Project for generating a Software Bill-of-Materials (SBOM) for CPython release artifacts like source tarballs and binary installers.

SBOMs that have been generated by this script are available in the sboms/ directory.

NOTE SBOM generation infrastructure has been created and merged into CPython. You can now view and download SBOM files for CPython release artifacts. This repository is no longer required now that development has concluded.

• Determine the minimum elements of an SBOM from recommendations by downstream consumers:

  • NTIA Minimum Elements of an SBOM
    • Supplier Name
    • Component Name
    • Version of Component
    • Other Unique Identifiers
    • Dependency Relationship
    • Author of SBOM Data
    • Timestamp
  • SPDX Minimum Elements (How NTIA Minimum Elements maps to SPDX 2.3)
    • PackageSupplier
    • PackageName
    • PackageVersion
    • DocumentNamespace, SPDXID
    • Relationship (CONTAINS)
    • Creator (of the SBOM)
    • Created
  • Other mandatory SPDX 2.3 fields
    • SPDXVersion
    • DataLicense
    • SPDXID (for Document)
    • DocumentName
    • PackageDownloadLocation
    • FilesAnalyzed
    • Relationship (SPDXRef-DOCUMENT DESCRIBES primary package)

• Determine the recommended elements of an SBOM:

  • NTIA Minimum Elements of an SBOM
    • Hash of component
    • Lifecycle Phase
    • Other Component Relationships
    • License information

• Find projects/files of interest that are bundled along with CPython source tarball:

  • curl https://www.python.org/ftp/python/3.11.5/Python-3.11.5.tgz -o Python-3.11.5.tgz
  • tar -xzvf Python-3.11.5.tgz
  • find . -regex '.*/\(README\|LICEN\[SC\]\|COPYING\|NOTICE\).*' >> files-of-interest.txt
  • grep 'license' -ilR . >> files-of-interest.txt
  • sort files-of-interest.txt | uniq -u

• Categorize all the files of interest based on whether there is a component that's sourced differently than CPython. Take note of all of these occurrences. These are captured programmatically in build-sbom.py.

CC0-1.0