Create utility for generating SBOM from artifacts #82
Conversation
How should this be run?

```
❯ p sbom.py
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/sbom.py", line 274, in <module>
    tarball_path = sys.argv[1]
                   ~~~~~~~~^^^
IndexError: list index out of range
❯ p sbom.py -h
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/sbom.py", line 277, in <module>
    create_sbom_for_source_tarball(tarball_path), indent=2, sort_keys=True
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/sbom.py", line 103, in create_sbom_for_source_tarball
    raise ValueError(f"Unknown tarball format: '{tarball_name}'")
ValueError: Unknown tarball format: '-h'
❯ p sbom.py /tmp/downloads/Python-3.13.0a2.tgz
Traceback (most recent call last):
  File "/Users/hugo/github/release-tools/sbom.py", line 277, in <module>
    create_sbom_for_source_tarball(tarball_path), indent=2, sort_keys=True
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/hugo/github/release-tools/sbom.py", line 117, in create_sbom_for_source_tarball
    sbom_bytes = tarball.extractfile(tarball.getmember("Misc/sbom.spdx.json")).read()
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/tarfile.py", line 1984, in getmember
    raise KeyError("filename %r not found" % name)
KeyError: "filename 'Misc/sbom.spdx.json' not found"
```

I got a similar
@hugovk Sorry for sending you on a wild goose chase! I actually had to modify the 3.13.0a2 release tarball by adding the

* Adds dependency relationships between top-level CPython package and vendored packages.
* Removes directory prefix in file names to make diffs more consistent across different releases.
* Gets release-tool commit SHA for tool version
Are there any chunks of sbom.py that would benefit from testing/CI?
(It would be really nice to be able to dry-run run_release.py too, but that's completely out of scope here!)
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>

Thanks for the reviews! I've applied the suggestions :)
```python
# Remove the 'Python-{version}/...' prefix for the SPDXID and fileName.
member_name_no_prefix = member.name.split('/', 1)[1]

# We've already seen this file, so we check it hasn't been modified and continue on.
```
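Review bot: `member.name.split('/', 1)[1]` raises IndexError for any member whose name contains no `/` (the top-level `Python-{version}` directory entry itself, or a stray file at the archive root) unless such members are filtered out before this point, and it strips whatever first path component happens to be present rather than the `Python-{version}/` prefix the comment promises. Suggest checking the prefix explicitly, e.g. `if not member.name.startswith(prefix + "/"): raise ValueError(f"unexpected member {member.name!r}")`, and then slicing with `member.name[len(prefix) + 1:]`, so a member that escapes the expected top directory fails loudly instead of ending up in the SBOM under a misleading name. The duplicate-member comment on the last line would also be worth a sentence in the function docstring stating that tar archives can carry the same path more than once and that a repeat is accepted only when its SHA256 matches the entry already recorded.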
Tar files can contain the same file multiple times, there isn't a situation where this can lead to false positives here, is there? (I'm thinking in terms of the listed sha256 being the same but other information being different in the tarball-contained SBOM.) I guess we're trusting both the tarball and the contained SBOM anyway, so no.
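The following is an added example, not the release-tools `sbom.py` discussed in this PR. It pulls together the behaviours discussed above: a CLI that answers `-h` and a missing argument with a usage message instead of a traceback, a clear error when the tarball has no embedded `Misc/sbom.spdx.json`, stripping the `Python-{version}/` prefix only after checking it is really there, and the duplicate-member case from the comment just above, where a path that appears twice in the archive is accepted only if its SHA256 matches the first occurrence. All function and parameter names (`create_sbom`, `member_hashes`, `make_sample_tarball`, and so on) and the sample archive contents are assumptions constructed for this example.

```python
"""Added example (not release-tools' sbom.py): SPDX file entries for a source tarball.

Handles: a usable CLI (-h, missing argument), a tarball without the embedded
Misc/sbom.spdx.json, checked stripping of the 'Python-{version}/' prefix, and
a tar archive that lists the same path twice (accepted only if the SHA256 is
unchanged). Names and sample data are assumptions made for this example.
"""
import argparse
import hashlib
import io
import json
import re
import sys
import tarfile

# Assumed naming scheme for CPython source tarballs: Python-<version>.tgz / .tar.xz
TARBALL_RE = re.compile(r"^(?P<prefix>Python-[0-9][^/]*)\.(tgz|tar\.xz)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_embedded_sbom(tar: tarfile.TarFile, prefix: str) -> dict:
    """Load Misc/sbom.spdx.json shipped inside the tarball; fail clearly if absent."""
    path = f"{prefix}/Misc/sbom.spdx.json"
    try:
        member = tar.getmember(path)
    except KeyError:
        raise ValueError(f"{path!r} not found: does this release ship an embedded SBOM?") from None
    return json.loads(tar.extractfile(member).read())


def member_hashes(tar: tarfile.TarFile, prefix: str) -> dict[str, str]:
    """Map prefix-less file name -> sha256 for every regular-file member.

    getmembers() returns every entry in archive order, so a path stored twice
    is visited twice; the repeat must hash identically or it is rejected.
    """
    seen: dict[str, str] = {}
    for member in tar.getmembers():
        if not member.isfile():
            continue
        if not member.name.startswith(prefix + "/"):
            raise ValueError(f"member outside {prefix}/: {member.name!r}")
        name = member.name[len(prefix) + 1:]
        digest = sha256_hex(tar.extractfile(member).read())
        if name in seen:
            if seen[name] != digest:
                raise ValueError(f"duplicate member {name!r} has different content")
            continue  # identical bytes: nothing new to record
        seen[name] = digest
    return seen


def create_sbom(tar_bytes: bytes, tarball_name: str) -> dict:
    """Return the embedded SBOM extended with one SPDX 'files' entry per member."""
    match = TARBALL_RE.match(tarball_name)
    if not match:
        raise ValueError(f"Unknown tarball format: {tarball_name!r}")
    prefix = match.group("prefix")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        sbom = read_embedded_sbom(tar, prefix)
        hashes = member_hashes(tar, prefix)
    sbom["files"] = [
        {
            "SPDXID": "SPDXRef-FILE-" + re.sub(r"[^A-Za-z0-9.-]", "-", name),
            "fileName": name,
            "checksums": [{"algorithm": "SHA256", "checksumValue": digest}],
        }
        for name, digest in sorted(hashes.items())  # sorted: stable diffs across releases
    ]
    return sbom


def make_sample_tarball(prefix="Python-3.13.0a2", with_sbom=True, tamper=False) -> bytes:
    """Constructed sample archive: two files plus a repeated README.rst member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(path: str, content: bytes) -> None:
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        add("README.rst", b"This is Python\n")
        if with_sbom:
            add("Misc/sbom.spdx.json", b'{"spdxVersion": "SPDX-2.3", "packages": []}')
        # Second copy of the same path; differs from the first only when tamper=True.
        add("README.rst", b"tampered\n" if tamper else b"This is Python\n")
    return buf.getvalue()


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Generate an SPDX SBOM for a CPython source tarball")
    parser.add_argument("tarball", help="path to Python-<version>.tgz or .tar.xz")
    args = parser.parse_args(argv)  # -h and a missing argument are handled here
    try:
        with open(args.tarball, "rb") as f:
            sbom = create_sbom(f.read(), args.tarball.rsplit("/", 1)[-1])
    except (OSError, ValueError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 2
    print(json.dumps(sbom, indent=2, sort_keys=True))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as `python sbom_example.py Python-3.13.0a2.tgz`; the file name, not the path, is what decides whether the tarball is recognised, and the prefix derived from it is the only directory component ever stripped. A duplicate entry with identical content is silently skipped, which matches the "already seen this file" branch in the review thread, while a duplicate with different content aborts the run rather than letting either copy into the SBOM.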
Part of python/cpython#112302
So this is a decent amount of code to review, but it does indeed check all the boxes that I want SBOMs for source tarball artifacts to check. This likely won't be the final state of this module, I think the end-goal is to stitch it in to the release process in various points.
You can see the generated SBOM in this Gist: https://gist.github.com/sethmlarson/103891c6cac4d41b11daab89e6c84868
Here are the criteria the generated SBOM meets: