Software program bill-of-materials docs eyed for Python packages

Software bill-of-materials (SBOM) documents could be included in Python packages to improve their "measurability" and to address the "phantom dependency" problem, under a Python Enhancement Proposal (PEP) now being floated at python.org.

In explaining the motivation behind the proposal, created January 2, the authors state that Python packages are particularly affected by the phantom dependency problem: they frequently include software components not written in Python, for reasons such as compatibility with standards, ease of installation, or use cases such as machine learning that rely on compiled libraries written in C, C++, Rust, Fortran, and other languages. The proposal notes that the Python wheel format is preferred by users because of its ease of installation, but that format requires bundling shared compiled libraries with no way to encode metadata about them. Additionally, projects involved in Python packaging itself often need to solve the bootstrapping problem, so they vendor pure-Python projects inside their own source code; those components likewise cannot be described with Python package metadata and are therefore likely to be missed by software composition analysis (SCA) tools, which means vulnerable components may not be reported accurately. Including an SBOM document that annotates every bundled library would let SCA tools reliably identify the included software.

Because SBOM is a technology- and ecosystem-agnostic method for describing software composition, provenance, heritage, and more, and because SBOMs are consumed as inputs by SCA tools such as vulnerability and license scanners, SBOMs could be used to improve the measurability of Python packages, the proposal states. Further, SBOMs are called for by recent security requirements such as NIST's Secure Software Development Framework (SSDF). As a consequence, demand for SBOM documents covering open source projects is expected to remain high, the proposal states. The PEP therefore proposes using SBOM documents in Python packages: it delegates SBOM-specific metadata to SBOM documents shipped inside the package and adds a core metadata field so that tools can discover those included SBOM documents.
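To make the mechanism concrete, the following is an added example (not code from the article or from the PEP) of how an SCA-style tool could discover and read an SBOM shipped inside an installed package. It assumes the field name `Sbom-File` in `METADATA` and an `sboms/` directory under `.dist-info`, as in the PEP draft; those names, the package `examplepkg`, and the bundled components listed in the sample SBOM are all constructed for illustration. The path-containment check is the one caveat a practitioner would want: a `METADATA` file is attacker-controllable content, so an SBOM reference must not be allowed to point outside the dist-info directory.

```python
"""Discover and parse SBOM documents shipped inside a Python package's .dist-info.

Added example; the field name "Sbom-File" and the "sboms/" directory are assumptions
taken from the PEP draft, and the sample package and SBOM contents are constructed.
"""
import json
import tempfile
from email.parser import Parser
from pathlib import Path

SBOM_FIELD = "Sbom-File"  # assumed core metadata field name (multiple-use)

# Constructed CycloneDX 1.5 document describing two "phantom" dependencies that
# ordinary Python package metadata cannot express: a compiled C library bundled
# in the wheel and a pure-Python project vendored into the source tree.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1"},
        {"type": "library", "name": "packaging", "version": "24.2",
         "purl": "pkg:pypi/packaging@24.2"},
    ],
}


def build_sample_dist_info(root: Path, sbom_ref: str = "sboms/bundled.cdx.json") -> Path:
    """Write a minimal examplepkg-1.0.dist-info with one SBOM referenced from METADATA."""
    dist_info = root / "examplepkg-1.0.dist-info"
    (dist_info / "sboms").mkdir(parents=True)
    (dist_info / "sboms" / "bundled.cdx.json").write_text(json.dumps(SAMPLE_SBOM))
    metadata = (
        "Metadata-Version: 2.4\n"
        "Name: examplepkg\n"
        "Version: 1.0\n"
        f"{SBOM_FIELD}: {sbom_ref}\n"
    )
    (dist_info / "METADATA").write_text(metadata)
    return dist_info


def sbom_paths(dist_info: Path) -> list[Path]:
    """Return every SBOM file referenced by METADATA, refusing paths that escape dist-info."""
    msg = Parser().parsestr((dist_info / "METADATA").read_text())
    base = dist_info.resolve()
    paths = []
    for rel in msg.get_all(SBOM_FIELD, []):
        candidate = (base / rel).resolve()
        # METADATA is untrusted input: block "../" style traversal and absolute paths.
        if base not in candidate.parents:
            raise ValueError(f"SBOM reference escapes dist-info: {rel!r}")
        paths.append(candidate)
    return paths


def bundled_components(dist_info: Path) -> list[tuple[str, str]]:
    """Collect (name, version) pairs from each referenced SBOM (CycloneDX or SPDX JSON)."""
    found = []
    for path in sbom_paths(dist_info):
        doc = json.loads(path.read_text())
        if doc.get("bomFormat") == "CycloneDX":
            for comp in doc.get("components", []):
                found.append((comp["name"], comp.get("version", "")))
        elif "spdxVersion" in doc:
            for pkg in doc.get("packages", []):
                found.append((pkg["name"], pkg.get("versionInfo", "")))
        else:
            raise ValueError(f"unrecognized SBOM format in {path.name}")
    return found


def demo() -> list[tuple[str, str]]:
    """Build the constructed package in a temp dir and return what an SCA tool would see."""
    with tempfile.TemporaryDirectory() as tmp:
        return bundled_components(build_sample_dist_info(Path(tmp)))


def rejects_escaping_path() -> bool:
    """True if a METADATA entry pointing outside dist-info is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        dist_info = build_sample_dist_info(Path(tmp), sbom_ref="../../etc/passwd")
        try:
            sbom_paths(dist_info)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for name, version in demo():
        print(f"bundled component not visible in Python metadata: {name} {version}")
    print("traversal rejected:", rejects_escaping_path())
```

Running the module prints the two bundled components, which a scanner reading only `Requires-Dist` would never see, and confirms that a traversal reference is rejected. A real scanner would go on to match each `purl` against a vulnerability database, which is exactly the step the article says phantom dependencies currently break.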

roosho Senior Engineer (Technical Services)
I am Rakib Raihan RooSho, Jack of all IT Trades. You got it right. Good for nothing. I try a lot of things and fail more than that. That's how I learn. Whenever I succeed, I note that in my cookbook. Eventually, that became my blog. 
rooshohttps://www.roosho.com