SBOM invalid in https://github.com/python/cpython/blob/main/Misc/sbom.spdx.json about cpython HOT 8 OPEN

Hey @rjb4standards, thanks for opening this issue.

The SBOM that's checked-in to source control isn't the complete SBOM for CPython, it only tracks the metadata of bundled dependencies. The complete SBOM is assembled during the build and release process. You can download them from the release pages of 3.12.2 and onwards (click on the "SPDX" in the table). For example, the SBOM for the Python-3.12.3.tgz tarball is here.

from cpython.

Perfect - this SBOM works fine. I have created a baseline Vulnerability Disclosure Report for this SBOM, based on the open source SBOM VDR schema; https://github.com/rjb4standards/REA-Products/blob/master/SAGVulnDisclosure.xsd

NOTE: I advise following the NTIA framing "convention" and make CPython the "primary component" (first component in SBOM) .
The current SBOM indicates that cachecontrol is the primary component see attached VDR for more details:
"ProductName": "cachecontrol",
"ProductVersion": "0.13.1",
pythonVDR.json

from cpython.

cc @sethmlarson

from cpython.

@sethmlarson feel free to reach out, I am one of the co-authors of the SPDX V 2.3 spec.
https://spdx.github.io/spdx-spec/v2.3/

Dick Brooks

from cpython.

Here
SAG-PM_SBOM_V1_2_3.json
is an example SPDX V 2.3 SBOM that passes the online validation test:

from cpython.

Glad that worked for you @rjb4standards. The CPython SBOM uses the "DESCRIBES" relationship to indicate the primary component to be the CPython package, is there another way that we should be indicating the primary package? I wasn't able to find a reference for the ordering of the packages field having meaning in an SBOM.

from cpython.

@sethmlarson the NTIA SBOM Framing document recommends that the first component in the SBOM is the primary component (product name), this approach works for both CycloneDX and SPDX - see page 8 and section 4.2 regarding "primary component"

https://www.ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf

from cpython.

Knowing that the first component is the "product" makes it easier on those of us writing SBOM parsing tools - this eliminates the nuance of knowing each SBOM format's specific approach.

from cpython.