Project for generating a Software Bill-of-Materials (SBOM) for CPython release artifacts like source tarballs and binary installers.
SBOMs that have been generated by this script are available in the sboms/ directory.
> **Warning:** This project is a work-in-progress and this repository isn't the final canonical location for Software Bill-of-Materials documentation for CPython.
- Determine the minimum elements of an SBOM from recommendations by downstream consumers:
  - NTIA Minimum Elements of an SBOM
    - Supplier Name
    - Component Name
    - Version of Component
    - Other Unique Identifiers
    - Dependency Relationship
    - Author of SBOM Data
    - Timestamp
  - SPDX Minimum Elements (how the NTIA Minimum Elements map to SPDX 2.3)

    | NTIA Minimum Element | SPDX 2.3 field |
    |---|---|
    | Supplier Name | PackageSupplier |
    | Component Name | PackageName |
    | Version of Component | PackageVersion |
    | Other Unique Identifiers | DocumentNamespace, SPDXID |
    | Dependency Relationship | Relationship (CONTAINS) |
    | Author of SBOM Data | Creator (of the SBOM) |
    | Timestamp | Created |

  - Other mandatory SPDX 2.3 fields
    - SPDXVersion
    - DataLicense
    - SPDXID (for Document)
    - DocumentName
    - PackageDownloadLocation
    - FilesAnalyzed
    - Relationship (SPDXRef-DOCUMENT DESCRIBES primary package)
- Determine the recommended elements of an SBOM:
  - NTIA Minimum Elements of an SBOM
    - Hash of component
    - Lifecycle Phase
    - Other Component Relationships
    - License information
- Find projects/files of interest that are bundled along with the CPython source tarball:

  ```shell
  curl https://www.python.org/ftp/python/3.11.5/Python-3.11.5.tgz -o Python-3.11.5.tgz
  tar -xzvf Python-3.11.5.tgz
  # Paths whose basename starts with README, LICENSE/LICENCE, COPYING or NOTICE.
  # ([SC] is a character class; escaping the brackets would match a literal "[SC]".)
  find Python-3.11.5 -regex '.*/\(README\|LICEN[SC]\|COPYING\|NOTICE\).*' >> files-of-interest.txt
  # Files that mention a license anywhere in their contents (case-insensitive).
  grep -ilR 'license' Python-3.11.5 >> files-of-interest.txt
  # Deduplicate: a file matched by both commands above should appear once, not be dropped.
  sort files-of-interest.txt | uniq
  ```
- Categorize all the files of interest based on whether there is a component that's sourced differently than CPython. Take note of all of these occurrences. These are captured programmatically in build-sbom.py.
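The following is an added example, not build-sbom.py or any other code from this repository: it emits an SPDX 2.3 JSON document carrying the mandatory fields and the NTIA-to-SPDX mapping listed above, and checks a document for missing NTIA minimum elements. The component records, the `bundled-lib` name, the namespace URI and the creator string are constructed placeholders.

```python
# Component records constructed for this example; they are not CPython's real SBOM data.
CPYTHON = {"name": "CPython", "version": "3.11.5",
           "supplier": "Organization: Python Software Foundation",
           "download": "https://www.python.org/ftp/python/3.11.5/Python-3.11.5.tgz"}
BUNDLED = [{"name": "bundled-lib", "version": "1.0.0",  # placeholder for a vendored component
            "supplier": "Organization: Example Upstream", "download": "NOASSERTION"}]

def make_package(spdx_id, comp):
    """Map one component onto the SPDX 2.3 package fields behind the NTIA elements."""
    return {"SPDXID": spdx_id,                     # Other Unique Identifiers
            "name": comp["name"],                  # Component Name
            "versionInfo": comp["version"],        # Version of Component
            "supplier": comp["supplier"],          # Supplier Name
            "downloadLocation": comp["download"],  # mandatory in SPDX 2.3
            "filesAnalyzed": False}                # mandatory in SPDX 2.3

def build_sbom(primary, bundled, created="2023-09-01T00:00:00Z"):
    """SPDX 2.3 JSON: DOCUMENT DESCRIBES the primary package, which CONTAINS each bundled one."""
    primary_id = "SPDXRef-PACKAGE-" + primary["name"]
    packages = [make_package(primary_id, primary)]
    rels = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": primary_id}]
    for comp in bundled:
        comp_id = "SPDXRef-PACKAGE-" + comp["name"]
        packages.append(make_package(comp_id, comp))
        rels.append({"spdxElementId": primary_id, "relationshipType": "CONTAINS",
                     "relatedSpdxElement": comp_id})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": f"{primary['name']}-{primary['version']}",
            # Hypothetical namespace URI; SPDX only requires it to be unique per document.
            "documentNamespace": f"https://example.invalid/sbom/{primary['name']}-{primary['version']}",
            "creationInfo": {"creators": ["Tool: build-sbom-example"], "created": created},
            "packages": packages, "relationships": rels}

def missing_ntia_elements(sbom):
    """Return the NTIA minimum elements the document lacks; an empty list means complete."""
    missing, info = set(), sbom.get("creationInfo", {})
    if not info.get("creators"): missing.add("Author of SBOM Data")
    if not info.get("created"): missing.add("Timestamp")
    if not sbom.get("documentNamespace"): missing.add("Other Unique Identifiers")
    for pkg in sbom.get("packages", []):
        for field, element in (("supplier", "Supplier Name"), ("name", "Component Name"),
                               ("versionInfo", "Version of Component"), ("SPDXID", "Other Unique Identifiers")):
            if not pkg.get(field): missing.add(element)
    # Every package must be reached by a DESCRIBES or CONTAINS relationship.
    reached = {r["relatedSpdxElement"] for r in sbom.get("relationships", [])}
    if {p.get("SPDXID") for p in sbom.get("packages", [])} - reached: missing.add("Dependency Relationship")
    return sorted(missing)
```

Serialising the returned dict with json.dumps gives a document that SPDX tooling can consume; a package left out of every relationship, or one with an empty supplier, is reported as a missing NTIA element.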
CC0-1.0