based on https://sethmlarson.dev/early-promising-results-with-sboms-and-python-packages
contact @sethmlarson
PEP: https://peps.python.org/pep-0770/
PEP discussion: https://discuss.python.org/t/pep-770-improving-measurability-of-python-packages-with-software-bill-of-materials/76308
goal
gather the declaration of bundled dependencies of a package, by reading its shipped SBOMs.
Warning
PEP 770 is still a draft, so it is unclear how declared shipped SBOMs may be detected ...
expected outcome:
example result
JSON based on a demo-SBOM for Pillow==11.1.0: https://gist.github.com/sethmlarson/9b87245c99147815e8e18901f4a10444
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "metadata": {
    "component": { "type": "application", "name": "my-app", "version": "0.13.37", "bom-ref": "my-app" }
  },
  "components": [
    {
      "type": "library", "bom-ref": "pillow==11.1.0", "name": "Pillow", "version": "11.1.0",
      "components": [
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8",
          "name": "libXau", "version": "1.0.9-3.el8",
          "purl": "pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8",
          "name": "jbigkit-libs", "version": "2.1-14.el8",
          "purl": "pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8",
          "name": "libtiff", "version": "4.0.9-33.el8_10",
          "purl": "pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8",
          "name": "libxcb", "version": "1.13.1-1.el8",
          "purl": "pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8",
          "name": "openjpeg2", "version": "2.4.0-5.el8",
          "purl": "pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8",
          "name": "libjpeg-turbo", "version": "1.5.3-12.el8",
          "purl": "pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8",
          "name": "lcms2", "version": "2.9-2.el8",
          "purl": "pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8",
          "name": "bzip2-libs", "version": "1.0.6-26.el8",
          "purl": "pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8",
          "name": "libpng", "version": "1.6.34-5.el8",
          "purl": "pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8",
          "name": "freetype", "version": "2.9.1-9.el8",
          "purl": "pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8" },
        { "type": "library", "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8",
          "name": "libwebp", "version": "1.0.0-9.el8_9.1",
          "purl": "pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" }
      ]
    }
  ],
  "dependencies": [
    { "ref": "my-app", "dependsOn": [ "pillow==11.1.0" ] },
    { "ref": "pillow==11.1.0", "dependsOn": [
        "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8",
        "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8"
      ]
    },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/jbigkit-libs@2.1-14.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libxcb@1.13.1-1.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/openjpeg2@2.4.0-5.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libjpeg-turbo@1.5.3-12.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/lcms2@2.9-2.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/bzip2-libs@1.0.6-26.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libpng@1.6.34-5.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/freetype@2.9.1-9.el8?distro=almalinux-8" },
    { "ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8" }
  ]
}
```
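As an added example (not part of this issue and not the project's code), here is a small reader for the kind of CycloneDX document shown above. It treats a component nested under another component's `components` list as a bundled dependency, which is the convention the demo SBOM uses, and cross-checks the `dependencies` graph against the declared `bom-ref`s, since duplicated refs and dangling `dependsOn` edges are the two defects most likely to slip into a hand-written SBOM. `SAMPLE_SBOM` is a constructed, trimmed-down copy of the Pillow demo with both defects planted on purpose. How a wheel's shipped SBOM files are located is not modelled, because PEP 770 had not settled that at the time of the issue.

```python
"""Read bundled-dependency declarations from a CycloneDX JSON SBOM."""
import json
from collections import Counter
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample modelled on the Pillow demo SBOM, cut down to two RPMs.
# Planted defects: libwebp is declared twice, and pillow's dependsOn points
# at a libtiff ref that no component defines.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "metadata": {"component": {"type": "application", "name": "my-app",
                             "version": "0.13.37", "bom-ref": "my-app"}},
  "components": [
    {"type": "library", "bom-ref": "pillow==11.1.0", "name": "Pillow", "version": "11.1.0",
     "components": [
       {"type": "library", "name": "libXau", "version": "1.0.9-3.el8",
        "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8",
        "purl": "pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8"},
       {"type": "library", "name": "libwebp", "version": "1.0.0-9.el8_9.1",
        "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8",
        "purl": "pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8"},
       {"type": "library", "name": "libwebp", "version": "1.0.0-9.el8_9.1",
        "bom-ref": "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8",
        "purl": "pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8"}
     ]}
  ],
  "dependencies": [
    {"ref": "my-app", "dependsOn": ["pillow==11.1.0"]},
    {"ref": "pillow==11.1.0", "dependsOn": [
      "pillow==11.1.0|pkg:rpm/almalinux/libXau@1.0.9-3.el8?distro=almalinux-8",
      "pillow==11.1.0|pkg:rpm/almalinux/libwebp@1.0.0-9.el8_9.1?distro=almalinux-8",
      "pillow==11.1.0|pkg:rpm/almalinux/libtiff@4.0.9-33.el8_10?distro=almalinux-8"
    ]}
  ]
}
"""


def _walk(components: List[dict], parent: Optional[str] = None) -> Iterator[Tuple[Optional[str], dict]]:
    """Yield (parent bom-ref, component) for every component, depth first."""
    for comp in components:
        yield parent, comp
        yield from _walk(comp.get("components", []), comp.get("bom-ref"))


def bundled_dependencies(sbom_text: str) -> Dict[str, List[dict]]:
    """Map each component's bom-ref to the components nested under it.

    Nesting is how the demo SBOM expresses "bundled": the RPMs sit under the
    Pillow wheel. Entries are de-duplicated by bom-ref, so a declaration that
    was pasted twice still counts as one dependency (lint_sbom reports it).
    """
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled here")
    bundled: Dict[str, Dict[str, dict]] = {}
    for parent, comp in _walk(sbom.get("components", [])):
        if parent is None:
            continue  # top-level components are direct deps, not bundled ones
        entry = {"name": comp.get("name"), "version": comp.get("version"), "purl": comp.get("purl")}
        bundled.setdefault(parent, {}).setdefault(comp.get("bom-ref"), entry)
    return {parent: list(entries.values()) for parent, entries in bundled.items()}


def lint_sbom(sbom_text: str) -> List[str]:
    """Report duplicate bom-refs and dependency edges that reference no component."""
    sbom = json.loads(sbom_text)
    refs = Counter(c["bom-ref"] for _, c in _walk(sbom.get("components", [])) if c.get("bom-ref"))
    known = set(refs)
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        known.add(root)  # the metadata component is a valid ref too
    problems = [f"duplicate bom-ref: {ref}" for ref, n in refs.items() if n > 1]
    for dep in sbom.get("dependencies", []):
        src = dep.get("ref")
        if src not in known:
            problems.append(f"dependency entry for unknown ref: {src}")
        for target in dep.get("dependsOn", []):
            if target not in known:
                problems.append(f"dangling dependsOn: {src} -> {target}")
    return problems


if __name__ == "__main__":
    for parent, deps in bundled_dependencies(SAMPLE_SBOM).items():
        print(parent, "bundles:")
        for dep in deps:
            print("   ", dep["name"], dep["version"], dep["purl"])
    for problem in lint_sbom(SAMPLE_SBOM):
        print("PROBLEM:", problem)
```

On the sample this reports one bundled set (Pillow with libXau and libwebp) and two problems: the duplicated libwebp ref and the dangling libtiff edge. Running the same lint over the demo JSON above is a cheap way to catch the same two mistakes before an SBOM is shipped in a wheel.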