Closed: sethmlarson closed this 7 months ago
How should this be run?
❯ p sbom.py
Traceback (most recent call last):
File "/Users/hugo/github/release-tools/sbom.py", line 274, in <module>
tarball_path = sys.argv[1]
~~~~~~~~^^^
IndexError: list index out of range
❯ p sbom.py -h
Traceback (most recent call last):
File "/Users/hugo/github/release-tools/sbom.py", line 277, in <module>
create_sbom_for_source_tarball(tarball_path), indent=2, sort_keys=True
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/hugo/github/release-tools/sbom.py", line 103, in create_sbom_for_source_tarball
raise ValueError(f"Unknown tarball format: '{tarball_name}'")
ValueError: Unknown tarball format: '-h'
❯ p sbom.py /tmp/downloads/Python-3.13.0a2.tgz
Traceback (most recent call last):
File "/Users/hugo/github/release-tools/sbom.py", line 277, in <module>
create_sbom_for_source_tarball(tarball_path), indent=2, sort_keys=True
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/hugo/github/release-tools/sbom.py", line 117, in create_sbom_for_source_tarball
sbom_bytes = tarball.extractfile(tarball.getmember("Misc/sbom.spdx.json")).read()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/tarfile.py", line 1984, in getmember
raise KeyError("filename %r not found" % name)
KeyError: "filename 'Misc/sbom.spdx.json' not found"
I got a similar KeyError running from the CPython repo.
@hugovk Sorry for sending you on a wild goose chase! I actually had to modify the 3.13.0a2 release tarball by adding the Misc/sbom.spdx.json file into the archive in order to test the tool. 3.13.0a3 will be the first actual CPython release that has the source tree dependencies SBOM. I'll note that in the top issue to not confuse other folks.
Okay, this is ready for review. Depends on https://github.com/python/release-tools/pull/84 being merged first. cc @hugovk. Note that the only tarball with an SBOM available is 3.13.0a3.
You can test the SBOM generation with: $ python sbom.py Python-3.13.0a3.tgz
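A defensive version of the tarball lookup that turns the two tracebacks above (the '-h' name and the missing Misc/sbom.spdx.json member) into explicit errors. This is an added example, not the release-tools sbom.py; it assumes the SBOM member sits either at the archive root or under the usual Python-<version>/ top-level directory, and it builds its own constructed sample tarballs so it runs offline.

```python
import io, json, os, re, tarfile, tempfile

# Constructed stand-in for Misc/sbom.spdx.json; the real document is much larger.
SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "name": "CPython-3.13.0a3", "packages": []}
TARBALL_RE = re.compile(r"^Python-\d+\.\d+\.\d+(?:(?:a|b|rc)\d+)?\.tgz$")
SBOM_PATH = "Misc/sbom.spdx.json"


class SbomNotFound(KeyError):
    """The tarball predates the in-tree SBOM (first shipped with 3.13.0a3)."""


def source_sbom_from_tarball(tarball_path: str) -> dict:
    """Parse the SBOM inside a CPython source tarball; refuse ambiguous archives."""
    name = os.path.basename(tarball_path)
    if not TARBALL_RE.match(name):  # reject '-h' and other non-release names early
        raise ValueError(f"Unknown tarball format: {name!r} (expected Python-X.Y.Z.tgz)")
    stem = name[:-4]  # 'Python-3.13.0a3'
    wanted = {SBOM_PATH, f"{stem}/{SBOM_PATH}"}
    with tarfile.open(tarball_path, "r:gz") as tarball:
        hits = [m for m in tarball.getmembers() if m.isfile() and m.name in wanted]
        if not hits:
            raise SbomNotFound(f"{name} has no {SBOM_PATH}; SBOMs ship from 3.13.0a3 on")
        if len(hits) > 1:  # two candidates means we cannot tell which one is authoritative
            raise ValueError(f"{name} holds {len(hits)} copies of {SBOM_PATH}")
        return json.load(tarball.extractfile(hits[0]))


def build_sample_tarball(path: str, include_sbom: bool) -> None:
    """Write a tiny constructed tarball using the Python-<version>/ layout."""
    top = os.path.basename(path)[:-4]
    with tarfile.open(path, "w:gz") as tarball:
        if include_sbom:
            payload = json.dumps(SAMPLE_SBOM).encode()
            info = tarfile.TarInfo(f"{top}/{SBOM_PATH}")
            info.size = len(payload)
            tarball.addfile(info, io.BytesIO(payload))


def check_layouts() -> dict:
    """Reproduce the three runs from the issue: 3.13.0a3, 3.13.0a2 and '-h'."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Python-3.13.0a3.tgz")
        build_sample_tarball(good, include_sbom=True)
        out["a3"] = source_sbom_from_tarball(good)["spdxVersion"]
        old = os.path.join(d, "Python-3.13.0a2.tgz")
        build_sample_tarball(old, include_sbom=False)  # pre-SBOM release, no member
        for label, path in (("a2", old), ("-h", os.path.join(d, "-h"))):
            try:
                source_sbom_from_tarball(path)
            except (SbomNotFound, ValueError) as exc:
                out[label] = type(exc).__name__
    return out
```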
Thanks for the reviews! I've applied the suggestions :)
Part of https://github.com/python/cpython/issues/112302
So this is a decent amount of code to review, but it does indeed check all the boxes that I want SBOMs for source tarball artifacts to check. This likely won't be the final state of this module; I think the end goal is to stitch it into the release process at various points.
You can see the generated SBOM in this Gist: https://gist.github.com/sethmlarson/103891c6cac4d41b11daab89e6c84868
Here are the criteria the generated SBOM meets: