Early Promising Results With SBOMs And Python Packages

From SuPeRBE Wiki, revision as of 12:52, 8 December 2025 by ColetteBautista.


I've kicked off a project to reduce the "phantom dependency" problem for Python: software written in another language (Rust, etc.) is included in a Python package but then isn't recorded anywhere in the package metadata. It's not that these distinct pieces of software go unrecorded because of lack of time or awareness; there is simply no standardized method to record this information in Python package metadata. This means that when a software composition analysis (SCA) tool looks at the Python package, the tool will "miss" all the software that's included in the package aside from the top-level package itself. Syft isn't able to find any of the compiled libraries! So if we were to run a vulnerability scanner we would only receive vulnerability records for Pillow and pip.

My plan is to help fix this problem with Software Bill-of-Materials documents (SBOMs) included in a standardized way inside of Python packages:

1. For each shared library which is being bundled into a wheel, record the original file path and checksum.
2. Bundle the shared libraries into the wheel as normal.
3. Using the platform-specific package manager, query each file path back to the package that provides the file (the build image used here is based on AlmaLinux 8, so the package manager is rpm).
4. For each package, create the intrinsic "package URL" (PURL) software identifier for later use. This includes information about the packaging format, package name and version, but also the distro and architecture.
5. Generate a CycloneDX SBOM file containing the above gathered information, split into components and with relationship links between the top-level component (Pillow) and the bundled libraries.
6. Embed that generated SBOM file into the wheel.

So now we have a wheel file that contains an SBOM partially describing its contents. Woo hoo! Now the proper libraries are showing up in Syft. That means we'll be able to get vulnerability information for all the contained software components.

This isn't the end, there are many many MANY ways that software ends up in a Python package. This quick validation test only shows that even with today's SBOM and SCA tools, embedding SBOM documents into wheels can be useful for downstream tools. Onwards to even more!

If you're interested in this project, follow the repository on GitHub and participate in the kick-off discussion on Python Discourse. If you're interested in more you can read the last report.
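Here is what those six steps look like end to end, as an added example that is not the project's own code: constructed sample data stands in for the bundling step's records (path plus SHA-256) and for the output of `rpm -qf` on an AlmaLinux 8 host, the script builds rpm PURLs and a CycloneDX document with a dependency edge from the top-level component to each providing package, and then embeds the document in a constructed minimal wheel while appending its RECORD entry. The `sboms/` directory inside `.dist-info`, the `bundled.cdx.json` filename, the `almalinux-8` distro qualifier and the Pillow version `0.0.0` are assumptions made for the example.

```python
"""Added example (not the project's code): build a CycloneDX SBOM for shared
libraries bundled into a wheel and embed it in the wheel's .dist-info dir."""
import base64
import hashlib
import io
import json
import zipfile

# Constructed sample: the bundling step records, per copied shared library,
# its original path on the build host and its SHA-256. The library bytes are
# fake; digests are computed from them so the example is self-consistent.
FAKE_LIB_BYTES = {
    "/usr/lib64/libjpeg.so.62.3.0": b"fake libjpeg-turbo ELF",
    "/usr/lib64/libz.so.1.2.11": b"fake zlib ELF",
}
BUNDLED_LIBS = [
    {"path": p, "sha256": hashlib.sha256(b).hexdigest()}
    for p, b in FAKE_LIB_BYTES.items()
]

# Constructed stand-in for running, on the AlmaLinux 8 build host,
#   rpm -qf --queryformat '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n' <path>
# once per path. A real build would call subprocess.run on that command.
RPM_QUERY_OUTPUT = {
    "/usr/lib64/libjpeg.so.62.3.0": "libjpeg-turbo 2.0.90 3.el8 x86_64",
    "/usr/lib64/libz.so.1.2.11": "zlib 1.2.11 25.el8 x86_64",
}


def parse_rpm_query(line):
    """Split one line of the rpm query output into its four fields."""
    name, version, release, arch = line.split()
    return {"name": name, "version": version, "release": release, "arch": arch}


def rpm_purl(pkg, distro="almalinux-8"):
    """Build an rpm-type package URL: vendor namespace, name@version-release,
    plus arch and distro qualifiers. 'almalinux-8' is an assumed qualifier."""
    return (f"pkg:rpm/almalinux/{pkg['name']}@{pkg['version']}-{pkg['release']}"
            f"?arch={pkg['arch']}&distro={distro}")


def build_sbom(top_name, top_version, bundled, query_output):
    """Return a CycloneDX 1.5 document (as a dict). Each providing package is
    one component, nesting the bundled files it contributed (with their
    checksums); the top-level component depends on every such package."""
    top_ref = f"pkg:pypi/{top_name.lower()}@{top_version}"
    packages = {}  # purl -> component, so two files from one rpm share a node
    for lib in bundled:
        pkg = parse_rpm_query(query_output[lib["path"]])
        purl = rpm_purl(pkg)
        comp = packages.setdefault(purl, {
            "type": "library", "bom-ref": purl, "name": pkg["name"],
            "version": f"{pkg['version']}-{pkg['release']}", "purl": purl,
            "components": [],
        })
        comp["components"].append({
            "type": "file", "name": lib["path"],
            "hashes": [{"alg": "SHA-256", "content": lib["sha256"]}],
        })
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "library", "bom-ref": top_ref,
                                   "name": top_name, "version": top_version,
                                   "purl": top_ref}},
        "components": list(packages.values()),
        "dependencies": [{"ref": top_ref, "dependsOn": list(packages)}],
    }


def record_line(name, data):
    """One RECORD entry: path,sha256=<urlsafe base64 without padding>,size."""
    digest = base64.urlsafe_b64encode(hashlib.sha256(data).digest())
    return f"{name},sha256={digest.rstrip(b'=').decode()},{len(data)}"


def make_sample_wheel(dist_info):
    """Constructed minimal wheel: a zip holding METADATA and a RECORD."""
    files = {f"{dist_info}/METADATA": b"Metadata-Version: 2.1\nName: Pillow\n"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        record = "\n".join(record_line(n, d) for n, d in files.items())
        zf.writestr(f"{dist_info}/RECORD", record + f"\n{dist_info}/RECORD,,\n")
    return buf.getvalue()


def embed_sbom(wheel_bytes, dist_info, sbom, filename="bundled.cdx.json"):
    """Copy the wheel, adding the SBOM under <dist_info>/sboms/ (assumed
    location) and appending its RECORD entry so installers still verify."""
    sbom_name = f"{dist_info}/sboms/{filename}"
    sbom_data = json.dumps(sbom, indent=2, sort_keys=True).encode()
    src, out = zipfile.ZipFile(io.BytesIO(wheel_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == f"{dist_info}/RECORD":
                data = (data.rstrip(b"\n") + b"\n"
                        + record_line(sbom_name, sbom_data).encode() + b"\n")
            dst.writestr(info, data)
        dst.writestr(sbom_name, sbom_data)
    return out.getvalue()


def read_wheel_file(wheel_bytes, name):
    """Read one member out of a wheel (what a scanner like Syft would do)."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    DIST_INFO = "pillow-0.0.0.dist-info"  # version is a placeholder
    doc = build_sbom("Pillow", "0.0.0", BUNDLED_LIBS, RPM_QUERY_OUTPUT)
    wheel = embed_sbom(make_sample_wheel(DIST_INFO), DIST_INFO, doc)
    print(read_wheel_file(wheel, f"{DIST_INFO}/sboms/bundled.cdx.json").decode())
```

Two choices worth noting: packages are keyed by PURL so several files from one rpm collapse into a single component (a scanner wants one vulnerability match per package, not per file), and the RECORD file is rewritten rather than left stale, since a wheel whose RECORD omits a member fails installer verification.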


