astral-sh / uv

An extremely fast Python package and project manager, written in Rust.
https://docs.astral.sh/uv
Apache License 2.0
25.22k stars 732 forks source link

FR: Software Bill of Materials (SBOM) output #6012

Open chrisrodrigue opened 2 months ago

chrisrodrigue commented 2 months ago

uv is in a prime position to be able to emit an SBOM that reflects the state of the current uv-managed virtual environment, or ingest an SBOM to produce a managed virtual environment.

SBOM requirements supersede any existing PEP. Executive Order 14028 demands SBOM documentation from all vendors to the US government by September 2023. It is reasonable to assume that uv may indirectly fall under this executive order if there are downstream users of uv that provide software to the US government.

It would be awesome if uv could emit an SBOM in one of the industry standard formats. CycloneDX is one such SBOM standard. I think uv may already have all the metadata necessary to output one.

SBOM support would greatly improve the security posture of uv and uv-managed projects.

kdeldycke commented 2 months ago

As hinted previously, you can use my Meta Package Manager CLI in the mean time to export the SBOM of a uv environment:

$ mpm --uv sbom --spdx                   
info: User selection of managers by priority: > uv
info: Managers dropped by user: None
info: Print SPDX export to <stdout>
info: Export packages from uv...
{
    "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {
        "created": "2024-08-02T23:29:10Z",
        "creators": [
            "Tool: meta-package-manager-5.18.1"
        ]
    },
    "dataLicense": "CC0-1.0",
    "name": "macOS-Darwin-23.6.0-arm64",
    "spdxVersion": "SPDX-2.3",
    "documentNamespace": "https://github.com/kdeldycke/meta-package-manager/releases/tag/v5.18.1/fdcf50b29504cc4c0df620af2283ed3",
    "packages": [
        {
            "SPDXID": "SPDXRef-pkg-uv-alabaster-0.7.16",
            "downloadLocation": "https://www.example.com",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE_MANAGER",
                    "referenceLocator": "pkg:uv/alabaster@0.7.16",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "name": "alabaster",
            "primaryPackagePurpose": "INSTALL",
            "supplier": "Organization: UV",
            "versionInfo": "0.7.16"
        },
        {
            "SPDXID": "SPDXRef-pkg-uv-arrow-1.3.0",
            "downloadLocation": "https://www.example.com",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE_MANAGER",
                    "referenceLocator": "pkg:uv/arrow@1.3.0",
                    "referenceType": "purl"
                }
            ],
            "filesAnalyzed": false,
            "name": "arrow",
            "primaryPackagePurpose": "INSTALL",
            "supplier": "Organization: UV",
            "versionInfo": "1.3.0"
        },
...
chrisrodrigue commented 4 days ago

Taking a CycloneDX BOM as input could also be an awesome way to set up a venv.

Any python components in the BOM would have a PyPI purl, which uv could read and sync with pyproject.toml and the managed venv.

See related issue here regarding purl support: https://github.com/astral-sh/uv/issues/8265