Native SBOM Export support #11693
Comments
This comment has been minimized.
This comment has been minimized.
|
Thanks Nils, the first question I have, should the integration of an external Golang dependency (Like Anchore Syft) could be an option ? I don't think it is a good option anyway. Otherwise other PHP-based options to look into are:
|
|
@fredden yes, sorry made this in a hurry just to have a reference point, updated the issue now. |
|
@paolomainardi Adding a golang dependency is definitely not an option. Those two you mention would have been my starting point too. Question is a bit if we want to/need to pick one or if we want to support multiple options? |
|
For the third-party Golang binary, it's agreeable and understandable; I just wanted to be sure before getting out the idea from the table. That was my question, too; binding to only CycloneDX or SPDX is limiting and opinionated. The best would be having a way to choose your preferred format from the most used ones, with the downside of maintaining ideally much more code. Before considering a custom solution, I would like to dive deep into Syft/Trivy/BOM to understand how they solved this issue. I can do that and come back with some findings. |
|
https://github.com/composer/spdx-licenses is not a SBOM solution at all. It is a validator for SPDX license identifiers (which is already used inside composer, which is the reason why it was created in the first place). |
|
Ok thanks for clarifying @stof |
|
👋 Hi there,
Just read how https://github.com/CycloneDX/cyclonedx-php-composer works. It is a plugin for composer that utilizes composer's internals. Previous feature requests for native SBOM support in |
|
Ok thanks @jkowalleck I will reach out to you soon, thanks. The question was mostly related to how support multiple formats, like the other tools I mentioned above and how they handle (if they) convert from/to different formats. |
|
@naderman as you're asking for the format and native is in the title, the file format should be JSON Text based as the rest in Composer. And what would be useful is to seal the project incl. vendor as otherwise an SBOM would not make much sense as being only volatile and temporal, not manifested. Which makes me thinking: It could be part of the lock file as it contains already a "bill of materials" and then an SBOM would be from that transaction. That would indeed be a benefit of being native in Composer, as it could be made part of the update process and taking care of the vendor folder remains the obligation of the user (as well as taking care of the lock file itself etc.), so no overhead of sealing it etc. natively in Composer, as it is not needed. Once solved per a root project, it could be made reciprocal and then each composer.json can ship with their bill and per each vendor folder, the information collected. So there could be for package authors an option to commit/export the SBOM from the lock file to the composer.json file for publishing. Just my 2 cents. |
|
Dependencies don't have a lock file (nor a vendor folder) |
|
After an initial round of testing within Box, I think:
SBOMFactory::generate(
CycloneDXVersion $version,
CycloneDXFormat $format,
array $decodedComposerJsonContent,
?array $decodedComposerLockContent, // May not be present, e.g. if skipped
array $composerInstalledPhpContent, // May not be present if deps are not installed; but I don't think you can have a reliable SBOM without
): string { ... };
|
Whatever you are referring to, this is just wrong. The https://github.com/CycloneDX/cyclonedx-php-composer does NOT offer any public API. It offers a CLI and nothing more, no API. |
|
@jkowalleck sorry, honestly I don't know what's your beef, I'm trying to provide helpful feedback, maybe stop a bit with "no this is wrong/hijicking" kind of attitude? I am not as organised or I sometimes struggle to articulate my thoughts, apologies for it. But also that's just who I am, no need to be aggressive or take it as if I purposely do this to rub you off the wrong way. And at some point, you can also take the feedback and re-organise it to fit your standards. If you can't, then let's please ignore each other for both of our sake, it's draining on me too. On your comment regarding the package, then let's me scratch:
To: I find the consumer API offered by https://github.com/CycloneDX/cyclonedx-php-composer inadequate for the purpose of integrating CycloneDX within Composer†/Box/other third party††. †: I have no authority there, it is only my opinion given my limited knowledge of how Composer works. What I think would help is the following API (same as suggested above): SBOMFactory::generate(
CycloneDXVersion $version,
CycloneDXFormat $format,
array $decodedComposerJsonContent,
?array $decodedComposerLockContent, // May not be present, e.g. if skipped
array $composerInstalledPhpContent, // May not be present if deps are not installed; but I don't think you can have a reliable SBOM without
): string { ... };It could be an interface, doesn't need to be static... This is details, I think the above captures well enough the intent and need. Given such a package exposing this API, then be it Composer/Box or even the current https://github.com/CycloneDX/cyclonedx-php-composer, would IMO be easier. |
|
@theofidry, I very sorry, I did not mean to offend you personally. I am sure you had the best intention with your post, and you will find my reaction purely and fact-based, focussing on the idea and not on the person that wrote it. (for example, I wrote "this is just wrong", not "you are just wrong"). If my language sound rude to your ears, this might be because English is a pidgin language for me. I am no native speaker.
Which one? Could we please stop talking about utilizing https://github.com/CycloneDX/cyclonedx-php-composer in the first place? This is no personal offense: Since we are all here to improve Based on analysis of
The previous mentioned edge cases exist. @theofidry, could you take Question to all: what are your expectations on the SBOM idea here? |
|
Just a few thoughts here:
|
|
@jkowalleck maybe I too thinks too much to the heart as well, as there was no ill intent, I apologize as well and let's move forward with this project!
I think for the most part, if the SBOM is dumped alongside the In the case of PHARs specifically (generated by Box or not), which remains today a very popular method to distribute PHP CLI applications, it will also likely be good enough for most scenarios.
I think the answer largely depends on the answer to this question: if a bundling tool, in our case a PHAR bundler such as Box or Autoload, adds pieces of their own code to the built and distributed PHAR, are they required to have an entry in the SBOM? If yes to what degree? For context, it is very common for a PHAR bundler to ship their own stub as the PHP default one is really bad. And in the case of Box there it goes further by adding its own (tiny and lightweight) application, the requirement checker, to improve the UX when the environment used fail to meet the requirements to execute the application bundled in the PHAR. Otherwise, Box largely rely on the project to be a Composer project and for non Composer projects, or cases where the Composer files are removed, there is already extension points to manage it so I would say it falls under the responsibility of the user. |
I cannot speak for others, but my aforementioned Autoload Project - as the name suggests - merely adds an autoloader as the stub when building a phar. Apart from that the tool needs some major refactoring it doesn't add anything else. While of course technically code, to me a map based autoloader is more a configuration than anything else. And it would be almost identical when not using a phar but my tool to generate the runtime map. On the other hand: Do we consider the composer generated autoloader as something that needs to be represented in SBOMs? If so, we need to add some sort of entry for either. If not, there is nothing Autoload adds to the package. |
Probably, but what constitutes SBOM requirements differs greatly between projects and companies. In general a Composer package (whatever a package is) often is a PHP package and PHP is based on script files (apart from the binaries), therefore 100% path coverage looks legit to me. But I also know that such requirements differ and I can imagine for some projects it's enough if the SBOM is a listing of the packages only (again, whatever a package is) and everything else, including Composer, implicit and not required. Maybe project maintainers that already have SBOM requirements can chime in and share some feedback from existing practice and tell their requirements are, how those evolved, the rationale behind and how they understand their practice and recommendations from lived practice? Perhaps the Fossology project now being a Composer project for quite some time already has such requirements and can share on that specifically? Just my 2 cents. |
|
I didn't have much time last week, but I plan to get aligned on the progress you discuss here in the next few days. In the meantime, could this library https://github.com/CycloneDX/cyclonedx-php-library serve as a starting point for building a native solution? UPDATE: I don't think so, it requires PHP >= 8.1 and as @Seldaek we have to support from 7.2 on. |
|
@paolomainardi I would still suggest to use the library as a starting point. It probably will help out to flesh out the requirements and the DX desired. |
|
the library includes schema validators that you might utilize during your own development processes. |
Composer should have a built in command to export an SBOM (Software Bill of Materials). Need to still work out what format(s) to support and what kind of options may be necessary to make this useful.
The text was updated successfully, but these errors were encountered: