Provide ability to emit SPDX SBOM formats #251

Open
lumjjb opened this issue Apr 22, 2022 · 17 comments
Labels
component:output-formats Supported output formats enhancement New feature or request

Comments

@lumjjb

lumjjb commented Apr 22, 2022

Is your feature request related to a problem? Please describe.

I would like to be able to generate SPDX SBOM format ('spdx-json' and 'spdx-xml') documents for an application so that I can integrate with other SPDX tooling.

Describe the solution you'd like

I would like there to be an option to emit SPDX format SBOMs and/or CycloneDX SBOMs (CycloneDX already implemented based on discussion in #3).

Describe alternatives you've considered

Alternative solutions would be taking the output of cycloneDX formats and converting it to SPDX format. However, this relies on external tooling which may not have proper conformance testing or maintenance going forward. In addition, the different specifications are working towards new directions (i.e. SPDX with build profiles), and relying on native libraries would be preferred.

@lumjjb lumjjb added the enhancement New feature or request label Apr 22, 2022
@woodruffw woodruffw added the component:output-formats Supported output formats label Apr 22, 2022
@woodruffw
Member

Thanks for the request, @lumjjb!

When we started designing pip-audit, we selected CycloneDX over SPDX solely because of better Python bindings/library support. That was close to a year ago at this point and so things may have changed, but selecting a reasonable dependency for emitting SPDX SBOMs will be the first step here 🙂

@lumjjb
Author

lumjjb commented Apr 22, 2022

Awesome! Sounds good :D.

@swinslow would you be able to recommend some python libraries to look at?

@woodruffw
Member

I did a little bit more searching, and couldn't find a good Python library for SPDX SBOM generation (but I might have completely missed it!)

Still open to suggestions here. Otherwise, when we prioritize this, we may have to hand-roll the format.

@lumjjb
Author

lumjjb commented Jul 27, 2022

Let me ask around and do some searching too! I'll get back to you!

@lumjjb
Author

lumjjb commented Jul 27, 2022

Quick question: did you manage to take a look at https://github.com/spdx/tools-python/? What are some interfaces/structures that you think are needed to make it more useful to consume the library?

(Asking this also because I'm working on the golang library :))

@woodruffw
Member

I think I saw that repository, but might have mentally categorized it as a CLI tool rather than a Python API. But it looks like it does have a Python API, so I'll take another look, thanks!

@woodruffw
Member

> What are some interfaces/structures that you think are needed to make it more useful to consume the library?

I might be able to answer this on my own, but in case you know it immediately: where are the right models for generating a "vulnerability profile" for each dependency listed in the SBOM? I see it was standardized here: spdx/spdx-spec#510, and I think that's what we'll need in the context of pip-audit.
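
Two points in this thread invite a concrete illustration: the remark above that pip-audit may have to hand-roll the SPDX format if no suitable library turns up, and the question of where per-dependency vulnerability information goes in an SPDX document. The block below is an added example, not pip-audit's code and not the spdx/tools-python API: it hand-rolls a minimal SPDX 2.3 JSON document from a resolved package list, attaches advisories as SECURITY/advisory external references (the mechanism SPDX 2.3 offers; the SPDX 3 profile work mentioned later in the thread models vulnerabilities differently), and runs the sanity checks a consumer would apply before trusting the file. The package list, advisory URL, tool name and namespace host are constructed placeholders.

```python
"""Minimal SPDX 2.3 JSON SBOM emitter for resolved Python packages.

Added example, not pip-audit's code. Field names follow the SPDX 2.3 JSON
serialization; the package list and advisory URL below are constructed.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# SPDX 2.3 restricts element identifiers to "SPDXRef-" plus letters, digits,
# '.' and '-'; the underscore common in Python distribution names is not allowed.
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")

# Constructed sample input: (distribution name, version, advisory URLs).
# The advisory URL is a placeholder, not a real vulnerability reference.
SAMPLE_PACKAGES = [
    ("requests", "2.25.0", ["https://advisory.example.invalid/ADV-0001"]),
    ("typing_extensions", "4.0.0", []),
]


def spdx_id_for(name: str, version: str) -> str:
    """Build a conformant SPDXID, mapping disallowed characters to '-'."""
    safe = re.sub(r"[^A-Za-z0-9.-]", "-", f"{name}-{version}")
    spdx_id = f"SPDXRef-Package-{safe}"
    if not SPDX_ID_RE.match(spdx_id):
        raise ValueError(f"cannot form a valid SPDXID from {name!r} {version!r}")
    return spdx_id


def pypi_purl(name: str, version: str) -> str:
    """purl for PyPI: the name is lowercased and '_' normalized to '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def package_entry(name: str, version: str, advisories: list) -> dict:
    """One SPDX package; each known advisory becomes a SECURITY external ref."""
    refs = [{
        "referenceCategory": "PACKAGE-MANAGER",
        "referenceType": "purl",
        "referenceLocator": pypi_purl(name, version),
    }]
    refs.extend({
        "referenceCategory": "SECURITY",
        "referenceType": "advisory",
        "referenceLocator": url,
    } for url in advisories)
    return {
        "SPDXID": spdx_id_for(name, version),
        "name": name,
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "externalRefs": refs,
    }


def build_spdx_document(packages, doc_name="pip-audit-example",
                        created=None, namespace_uuid=None) -> dict:
    """Assemble the document. The creator tool name is a placeholder."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    namespace_uuid = namespace_uuid or str(uuid.uuid4())
    entries = [package_entry(n, v, a) for n, v, a in packages]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        # Must be globally unique; a UUID under a host you control is typical.
        "documentNamespace": f"https://example.invalid/spdxdocs/{doc_name}-{namespace_uuid}",
        "creationInfo": {"created": created, "creators": ["Tool: example-sbom-emitter-0.1"]},
        "packages": entries,
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT",
             "relationshipType": "DESCRIBES",
             "relatedSpdxElement": e["SPDXID"]}
            for e in entries
        ],
    }


def validate(doc: dict) -> list:
    """Consumer-side checks: required fields present, SPDXIDs well-formed and
    unique, and every relationship endpoint resolving to a known element."""
    errors = []
    for field in ("spdxVersion", "dataLicense", "SPDXID", "name",
                  "documentNamespace", "creationInfo", "packages"):
        if field not in doc:
            errors.append(f"missing required field {field}")
    seen = {doc.get("SPDXID")}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "")
        if not SPDX_ID_RE.match(pid):
            errors.append(f"malformed SPDXID {pid!r}")
        elif pid in seen:
            errors.append(f"duplicate SPDXID {pid!r}")
        seen.add(pid)
    for rel in doc.get("relationships", []):
        for end in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(end) not in seen:
                errors.append(f"relationship references unknown element {rel.get(end)!r}")
    return errors


def to_json(doc: dict) -> str:
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    document = build_spdx_document(SAMPLE_PACKAGES)
    assert validate(document) == []
    print(to_json(document))
```

The `validate` step is the part worth keeping even if a library eventually does the emitting: an SPDX document whose relationships point at identifiers that do not exist, or whose identifiers contain characters the grammar forbids, will be rejected or silently mis-parsed by downstream SPDX tooling, which defeats the interoperability goal this issue is about.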

@lumjjb
Author

lumjjb commented Jul 27, 2022

Ah yeah, if I'm not wrong, I think that effort was renamed to "Defects Profile", and it was for the use case of reporting vulnerabilities as part of the SPDX document! spdx/spdx-spec#733

I love your suggestion of using the profiles as ways to organize and define the interfaces! As more of the SPDX profiles get defined, this will be a great way to build up the libraries. Thank you!

@woodruffw
Member

Circling back here: we have this scoped in another round of work, so we should be adding support relatively soon!

We still don't have a good dependency pinned down for generating these SBOMs, however.

@lumjjb
Author

lumjjb commented Sep 28, 2022

Thanks for checking back! I believe that there's on-going OpenSSF funding request for the python library: ossf/sbom-everywhere#6

Is this something that you are participating / interested in?

@woodruffw
Member

I think so! We have a decent amount of prior experience with SBOM generation, including contributing to other SBOM libraries for Python.

What's the best way to proceed here? Is there a specific OSSF point-of-contact that Trail of Bits should email?

@anthonyharrison

Have a look at SBOM4PYTHON, which might do what you need. It generates both SPDX and CycloneDX SBOMs for an installed Python module and all its associated dependencies.

@lumjjb
Author

lumjjb commented Oct 25, 2022

@woodruffw sorry I missed this. I think this is the issue for the Python lib funding, ossf/sbom-everywhere#6, that @joshbressers has been shepherding.

@woodruffw
Member

No problem! Thanks for the update.

And thanks for the link @anthonyharrison!

@joshbressers

> I think so! We have a decent amount of prior experience with SBOM generation, including contributing to other SBOM libraries for Python.
>
> What's the best way to proceed here? Is there a specific OSSF point-of-contact that Trail of Bits should email?

@woodruffw I've pointed Kate Stewart at this issue, she should be able to hook you up with the folks working on that SBOM library. Feel free to also follow along on the issue @lumjjb added

@kestewart

@woodruffw - I've pointed the developers at this thread, so hopefully they'll chime in directly. There's a weekly call on Thursdays at 8:30 Pacific where we discuss next steps, etc. You're welcome to join in. Email me directly and I'll point you at details if you want to participate.

Similarly, there's spdx/tools-python#244 where the refactoring/cleanup of the python libraries is being discussed.

@woodruffw
Member

Thanks a ton @kestewart! I'm happy to join the weekly call; I'll be in contact over email.

5 participants