Software bill-of-materials (SBOM) documents could be included in Python packages to improve their "measurability" and to address the problem of "phantom dependencies", under a Python Enhancement Proposal (PEP) now being floated at python.org.
In explaining the motivation behind the proposal, created January 2, the authors state that Python packages are particularly affected by the phantom dependency problem: they often include software components not written in Python, for reasons such as compatibility with standards, ease of installation, or use cases such as machine learning that rely on compiled libraries written in C, C++, Rust, Fortran, and other languages. The proposal notes that the Python wheel format is preferred by users because of its ease of installation, but the format requires bundling shared compiled libraries without any way to encode metadata about them. In addition, projects related to Python packaging commonly need to solve the bootstrapping problem and so include pure-Python projects within their own source code; these components likewise cannot be described using Python package metadata and are therefore likely to be missed by software composition analysis (SCA) tools, which can mean vulnerable components are not reported accurately. Including an SBOM document annotating all bundled libraries would allow SCA tools to reliably identify the included software.
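To make the phantom-dependency gap concrete, here is an added example (not code from the PEP, from the article, or from any packaging tool) that builds a constructed wheel in memory, compares what its METADATA declares against the compiled files actually bundled, and then checks whether an SBOM shipped inside the wheel accounts for each bundled library. The `.dist-info/sboms/` location, the `wheel:path` property name, the OpenSSL version, the file contents and the package name are all assumptions for illustration; only the `<pkg>.libs/` directory layout follows the convention auditwheel-repaired wheels use.

```python
"""Added example: surfacing 'phantom dependencies' in a Python wheel.

A wheel is a zip archive. METADATA's Requires-Dist can only name other Python
distributions, so a compiled library vendored into the archive is invisible to
tooling that reads metadata alone. Everything below is constructed for
illustration (placeholder binaries, assumed SBOM location and property name)."""
from __future__ import annotations

import io
import json
import zipfile
from pathlib import PurePosixPath

NATIVE_SUFFIXES = {".so", ".dylib", ".pyd", ".dll"}
SBOM_DIR = ".dist-info/sboms/"   # assumed location; the PEP decides the real one
PATH_PROPERTY = "wheel:path"     # assumed CycloneDX property naming the shipped file
VENDORED_LIB = "example_pkg.libs/libcrypto-1a2b3c4d.so.3"

# Constructed CycloneDX-style SBOM the package author would ship next to the
# bundled library. The OpenSSL version is a placeholder, not a real finding.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [{
        "type": "library",
        "name": "openssl",
        "version": "3.0.13",
        "purl": "pkg:generic/openssl@3.0.13",
        "properties": [{"name": PATH_PROPERTY, "value": VENDORED_LIB}],
    }],
}


def build_sample_wheel(sbom: dict | None = None) -> bytes:
    """Constructed wheel: the package's own extension module plus a vendored
    libcrypto in the <pkg>.libs/ directory auditwheel uses. Payloads are
    placeholder bytes, not real ELF files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example_pkg/__init__.py", "from ._core import *\n")
        zf.writestr("example_pkg/_core.cpython-312-x86_64-linux-gnu.so", b"\x7fELF")
        zf.writestr(VENDORED_LIB, b"\x7fELF")
        zf.writestr("example_pkg-1.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: example-pkg\nVersion: 1.0\n"
                    "Requires-Dist: requests>=2\n")
        if sbom is not None:
            zf.writestr("example_pkg-1.0" + SBOM_DIR + "openssl.cdx.json",
                        json.dumps(sbom))
    return buf.getvalue()


def declared_dependencies(wheel: bytes) -> list[str]:
    """What metadata-only SCA sees: Requires-Dist lines and nothing else."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        meta = next(n for n in zf.namelist() if n.endswith(".dist-info/METADATA"))
        lines = zf.read(meta).decode().splitlines()
    return [ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("Requires-Dist:")]


def bundled_native_files(wheel: bytes) -> list[str]:
    """Every compiled artifact in the archive. Versioned sonames such as
    libcrypto.so.3 end in '.3', so all suffixes are examined, not just the last."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        names = zf.namelist()
    return sorted(n for n in names if NATIVE_SUFFIXES & set(PurePosixPath(n).suffixes))


def phantom_dependencies(wheel: bytes) -> list[str]:
    """Bundled native files that no METADATA field can describe. The package's
    own extension modules are excluded by a heuristic: a CPython ABI tag in the
    filename or a .pyd suffix."""
    return [n for n in bundled_native_files(wheel)
            if ".cpython-" not in n and not n.endswith(".pyd")]


def sbom_documents(wheel: bytes) -> list[dict]:
    """Parse every JSON SBOM found under the assumed SBOM directory."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return [json.loads(zf.read(n)) for n in zf.namelist()
                if SBOM_DIR in n and n.endswith(".json")]


def uncovered_phantoms(wheel: bytes) -> list[str]:
    """Phantom files that no SBOM component claims via the path property."""
    covered = {prop["value"]
               for doc in sbom_documents(wheel)
               for comp in doc.get("components", [])
               for prop in comp.get("properties", [])
               if prop.get("name") == PATH_PROPERTY}
    return [p for p in phantom_dependencies(wheel) if p not in covered]


if __name__ == "__main__":
    for label, wheel in (("without SBOM", build_sample_wheel()),
                         ("with SBOM", build_sample_wheel(SAMPLE_SBOM))):
        print(label, "declared:", declared_dependencies(wheel),
              "phantom:", phantom_dependencies(wheel),
              "uncovered:", uncovered_phantoms(wheel))
```

Run stand-alone, the script shows that `Requires-Dist` only names `requests>=2` while the archive also carries a libcrypto shared object; without an SBOM that file is unaccounted for, and with the SBOM the scan can map it to an OpenSSL component and version. The same check works against a real wheel by passing its bytes to the functions instead of the constructed one.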
Because the SBOM is a technology- and ecosystem-agnostic method for describing software composition, provenance, heritage, and more, and because SBOMs are used as inputs for software composition analysis (SCA) tools such as vulnerability and license scanners, SBOMs could be used to improve the measurability of Python packages, the proposal states. Further, SBOMs are required by recent security requirements such as NIST's Secure Software Development Framework (SSDF). Because of these requirements, demand for SBOM documents covering open source projects is expected to remain high, the proposal states. The PEP therefore proposes using SBOM documents in Python packages: it delegates SBOM-specific metadata to SBOM documents included in the package and adds a core metadata field so that included SBOM documents can be discovered by tools.