Comments (8)
Hey @rjb4standards, thanks for opening this issue.
The SBOM that's checked in to source control isn't the complete SBOM for CPython; it only tracks the metadata of bundled dependencies. The complete SBOM is assembled during the build and release process. You can download them from the release pages of 3.12.2 and onwards (click on the "SPDX" in the table). For example, the SBOM for the Python-3.12.3.tgz tarball is here.
Perfect - this SBOM works fine. I have created a baseline Vulnerability Disclosure Report for this SBOM, based on the open source SBOM VDR schema: https://github.com/rjb4standards/REA-Products/blob/master/SAGVulnDisclosure.xsd
NOTE: I advise following the NTIA framing "convention" and making CPython the "primary component" (first component in the SBOM).
The current SBOM indicates that cachecontrol is the primary component; see the attached VDR for more details:
"ProductName": "cachecontrol",
"ProductVersion": "0.13.1",
pythonVDR.json
cc @sethmlarson
@sethmlarson feel free to reach out, I am one of the co-authors of the SPDX V 2.3 spec.
https://spdx.github.io/spdx-spec/v2.3/
Dick Brooks
Here is an example SPDX V 2.3 SBOM that passes the online validation test: SAG-PM_SBOM_V1_2_3.json
Glad that worked for you @rjb4standards. The CPython SBOM uses the "DESCRIBES" relationship to indicate that the primary component is the CPython package. Is there another way that we should be indicating the primary package? I wasn't able to find a reference for the ordering of the packages field having meaning in an SBOM.
@sethmlarson the NTIA SBOM Framing document recommends that the first component in the SBOM is the primary component (product name). This approach works for both CycloneDX and SPDX - see page 8 and section 4.2 regarding "primary component":
https://www.ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf
Knowing that the first component is the "product" makes it easier on those of us writing SBOM parsing tools - this eliminates the nuance of knowing each SBOM format's specific approach.
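The two conventions discussed in this thread (the SPDX `DESCRIBES` relationship from the document element, and the NTIA framing habit of listing the primary component first) can disagree, which is exactly what the posted VDR showed. The following is an added example, not code from CPython or from either commenter; it parses a constructed SPDX 2.3 JSON document (not CPython's real SBOM), resolves the primary component via `DESCRIBES`, reports whether the first-package convention agrees, and produces a copy reordered so that both conventions point at the same package. Package names, SPDXIDs and versions in the sample are made up for illustration.

```python
import json
from typing import Dict, List, Optional

# Constructed SPDX 2.3 document (not CPython's real SBOM). It mirrors the
# situation in the thread: the document DESCRIBES CPython, but a bundled
# dependency happens to appear first in the "packages" list.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/sbom/example",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [
        {"name": "cachecontrol", "SPDXID": "SPDXRef-PACKAGE-cachecontrol",
         "versionInfo": "0.13.1", "downloadLocation": "NOASSERTION"},
        {"name": "CPython", "SPDXID": "SPDXRef-PACKAGE-cpython",
         "versionInfo": "3.12.3", "downloadLocation": "NOASSERTION"},
        {"name": "pip", "SPDXID": "SPDXRef-PACKAGE-pip",
         "versionInfo": "24.0", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-PACKAGE-cpython"},
        {"spdxElementId": "SPDXRef-PACKAGE-cpython", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-PACKAGE-cachecontrol"},
        {"spdxElementId": "SPDXRef-PACKAGE-cpython", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-PACKAGE-pip"},
    ],
})


def load(text: str) -> Dict:
    """Parse an SPDX JSON document from text."""
    return json.loads(text)


def described_packages(doc: Dict) -> List[str]:
    """SPDXIDs that the document element DESCRIBES: SPDX's way of marking the primary component."""
    doc_id = doc["SPDXID"]
    return [
        r["relatedSpdxElement"]
        for r in doc.get("relationships", [])
        if r.get("relationshipType") == "DESCRIBES" and r.get("spdxElementId") == doc_id
    ]


def first_package_id(doc: Dict) -> Optional[str]:
    """SPDXID of the first entry in 'packages' (the NTIA framing convention)."""
    pkgs = doc.get("packages", [])
    return pkgs[0]["SPDXID"] if pkgs else None


def primary_component(doc: Dict) -> Dict:
    """Resolve the primary component by DESCRIBES and say whether 'first package' agrees.

    Raises ValueError when the document does not DESCRIBE exactly one listed package,
    since a consumer then has no unambiguous primary component to attach a VDR to.
    """
    described = described_packages(doc)
    by_id = {p["SPDXID"]: p for p in doc.get("packages", [])}
    if len(described) != 1 or described[0] not in by_id:
        raise ValueError(f"expected exactly one DESCRIBES target among packages, got {described}")
    primary = by_id[described[0]]
    return {
        "name": primary["name"],
        "version": primary.get("versionInfo"),
        "spdx_id": primary["SPDXID"],
        "is_first_package": first_package_id(doc) == primary["SPDXID"],
    }


def reorder_primary_first(doc: Dict) -> Dict:
    """Return a copy whose 'packages' list starts with the DESCRIBES target.

    The sort is stable and keyed only on 'is this the primary', so every other
    package keeps its original relative order; relationships are untouched.
    """
    info = primary_component(doc)
    pkgs = list(doc.get("packages", []))
    pkgs.sort(key=lambda p: p["SPDXID"] != info["spdx_id"])
    out = dict(doc)
    out["packages"] = pkgs
    return out


if __name__ == "__main__":
    sbom = load(SAMPLE_SBOM)
    print("as shipped:", primary_component(sbom))
    print("reordered: ", primary_component(reorder_primary_first(sbom)))
```

A parser that keys off `DESCRIBES` is robust to either ordering, while emitting the primary package first costs the producer nothing; doing both keeps tools following either convention in agreement.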