Tree shaking for the minimal viable SBOM.
Project description
sbom
Tree shaking for the minimal viable software bill of materials (SBOM).
TODO: Third party dependencies are documented in the folder third-party.
Status
Experimental.
Terminology
- baseline - mandatory elements
- consume - an SBOM
- crypto - hashing, signing, and signature validation
- extension - sets of elements mandatory in addition to baseline
- fuzz - generate surrogate and poisoned SBOMs
- merge - an SBOM with other SBOMs or additional information
- mock - provide optimal testability
- policy - to apply
- produce - an SBOM
- report - anything from produce, transform, and consume
- rule - executing policies
- transform - one SBOM into another SBOM
Safety, Security, and Data Protection Considerations
The current implementation SHALL only digest trustworthy data.
Schema validation of JSON and XML formats requires specific measures to
minimize vulnerabilities.
For example: The python xml parser implementation (etree) in
use is presumably vulnerable against some attacks like billion laughs
and quadratic blowup.
Plans are to move towards a safer implementation like defusedxml
or any other hardened implementation.
The situation is similar for the JSON formats.
In summary and repeating the obvious:
The current implementation SHALL only digest trustworthy data.
Note: The default branch is default
.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for sbom-2022.7.17-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | a69455eac330dc55809655845279c1789713289e71d8ab1cc9948490a6dc669e |
|
MD5 | 34d580f168cc285efc44b336f562f463 |
|
BLAKE2b-256 | a6f707876187c6bf3be4cefe71b4a49c198bbe4897e4b5d1373cdda08f66a9e1 |