
Software bill-of-materials docs eyed for Python packages




Software bill-of-materials (SBOM) documents could be used in Python packages as a way to improve their "measurability" and to address the problem of "phantom dependencies" in Python packages, under a Python Enhancement Proposal (PEP) now being floated at python.org.

In explaining the motivation behind the proposal, created January 2, the authors state that Python packages are particularly affected by a phantom dependency problem, meaning they often include software components not written in Python for reasons such as compatibility with standards, ease of installation, or use cases such as machine learning that use compiled libraries from C, C++, Rust, Fortran, and other languages. The proposal notes that the Python wheel format is preferred by users because of its ease of installation, but this format requires bundling shared compiled libraries without a way to encode metadata about them. Furthermore, packages related to Python packaging often need to solve the bootstrapping problem, so they include pure Python projects within their source code, but these software components also cannot be described using Python package metadata and are therefore likely to be missed by software composition analysis (SCA) tools, which can mean vulnerable software components are not reported accurately. Inclusion of an SBOM document annotating all included libraries would enable SCA tools to reliably identify the included software.

Because SBOM is a technology- and ecosystem-agnostic method for describing software composition, provenance, heritage, and more, and because SBOMs are used as inputs for software composition analysis (SCA) tools, such as scanners for vulnerabilities and licenses, SBOMs could be used to improve the measurability of Python packages, the proposal states. Further, SBOMs are required by recent security regulations, such as the Secure Software Development Framework (SSDF). As a consequence of these regulations, demand for SBOM documents for open source projects is expected to remain high, the proposal states. Thus the PEP proposes using SBOM documents in Python packages. The proposal delegates SBOM-specific metadata to SBOM documents included in Python packages and adds a core metadata field for discoverability of included SBOM documents.
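To make the phantom-dependency problem concrete, the following script is an added example (not code from the PEP, its authors, or any packaging tool). It builds a small wheel in memory, lists the compiled artifacts that the wheel bundles but that Python package metadata cannot describe, and then looks for SBOM documents shipped next to the package metadata. The wheel contents, the `<dist>.dist-info/sboms/` location used for SBOM documents, and the CycloneDX-style JSON layout are all constructed assumptions for the demonstration; the article does not specify where the proposal places SBOM files.

```python
"""Audit a wheel for bundled compiled libraries ("phantom dependencies")
and for SBOM documents that would let an SCA tool see them.

Added example; the wheel layout below is constructed, not a real package,
and the dist-info/sboms/ location is an assumption for this demo."""
import io
import json
import zipfile
from pathlib import PurePosixPath

# File suffixes of compiled artifacts that a wheel may bundle but that
# Python core metadata (METADATA) has no way to describe.
COMPILED_SUFFIXES = {".so", ".pyd", ".dll", ".dylib", ".a"}


def build_sample_wheel(with_sbom: bool) -> bytes:
    """Construct an in-memory wheel: one extension module, one vendored
    shared library, core metadata, and optionally a CycloneDX-style SBOM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "from ._native import add\n")
        # Compiled extension and a vendored C library; payloads are fake ELF stubs.
        zf.writestr("demo/_native.cpython-312-x86_64-linux-gnu.so", b"\x7fELF-stub")
        zf.writestr("demo.libs/libfoo-abc123.so.1", b"\x7fELF-stub")
        zf.writestr(
            "demo-1.0.dist-info/METADATA",
            "Metadata-Version: 2.3\nName: demo\nVersion: 1.0\n",
        )
        zf.writestr("demo-1.0.dist-info/RECORD", "")
        if with_sbom:
            # Minimal CycloneDX JSON describing the vendored libfoo (constructed).
            sbom = {
                "bomFormat": "CycloneDX",
                "specVersion": "1.5",
                "components": [
                    {"type": "library", "name": "libfoo", "version": "1.2.3"}
                ],
            }
            zf.writestr("demo-1.0.dist-info/sboms/libfoo.cdx.json", json.dumps(sbom))
    return buf.getvalue()


def find_compiled_artifacts(wheel_bytes: bytes) -> list[str]:
    """Return every bundled compiled artifact, including versioned shared
    libraries such as libfoo.so.1 (hence the check over all suffixes)."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return sorted(
            name
            for name in zf.namelist()
            if any(s in COMPILED_SUFFIXES for s in PurePosixPath(name).suffixes)
        )


def find_sbom_documents(wheel_bytes: bytes) -> list[str]:
    """Return SBOM files found under <dist>.dist-info/sboms/ (assumed layout)."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return sorted(
            name
            for name in zf.namelist()
            if ".dist-info/sboms/" in name and not name.endswith("/")
        )


def sbom_component_names(wheel_bytes: bytes) -> set[str]:
    """Collect component names from any CycloneDX-style JSON SBOM in the wheel."""
    names: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for doc in find_sbom_documents(wheel_bytes):
            if doc.endswith(".json"):
                data = json.loads(zf.read(doc))
                for comp in data.get("components", []):
                    if comp.get("name"):
                        names.add(comp["name"])
    return names


def audit(wheel_bytes: bytes) -> dict:
    """Summarise what an SCA tool could and could not see in this wheel."""
    compiled = find_compiled_artifacts(wheel_bytes)
    sboms = find_sbom_documents(wheel_bytes)
    return {
        "compiled_artifacts": compiled,
        "sbom_documents": sboms,
        # Compiled code shipped with no SBOM is invisible to metadata-driven SCA.
        "phantom_risk": bool(compiled) and not sboms,
        "components": sorted(sbom_component_names(wheel_bytes)),
    }


if __name__ == "__main__":
    for label, flag in (("without SBOM", False), ("with SBOM", True)):
        print(label, json.dumps(audit(build_sample_wheel(flag)), indent=2))
```

Run against a real wheel by replacing `build_sample_wheel()` with the bytes of a downloaded `.whl`; the `phantom_risk` flag highlights packages whose native code would be invisible to a scanner that only reads Python metadata.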
