
Conversation

@sethmlarson
Collaborator

Closes #91. This moves the pip SBOM discovery machinery from the CPython repository to this repository to not require pip maintainers to update the SBOM every time, saving difficulties with backporting and a bunch of manual effort.

There will be a follow-up PR to the CPython repository removing the machinery there once this PR lands.

The SBOM diff from running this script on Python-3.12.2.tgz:

4c4
<     "created": "2024-02-06T20:56:29Z",
---
>     "created": "2024-02-09T17:13:23Z",
7c7
<       "Tool: ReleaseTools-f39e1557464bc7d14019a88cb8257545ed4104f3\n"
---
>       "Tool: ReleaseTools-a5b55c248715c96d4d5207717bc2942a10b4b99d\n"
85980,85984d85979
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-cachecontrol",
<       "relationshipType": "DEPENDS_ON",
85990,85994d85984
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-certifi",
<       "relationshipType": "DEPENDS_ON",
86000,86004d85989
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-chardet",
<       "relationshipType": "DEPENDS_ON",
86010,86014d85994
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-colorama",
<       "relationshipType": "DEPENDS_ON",
86025,86029d86004
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-distlib",
<       "relationshipType": "DEPENDS_ON",
86035,86039d86009
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-distro",
<       "relationshipType": "DEPENDS_ON",
86055,86059d86024
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-idna",
<       "relationshipType": "DEPENDS_ON",
86080,86084d86044
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-msgpack",
<       "relationshipType": "DEPENDS_ON",
86090,86094d86049
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-packaging",
<       "relationshipType": "DEPENDS_ON",
86105,86109d86059
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-platformdirs",
<       "relationshipType": "DEPENDS_ON",
86115,86119d86064
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-pygments",
<       "relationshipType": "DEPENDS_ON",
86125,86129d86069
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-pyparsing",
<       "relationshipType": "DEPENDS_ON",
86135,86139d86074
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-pyproject-hooks",
<       "relationshipType": "DEPENDS_ON",
86145,86149d86079
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-requests",
<       "relationshipType": "DEPENDS_ON",
86155,86159d86084
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-resolvelib",
<       "relationshipType": "DEPENDS_ON",
86165,86169d86089
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-rich",
<       "relationshipType": "DEPENDS_ON",
86175,86179d86094
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-setuptools",
<       "relationshipType": "DEPENDS_ON",
86185,86189d86099
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-six",
<       "relationshipType": "DEPENDS_ON",
86195,86199d86104
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-tenacity",
<       "relationshipType": "DEPENDS_ON",
86205,86209d86109
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-tomli",
<       "relationshipType": "DEPENDS_ON",
86215,86219d86114
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-truststore",
<       "relationshipType": "DEPENDS_ON",
86225,86229d86119
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-typing-extensions",
<       "relationshipType": "DEPENDS_ON",
86235,86239d86124
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-urllib3",
<       "relationshipType": "DEPENDS_ON",
86241,86245d86125
<     },
<     {
<       "relatedSpdxElement": "SPDXRef-PACKAGE-webencodings",
<       "relationshipType": "DEPENDS_ON",
<       "spdxElementId": "SPDXRef-PACKAGE-cpython"

Notice this removes all the direct relationships between CPython and pip's subpackages; this is a good thing IMO since CPython doesn't directly depend on these packages. This still lets tools like scanners discover vulnerabilities because CPython still has a dependency relationship with pip.
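As an added example that is not part of this PR or the release-tools script, the following Python shows the two mechanics discussed in this thread: reading `Misc/sbom.spdx.json` out of a source tarball (the lookup quoted in the review comments below) and pruning the direct CPython -> vendored-package `DEPENDS_ON` relationships that the diff above shows being removed, while checking that the CPython -> pip relationship survives so scanners can still reach pip's dependencies. The function names, the sample SBOM and tarball (constructed inline), and the assumption that pip's own `DEPENDS_ON` relationships are already present in the SBOM are all mine, not the project's.

```python
"""Added example: SBOM extraction from a tarball and relationship pruning.

Not the release-tools script; function names and sample data are assumptions.
"""
import io
import json
import tarfile
import typing

CPYTHON = "SPDXRef-PACKAGE-cpython"
PIP = "SPDXRef-PACKAGE-pip"
SBOM_MEMBER = "Misc/sbom.spdx.json"


def read_sbom_from_tarball(tarball_bytes: bytes, member: str = SBOM_MEMBER) -> dict[str, typing.Any]:
    """Locate the SPDX JSON document inside a source tarball and parse it.

    Members are prefixed with the release directory (e.g. Python-3.12.2/),
    so match on the path suffix rather than the exact name.
    """
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tarball:
        try:
            sbom_member = next(m for m in tarball.getmembers() if m.name.endswith("/" + member))
        except StopIteration:
            raise ValueError(f"Tarball doesn't contain an SBOM at '{member}'") from None
        sbom_bytes = tarball.extractfile(sbom_member).read()
    return json.loads(sbom_bytes)


def prune_transitive_cpython_relationships(sbom_data: dict[str, typing.Any]) -> list[str]:
    """Drop CPython -> X DEPENDS_ON edges where X is something pip depends on.

    Assumption: the SBOM already records pip's own DEPENDS_ON relationships,
    so the vendored packages stay reachable through CPython -> pip -> X.
    Returns the sorted list of removed related element IDs.
    """
    relationships = sbom_data["relationships"]
    pip_deps = {
        r["relatedSpdxElement"]
        for r in relationships
        if r["spdxElementId"] == PIP and r["relationshipType"] == "DEPENDS_ON"
    }
    removed: list[str] = []
    kept: list[dict[str, typing.Any]] = []
    for r in relationships:
        is_direct_cpython_edge = r["spdxElementId"] == CPYTHON and r["relationshipType"] == "DEPENDS_ON"
        if is_direct_cpython_edge and r["relatedSpdxElement"] in pip_deps:
            removed.append(r["relatedSpdxElement"])
            continue
        kept.append(r)
    sbom_data["relationships"] = kept
    return sorted(removed)


def cpython_still_depends_on_pip(sbom_data: dict[str, typing.Any]) -> bool:
    """Sanity check: the edge scanners rely on must not have been pruned."""
    return any(
        r["spdxElementId"] == CPYTHON
        and r["relatedSpdxElement"] == PIP
        and r["relationshipType"] == "DEPENDS_ON"
        for r in sbom_data["relationships"]
    )


def build_sample_tarball() -> bytes:
    """Constructed sample: a tiny .tar.gz holding a minimal SBOM at the expected path."""
    def edge(src: str, dst: str) -> dict[str, str]:
        return {"spdxElementId": src, "relationshipType": "DEPENDS_ON", "relatedSpdxElement": dst}

    sbom = {
        "spdxVersion": "SPDX-2.3",
        "relationships": [
            edge(CPYTHON, PIP),
            edge(CPYTHON, "SPDXRef-PACKAGE-certifi"),   # transitive via pip: should be pruned
            edge(CPYTHON, "SPDXRef-PACKAGE-urllib3"),   # transitive via pip: should be pruned
            edge(CPYTHON, "SPDXRef-PACKAGE-sample-direct-dep"),  # constructed direct dep: kept
            edge(PIP, "SPDXRef-PACKAGE-certifi"),
            edge(PIP, "SPDXRef-PACKAGE-urllib3"),
        ],
    }
    payload = json.dumps(sbom, indent=2).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("Python-3.12.2/" + SBOM_MEMBER)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    data = read_sbom_from_tarball(build_sample_tarball())
    print("removed:", prune_transitive_cpython_relationships(data))
    print("cpython -> pip kept:", cpython_still_depends_on_pip(data))
```

The pruning is keyed on pip's recorded dependencies rather than a hard-coded package list, so a package that CPython genuinely depends on directly (the constructed `sample-direct-dep` above) is left untouched even if pip later starts vendoring something with the same name pattern.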

raise ValueError(f"Couldn't fetch metadata for project '{project}' from PyPI: {e}")


def remove_pip_from_sbom(sbom_data: dict[str, typing.Any]) -> None:
Collaborator Author

I'll be able to remove this function once I remove pip from the SBOM in the CPython source code.

"Tarball doesn't contain an SBOM at 'Misc/sbom.spdx.json'"
) from None
sbom_bytes = tarball.extractfile(sbom_tarball_member).read()
sbom_data = json.loads(sbom_bytes)
Collaborator Author

Changed this variable name to match everywhere in this script.

Co-authored-by: Ezio Melotti <[email protected]>
Member

@hugovk left a comment

> There will be a follow-up PR to the CPython repository removing the machinery there once this PR lands.

And after that update https://devguide.python.org/developer-workflow/sbom/.

Successfully merging this pull request may close these issues.

Move pip SBOM discovery to release-tools repository