Software bill-of-materials (SBOM) documents could be included in Python packages as a way to improve their "measurability" and to address the "phantom dependency" problem in Python packages, under a Python Enhancement Proposal (PEP) now being floated at python.org.
Explaining the motivation for the proposal, created January 2, the authors state that Python packages are particularly affected by the phantom dependency problem: they often include software components not written in Python, for reasons such as compatibility with standards, ease of installation, or use cases such as machine learning that rely on compiled libraries written in C, C++, Rust, Fortran, and other languages. The proposal notes that the Python wheel format is preferred by users because of its ease of installation, but that format requires bundling shared compiled libraries and offers no way to encode metadata about them. Furthermore, projects related to Python packaging often need to solve the bootstrapping problem, and so vendor pure-Python projects inside their own source code; those components also cannot be described using Python package metadata and are therefore likely to be missed by software composition analysis (SCA) tools, which can mean vulnerable components are not reported accurately. Including an SBOM document that annotates all bundled libraries would let SCA tools reliably identify the included software.
Because SBOM is a technology- and ecosystem-agnostic method for describing software composition, provenance, heritage, and more, and because SBOMs are used as inputs to SCA tools such as vulnerability and license scanners, SBOMs could be used to improve the measurability of Python packages, the proposal states. Further, SBOMs are required by recent security regulations and guidance, such as NIST's Secure Software Development Framework (SSDF). Because of these requirements, demand for SBOM documents covering open source projects is expected to remain high, the proposal states. The PEP therefore proposes including SBOM documents in Python packages. It delegates SBOM-specific metadata to SBOM documents shipped inside the package and adds a core metadata field so that tools can discover those documents.
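To make the mechanism concrete, the following is an added illustration (not code from the PEP or from any packaging tool) of what an SCA scanner could do once a wheel carries a discoverable SBOM. The core metadata field name `Sbom-File`, the convention that its value is a path relative to the `.dist-info` directory, and the `sboms/` subdirectory are all assumptions made for the example; the article does not name them. The two wheels, the CycloneDX-style SBOM and the component names in them are constructed inline so the script runs offline.

```python
"""Discover SBOM documents inside a wheel and list the components they declare.

Added illustration, not code from the PEP or from any packaging tool.
Assumed for illustration: a core metadata field 'Sbom-File' whose value is a
path relative to the .dist-info directory, and SBOM files kept under
'<dist>-<ver>.dist-info/sboms/'. All wheel contents below are constructed.
"""
import io
import json
import posixpath
import zipfile
from email.parser import HeaderParser

SBOM_FIELD = "Sbom-File"  # assumed field name, see module docstring


def build_wheel(dist_info: str, metadata: str, extra_files: dict[str, bytes]) -> bytes:
    """Build a minimal in-memory wheel (a zip with a .dist-info/METADATA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{dist_info}/METADATA", metadata)
        for name, data in extra_files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_dist_info(zf: zipfile.ZipFile) -> str:
    """Locate the single top-level *.dist-info directory of a wheel."""
    for name in zf.namelist():
        top = name.split("/", 1)[0]
        if top.endswith(".dist-info"):
            return top
    raise ValueError("no .dist-info directory in wheel")


def sbom_components(wheel_bytes: bytes) -> list[tuple[str, str]]:
    """Return (name, version) for the distribution itself plus every component
    declared by the SBOM documents referenced from its core metadata.

    Without an SBOM, core metadata only describes the Python distribution, so
    bundled compiled or vendored components are invisible to the scanner: that
    is the phantom-dependency gap the proposal targets.
    """
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        dist_info = find_dist_info(zf)
        meta = HeaderParser().parsestr(zf.read(f"{dist_info}/METADATA").decode("utf-8"))
        found = [(meta["Name"], meta["Version"])]
        for rel in meta.get_all(SBOM_FIELD, []):
            # Never let a metadata value point outside the .dist-info directory.
            norm = posixpath.normpath(rel)
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                raise ValueError(f"refusing SBOM path outside dist-info: {rel!r}")
            doc = json.loads(zf.read(f"{dist_info}/{norm}"))
            # CycloneDX JSON keeps declared components in a top-level list.
            for comp in doc.get("components", []):
                found.append((comp["name"], comp.get("version", "")))
    return found


# Constructed sample: a wheel that bundles a compiled BLAS library and a
# vendored pure-Python project, and declares both in a CycloneDX SBOM.
DIST_INFO = "numeric_kit-1.0.dist-info"
SBOM_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libopenblas", "version": "0.3.21"},
        {"type": "library", "name": "vendored-packaging", "version": "24.0"},
    ],
}).encode("utf-8")

WHEEL_WITH_SBOM = build_wheel(
    DIST_INFO,
    f"Metadata-Version: 2.4\nName: numeric-kit\nVersion: 1.0\n{SBOM_FIELD}: sboms/bundled.cdx.json\n",
    {f"{DIST_INFO}/sboms/bundled.cdx.json": SBOM_DOC,
     "numeric_kit/libopenblas.so": b"\x7fELF...constructed placeholder..."},
)

# Same payload, no SBOM: the scanner sees only the Python distribution.
WHEEL_WITHOUT_SBOM = build_wheel(
    DIST_INFO,
    "Metadata-Version: 2.4\nName: numeric-kit\nVersion: 1.0\n",
    {"numeric_kit/libopenblas.so": b"\x7fELF...constructed placeholder..."},
)

if __name__ == "__main__":
    print("with SBOM:   ", sbom_components(WHEEL_WITH_SBOM))
    print("without SBOM:", sbom_components(WHEEL_WITHOUT_SBOM))
```

The path check matters because a metadata value becomes a file lookup inside the archive: a scanner that trusts it blindly could be steered to read an arbitrary zip member, so the example normalises the path and rejects anything that escapes the `.dist-info` directory before opening it.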