Software bill-of-materials (SBOM) documents could be used in Python packages as a way to improve their "measurability" and to address the problem of "phantom dependencies" in Python packages, under a Python Enhancement Proposal (PEP) now being floated at python.org.
In explaining the motivation behind the proposal, created January 2, the authors state that Python packages are particularly affected by a phantom dependency problem, meaning they often include software components not written in Python for reasons such as compatibility with standards, ease of installation, or use cases such as machine learning that use compiled libraries from C, C++, Rust, Fortran, and other languages. The proposal notes that the Python wheel format is preferred by users because of its ease of installation, but this format requires bundling shared compiled libraries without a way to encode metadata about them. In addition, packages related to Python packaging commonly need to solve the bootstrapping problem, so they include pure Python projects within their source code, but these software components also cannot be described using Python package metadata and thus are likely to be missed by software composition analysis (SCA) tools, which can mean vulnerable software components are not reported accurately. Including an SBOM document annotating all bundled libraries would enable SCA tools to reliably identify the included software.
Because SBOM is a technology- and ecosystem-agnostic method for describing software composition, provenance, heritage, and more, and because SBOMs are used as inputs for SCA tools, such as scanners for vulnerabilities and licenses, SBOMs could be used to improve the measurability of Python packages, the proposal states. Further, SBOMs are required by recent security regulations, such as the Secure Software Development Framework (SSDF). Because of these regulations, demand for SBOM documents of open source projects is expected to remain high, the proposal states. Thus the PEP proposes using SBOM documents in Python packages. The proposal delegates SBOM-specific metadata to SBOM documents included in Python packages and adds a core metadata field for discoverability of included SBOM documents.
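To show how an SCA tool could use such a metadata field to surface phantom dependencies, here is an added example (not code from the PEP or from any packaging project) that builds a small wheel in memory, reads a hypothetical `Sbom-File` core-metadata field, and reports SBOM components that `Requires-Dist` does not declare; the field name, the `dist-info/sboms/` path and the sample SBOM are all assumptions.

```python
"""Find bundled components that Python package metadata cannot describe.

Added example. Assumes a hypothetical core-metadata field `Sbom-File:`
whose value is a path inside the wheel to a CycloneDX-style JSON
document. The wheel and the SBOM are constructed here so it runs offline.
"""
import io
import json
import re
import zipfile
from email.parser import Parser

# Constructed sample SBOM (minimal CycloneDX-like shape) for a bundled C library.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3"},
    ],
}

def build_sample_wheel() -> bytes:
    """Construct an in-memory wheel whose METADATA points at an SBOM file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo-1.0.dist-info/METADATA",
                    "Metadata-Version: 2.4\nName: demo\nVersion: 1.0\n"
                    "Requires-Dist: requests>=2.0\n"
                    "Sbom-File: demo-1.0.dist-info/sboms/bom.json\n")  # assumed field
        zf.writestr("demo-1.0.dist-info/sboms/bom.json", json.dumps(SAMPLE_SBOM))
    return buf.getvalue()

def phantom_components(wheel_bytes: bytes) -> list[str]:
    """Return SBOM components that neither Name nor Requires-Dist declares."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        meta_name = next(n for n in zf.namelist() if n.endswith(".dist-info/METADATA"))
        meta = Parser().parsestr(zf.read(meta_name).decode())
        # Project name is the leading token of each Requires-Dist requirement.
        declared = {re.match(r"[A-Za-z0-9_.\-]+", v).group(0).lower()
                    for v in meta.get_all("Requires-Dist", [])}
        declared.add(meta["Name"].lower())  # the package itself is not a phantom
        found = []
        for path in meta.get_all("Sbom-File", []):
            bom = json.loads(zf.read(path))
            for comp in bom.get("components", []):
                if comp["name"].lower() not in declared:
                    found.append(f"{comp['name']}@{comp.get('version', '?')}")
        return found

if __name__ == "__main__":
    print(phantom_components(build_sample_wheel()))  # ['libfoo@1.2.3']
```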