Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gh-113257: Automatically generate pip SBOM metadata from wheel #113295

Merged
merged 2 commits into from Dec 20, 2023
Merged

gh-113257: Automatically generate pip SBOM metadata from wheel #113295

merged 2 commits into from Dec 20, 2023

Conversation

sethmlarson
Copy link
Contributor

@sethmlarson sethmlarson commented Dec 19, 2023
edited by bedevere-app bot

Part of #112302
Closes #113257

This came up during #113249, basically we can actually automate pip's SBOM metadata because it's a part of a packaging ecosystem unlike most of the other dependencies in CPython's source tree.

@bedevere-app bedevere-app bot mentioned this pull request Dec 19, 2023
Closed
@sethmlarson
Copy link
Contributor Author

This PR also fixes a bit of pip metadata, the SHA256 value for the package downloadLocation wasn't updated. I should add some automation to check those values match as well.

hugovk
hugovk reviewed Dec 20, 2023
View reviewed changes
Tools/build/generate_sbom.py Outdated Show resolved Hide resolved
Tools/build/generate_sbom.py Outdated Show resolved Hide resolved
Tools/build/generate_sbom.py Show resolved Hide resolved
Tools/build/generate_sbom.py Outdated Show resolved Hide resolved
Misc/sbom.spdx.json Show resolved Hide resolved
Tools/build/generate_sbom.py Show resolved Hide resolved
@sethmlarson @hugovk
Use sys.exit(), remove unnecessary global for CPYTHON_ROOT_DIR
5f33b38 
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
@sethmlarson
Copy link
Contributor Author

Thanks @hugovk, I've applied your suggestions in 5f33b38

hugovk
hugovk approved these changes Dec 20, 2023
View reviewed changes
Copy link
Member

@hugovk hugovk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@hugovk hugovk enabled auto-merge (squash) December 20, 2023 17:03
@hugovk hugovk merged commit b221e03 into python:main Dec 20, 2023
37 checks passed
@sethmlarson sethmlarson deleted the pip-sbom-auto branch December 20, 2023 17:58
@sethmlarson sethmlarson mentioned this pull request Dec 20, 2023
Merged
ryan-duve pushed a commit to ryan-duve/cpython that referenced this pull request Dec 26, 2023
@sethmlarson @hugovk @ryan-duve
pythongh-113257: Automatically generate pip SBOM metadata from wheel (p…
924c0eb 
…ython#113295)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
kulikjak pushed a commit to kulikjak/cpython that referenced this pull request Jan 22, 2024
@sethmlarson @hugovk @kulikjak
pythongh-113257: Automatically generate pip SBOM metadata from wheel (p…
da0d998 
…ython#113295)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
aisk pushed a commit to aisk/cpython that referenced this pull request Feb 11, 2024
@sethmlarson @hugovk @aisk
pythongh-113257: Automatically generate pip SBOM metadata from wheel (p…
7d75add 
…ython#113295)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hugovk hugovk hugovk approved these changes

Assignees
No one assigned
Labels
skip news
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Automate pip's SBOM package entry
2 participants
@sethmlarson @hugovk