lib funding https://github.com/ossf/sbom-everywhere/issues/6 that @joshbressers has been shepherding

lumjjb avatar Oct 25 '22 13:10 lumjjb

No problem! Thanks for the update.

And thanks for the link @anthonyharrison!

woodruffw avatar Oct 25 '22 18:10 woodruffw

I think so! We have a decent amount of prior experience with SBOM generation, including contributing to other SBOM libraries for Python.

What's the best way to proceed here? Is there a specific OSSF point-of-contact that Trail of Bits should email?

@woodruffw I've pointed Kate Stewart at this issue, she should be able to hook you up with the folks working on that SBOM library. Feel free to also follow along on the issue @lumjjb added

joshbressers avatar Oct 25 '22 23:10 joshbressers

@woodruffw - I've pointed the developers at this thread, so hopefully they'll chime in directly. There's a weekly call on Thursdays at 8:30 Pacific where we discuss next steps, etc. You're welcome to join in. Email me directly and I'll point you at details if you want to participate.

Similarly, there's https://github.com/spdx/tools-python/issues/244 where the refactoring/cleanup of the python libraries is being discussed.

kestewart avatar Oct 26 '22 15:10 kestewart

Thanks a ton @kestewart! I'm happy to join the weekly call; I'll be in contact over email.

woodruffw avatar Oct 26 '22 15:10 woodruffw