sethmlarson/cpython-sbom


Software Bill-of-Materials for CPython

Project for generating a Software Bill-of-Materials (SBOM) for CPython release artifacts like source tarballs and binary installers.

SBOMs that have been generated by this script are available in the sboms/ directory.

Warning: This project is a work-in-progress and this repository isn't the final canonical location for Software Bill-of-Materials documentation for CPython.

Process

  • Determine the minimum elements of an SBOM from recommendations by downstream consumers:

    • NTIA Minimum Elements of an SBOM
      • Supplier Name
      • Component Name
      • Version of Component
      • Other Unique Identifiers
      • Dependency Relationship
      • Author of SBOM Data
      • Timestamp
    • SPDX Minimum Elements (how the NTIA Minimum Elements map onto SPDX 2.3 fields)
      • PackageSupplier
      • PackageName
      • PackageVersion
      • DocumentNamespace, SPDXID
      • Relationship (CONTAINS)
      • Creator (of the SBOM)
      • Created
    • Other mandatory SPDX 2.3 fields
      • SPDXVersion
      • DataLicense
      • SPDXID (for Document)
      • DocumentName
      • PackageDownloadLocation
      • FilesAnalyzed
      • Relationship (SPDXRef-DOCUMENT DESCRIBES primary package)
  • Determine the recommended elements of an SBOM:

  • Find projects/files of interest that are bundled along with CPython source tarball:

    • curl https://www.python.org/ftp/python/3.11.5/Python-3.11.5.tgz -o Python-3.11.5.tgz
    • tar -xzvf Python-3.11.5.tgz
    • find . -regex '.*/\(README\|LICEN[SC]\|COPYING\|NOTICE\).*' >> files-of-interest.txt (the bracket expression must not be backslash-escaped, otherwise find's regex matches the literal text "[SC]" and no LICENSE/LICENCE files are found)
    • grep 'license' -ilR . >> files-of-interest.txt
    • sort files-of-interest.txt | uniq (plain uniq de-duplicates; uniq -u would instead drop every file that both find and grep reported, which are exactly the most interesting ones)
  • Categorize each file of interest by whether it belongs to a component that is maintained and released outside CPython (vendored third-party code) rather than to CPython itself. Take note of every such component, its version, and where it was obtained from; these occurrences are captured programmatically in build-sbom.py.
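The following is an added example for this README, not build-sbom.py or any other code from the project: it assembles the fields listed under the NTIA and SPDX minimum elements above into an SPDX 2.3 JSON document for one primary package and its bundled components, and then checks the result for those minimum elements (including the DESCRIBES and CONTAINS relationships). The component names, versions, suppliers, package URLs, the document namespace host and the "Tool:" creator string are constructed for illustration and are not CPython's real inventory.

```python
# Added example: minimal SPDX 2.3 JSON SBOM with the NTIA minimum elements.
# Not build-sbom.py; all component data below is constructed/hypothetical.
import json
import re
from datetime import datetime, timezone

# Constructed input: the primary package and two components that would be
# found bundled in its source tarball. Versions and suppliers are hypothetical.
PRIMARY = {
    "name": "CPython", "version": "3.11.5",
    "supplier": "Organization: Python Software Foundation",
    "downloadLocation": "https://www.python.org/ftp/python/3.11.5/Python-3.11.5.tgz",
    "purl": "pkg:generic/cpython@3.11.5",
}
BUNDLED = [
    {"name": "expat", "version": "2.5.0", "supplier": "Organization: Expat project",
     "downloadLocation": "NOASSERTION", "purl": "pkg:generic/expat@2.5.0"},
    {"name": "libmpdec", "version": "2.5.1", "supplier": "Organization: mpdecimal project",
     "downloadLocation": "NOASSERTION", "purl": "pkg:generic/mpdecimal@2.5.1"},
]

# Mandatory SPDX 2.3 document fields and the per-package fields the NTIA list needs.
DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace",
              "creationInfo", "packages", "relationships")
PKG_FIELDS = ("name", "SPDXID", "versionInfo", "supplier", "downloadLocation", "filesAnalyzed")


def spdx_id(name):
    """SPDX IDs may only contain letters, digits, '.' and '-' after the prefix."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def package_entry(comp):
    entry = {
        "name": comp["name"], "SPDXID": spdx_id(comp["name"]),
        "versionInfo": comp["version"], "supplier": comp["supplier"],
        "downloadLocation": comp["downloadLocation"],  # or NOASSERTION if unknown
        "filesAnalyzed": False,  # no per-file checksums in this document
    }
    if comp.get("purl"):  # "Other Unique Identifiers": a package URL
        entry["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                  "referenceType": "purl", "referenceLocator": comp["purl"]}]
    return entry


def build_sbom(primary, bundled, created=None):
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    primary_id = spdx_id(primary["name"])
    rels = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": primary_id}]
    rels += [{"spdxElementId": primary_id, "relationshipType": "CONTAINS",
              "relatedSpdxElement": spdx_id(c["name"])} for c in bundled]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",  # SPDX mandates CC0-1.0 for the document's own data
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{primary['name']}-{primary['version']}",
        # Must be a URI unique to this document; the host here is hypothetical.
        "documentNamespace": f"https://sbom.example.invalid/{primary['name']}/{primary['version']}/{created}",
        "creationInfo": {"created": created, "creators": ["Tool: sbom-example"]},
        "packages": [package_entry(primary)] + [package_entry(c) for c in bundled],
        "relationships": rels,
    }


def check_minimum_elements(doc):
    """Return a list of problems; an empty list means every minimum element is present."""
    problems = [f"document missing {f}" for f in DOC_FIELDS if f not in doc]
    info = doc.get("creationInfo", {})
    problems += [f"creationInfo.{f} missing" for f in ("creators", "created") if not info.get(f)]
    if doc.get("dataLicense") != "CC0-1.0":
        problems.append("dataLicense must be CC0-1.0")
    ids = {"SPDXRef-DOCUMENT"}
    for pkg in doc.get("packages", []):
        problems += [f"package {pkg.get('name')} missing {f}" for f in PKG_FIELDS if f not in pkg]
        sid = pkg.get("SPDXID")
        if sid in ids:
            problems.append(f"duplicate SPDXID {sid}")
        ids.add(sid)
    rels = doc.get("relationships", [])
    described = {r["relatedSpdxElement"] for r in rels
                 if r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES"}
    if not described:
        problems.append("no SPDXRef-DOCUMENT DESCRIBES relationship")
    contained = {r["relatedSpdxElement"] for r in rels if r["relationshipType"] == "CONTAINS"}
    # Every other package must hang off the tree, or its dependency relationship is missing.
    for sid in sorted(filter(None, ids - {"SPDXRef-DOCUMENT"} - described)):
        if sid not in contained:
            problems.append(f"{sid} has no dependency relationship (not a DESCRIBES/CONTAINS target)")
    for r in rels:
        problems += [f"relationship references unknown element {end}"
                     for end in (r["spdxElementId"], r["relatedSpdxElement"]) if end not in ids]
    return problems


if __name__ == "__main__":
    sbom = build_sbom(PRIMARY, BUNDLED)
    assert not check_minimum_elements(sbom)
    print(json.dumps(sbom, indent=2))
```

Running the module prints the JSON document; `check_minimum_elements` is the part worth keeping around, since it catches the two mistakes that most often make an SBOM useless to downstream consumers: a package with no supplier or version, and a package that is listed but never connected to the primary package by a CONTAINS relationship.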

License

CC0-1.0