Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide ability to emit SPDX SBOM formats #251

Open
lumjjb opened this issue Apr 22, 2022 · 21 comments
Open

Provide ability to emit SPDX SBOM formats #251

lumjjb opened this issue Apr 22, 2022 · 21 comments
Labels
component:output-formats Supported output formats enhancement New feature or request

Comments

@lumjjb
Copy link

lumjjb commented Apr 22, 2022

Is your feature request related to a problem? Please describe.

I would like to be able to generate SPDX SBOM format ('spdx-json' and 'spdx-xml') documents for an application so that I can integrate with other SPDX tooling.

Describe the solution you'd like

I would like there to be an option to emit SPDX format SBOMs and/or CycloneDX SBOMs (CycloneDX already implemented based on discussion in #3).

Describe alternatives you've considered

Alternative solutions would be taking the output of cycloneDX formats and converting it to SPDX format. However, this relies on external tooling which may not have proper conformance testing or maintenance going forward. In addition, the different specifications are working towards new directions (i.e. SPDX with build profiles), and relying on native libraries would be preferred.

@lumjjb lumjjb added the enhancement New feature or request label Apr 22, 2022
@woodruffw woodruffw added the component:output-formats Supported output formats label Apr 22, 2022
@woodruffw
Copy link
Member

Thanks for the request, @lumjjb!

When we started designing pip-audit, we selected CycloneDX over SPDX solely because of better Python bindings/library support. That was close to a year ago at this point and so things may have changed, but selecting a reasonable dependency for emitting SPDX SBOMs will be the first step here 🙂

@lumjjb
Copy link
Author

lumjjb commented Apr 22, 2022

Awesome! Sounds good :D.

@swinslow would you be able to recommend some python libraries to look at?

@woodruffw
Copy link
Member

I did a little bit more searching, and couldn't find a good Python library for SPDX SBOM generation (but I might have completely missed it!)

Still open to suggestions here. Otherwise, when we prioritize this, we may have to hand-roll the format.

@lumjjb
Copy link
Author

lumjjb commented Jul 27, 2022

Let me ask around and do some searching too! I'll get back to you!

@lumjjb
Copy link
Author

lumjjb commented Jul 27, 2022

quick question - did you manage to take a look at https://github.com/spdx/tools-python/, what are some interfaces/structures that you think are needed to make it more useful to consume the library?

(Asking this also because I'm working on the golang library :))

@woodruffw
Copy link
Member

I think I saw that repository, but might have mentally categorized it as a CLI tool rather than a Python API. But it looks like it does have a Python API, so I'll take another look, thanks!

@woodruffw
Copy link
Member

what are some interfaces/structures that you think are needed to make it more useful to consume the library?

I might be able to answer this on my own, but in case you know it immediately: where are the right models for generating a "vulnerability profile" for each dependency listed in the SBOM? I see it was standardized here: spdx/spdx-spec#510, and I think that's what we'll need in the context of pip-audit.

@lumjjb
Copy link
Author

lumjjb commented Jul 27, 2022

Ah yea - if i'm not wrong, I think that effort was renamed to "Defects Profile", and it was for use case of reporting vulnerabilities as part of the SPDX document! spdx/spdx-spec#733

I love your suggestion of using the profiles as ways to organize and define the interfaces! As more of the SPDX profiles get defined, this will be a great way to build up the libraries. Thank you!

@woodruffw
Copy link
Member

Circling back here: we have this scoped in another round of work, so we should be adding support relatively soon!

We still don't have a good dependency pinned down for generating these SBOMs, however.

@lumjjb
Copy link
Author

lumjjb commented Sep 28, 2022

Thanks for checking back! I believe that there's on-going OpenSSF funding request for the python library: ossf/sbom-everywhere#6

Is this something that you are participating / interested in?

@woodruffw
Copy link
Member

I think so! We have a decent amount of prior experience with SBOM generation, including contributing to other SBOM libraries for Python.

What's the best way to proceed here? Is there an specific OSSF point-of-contact that Trail of Bits should email?

@anthonyharrison
Copy link

Have a look at SBOM4PYTHON which might do what you need. It generates both SPDX and CyloneDX SBOMs for an installed Python module and all its assoicated dependencies.

@lumjjb
Copy link
Author

lumjjb commented Oct 25, 2022

@woodruffw sorry i missed this, I think this is the issue for the python lib funding ossf/sbom-everywhere#6 that @joshbressers has been shepherding

@woodruffw
Copy link
Member

No problem! Thanks for the update.

And thanks for the link @anthonyharrison!

@joshbressers
Copy link

I think so! We have a decent amount of prior experience with SBOM generation, including contributing to other SBOM libraries for Python.

What's the best way to proceed here? Is there an specific OSSF point-of-contact that Trail of Bits should email?

@woodruffw I've pointed Kate Stewart at this issue, she should be able to hook you up with the folks working on that SBOM library. Feel free to also follow along on the issue @lumjjb added

@kestewart
Copy link

@woodruffw - I've pointed the developers at this thread, so hopefully they'll chime in directly. There's a weekly call on Thursdays at 8:30 Pacific where we discuss next steps, etc. You're welcome to join in. Email me directly and I'll point you at details if you want to participate.

Similarly, there's spdx/tools-python#244 where the refactoring/cleanup of the python libraries is being discussed.

@woodruffw
Copy link
Member

Thanks a ton @kestewart! I'm happy to join the weekly call; I'll be in contact over email.

@0x73746F66
Copy link

guessing this went nowhere?

@woodruffw
Copy link
Member

Nobody has volunteered to do it, if that's what you mean. The feature request itself is still open and I'd be happy to review proposals/PRs that add support for SPDX SBOMs.

@0x73746F66
Copy link

0x73746F66 commented Jun 30, 2024

Since any time I find to code, occurs between midnight and whenever I force myself awake until, while being able to turn up to work or be lucid for the family the next day.. I'm not promising anything here, though I will take a look as I do occasionally find time to do things like OWASP cheatsheets or redhat CVSSv4 support

To be frank, I was actually referring to the approved funding - but I appreciate the deflection back to us asking in true form to open source it's a team effort, I get it

Having said that, what happened here? Funding dry up or something? All promises no real interest in the outcomes?
Seems strange given all the talk on SBOM, or not so surprising it's all talk..

@woodruffw
Copy link
Member

woodruffw commented Jun 30, 2024

Since any time I find to code, occurs between midnight and whenever I force myself awake until, while being able to turn up to work or be lucid for the family the next day.. I'm not promising anything here, though I will take a look as I do occasionally find time to do things like OWASP cheatsheets or redhat CVSSv4 support

To be frank, I was actually referring to the approved funding - but I appreciate the deflection back to us asking in true form to open source it's a team effort, I get it

Having said that, what happened here? Funding dry up or something? All promises no real interest in the outcomes?
Seems strange given all the talk on SBOM, or not so surprising it's all talk..

I was funded to work on SPDX SBOM integration into pip-audit, but there was a blocker as discussed above, and that funding was used for other maintenance tasks instead. I think the other funding you're referring to is the SPDX Python implementation's own funding, which they got for development on their own repository, not for integration into pip-audit.

This isn't really the right place to express generic grievances about funding, and it isn't nice to accuse people of being "all talk no action." With that being said, if you're interested in adding support for SPDX it would be greatly appreciated, and I'd be happy to review the changes. Per above the main requirement is that we use SPDX's official models and Python APIs rather than manually building the SBOM.

Edit: corrected facts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component:output-formats Supported output formats enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

6 participants