cyclonedx / cyclonedx-python-lib
Python implementation of OWASP CycloneDX
Home Page: https://cyclonedx.org/
License: Apache License 2.0
Raised in #51, an example of a valid Conda package URL (https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2#d7c89558ba9fa0495403155b64376d81) has been provided which breaks our parsing logic.
Specification for Conda packages is here, but this doesn't seem to be deterministic in all cases unfortunately.
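As an added example (not code from cyclonedx-python-lib), one way to parse a Conda package URL such as the one above deterministically: the filename is `<name>-<version>-<build>.<ext>`, and because the version and build string never contain a hyphen, splitting from the right on the last two hyphens recovers all three parts even when the name itself contains hyphens or underscores. `conda list --explicit` emits URLs of the same shape, one per line. The class and function names (`CondaPackageUrl`, `parse_conda_url`, `is_valid_conda_url`, `to_purl`) are chosen here; the qualifier set in `to_purl` follows the purl spec's `pkg:conda` example, and keeping `:` and `/` unencoded in qualifier values is this example's own choice.

```python
"""Added example (not cyclonedx-python-lib code): parse Conda package URLs and
derive a pkg:conda package URL (purl) from them."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote, urlsplit

# conda ships packages either as the legacy .tar.bz2 or the newer .conda format
_EXTENSIONS = (".conda", ".tar.bz2")
_MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


@dataclass(frozen=True)
class CondaPackageUrl:
    channel: str          # e.g. "conda-forge" or "pkgs/main" (may span several path segments)
    subdir: str           # platform directory, e.g. "linux-64" or "noarch"
    name: str
    version: str
    build: str
    extension: str        # "tar.bz2" or "conda"
    md5: Optional[str]    # URL fragment, present in conda-forge / `conda list --explicit` URLs


def parse_conda_url(url: str) -> CondaPackageUrl:
    """Split https://<host>/<channel...>/<subdir>/<name>-<version>-<build>.<ext>#<md5>."""
    parts = urlsplit(url)
    md5 = parts.fragment or None
    if md5 is not None and not _MD5_RE.fullmatch(md5):
        raise ValueError(f"fragment is not a 32-hex-digit MD5: {md5!r}")

    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3:
        raise ValueError("expected path .../<channel>/<subdir>/<filename>")
    *channel_segments, subdir, filename = segments

    extension = next((e for e in _EXTENSIONS if filename.endswith(e)), None)
    if extension is None:
        raise ValueError(f"unknown package extension in {filename!r}")
    stem = filename[: -len(extension)]

    # <name>-<version>-<build>: only the name may contain '-', so split from the right
    pieces = stem.rsplit("-", 2)
    if len(pieces) != 3 or not all(pieces):
        raise ValueError(f"filename does not look like name-version-build: {filename!r}")
    name, version, build = pieces
    return CondaPackageUrl("/".join(channel_segments), subdir, name, version, build,
                           extension.lstrip("."), md5)


def is_valid_conda_url(url: str) -> bool:
    try:
        parse_conda_url(url)
        return True
    except ValueError:
        return False


def to_purl(pkg: CondaPackageUrl) -> str:
    """Render as a purl with the qualifiers the purl spec uses for pkg:conda."""
    qualifiers = {"build": pkg.build, "channel": pkg.channel,
                  "subdir": pkg.subdir, "type": pkg.extension}
    # qualifier keys sorted; values percent-encoded except ':' and '/' (kept readable, an
    # encoding choice made for this example)
    query = "&".join(f"{k}={quote(v, safe=':/')}" for k, v in sorted(qualifiers.items()))
    return f"pkg:conda/{quote(pkg.name, safe='')}@{quote(pkg.version, safe='')}?{query}"
```

The `#md5` fragment is optional in the grammar but, when present, is the only integrity value the URL carries, so a consumer that builds a Component from it should copy it into the component's hashes rather than drop it.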
As identified in #67, this library does not yet support external references at the BOM level.
This feature will add support for External References at the root BOM.
Example from cyclonedx-python:
py3.7 run-test: commands[2] | poetry run coverage run --source=cyclonedx_py -m unittest discover -s tests
Traceback (most recent call last):
File "C:\hostedtoolcache\windows\Python\3.7.9\x64\lib\runpy.py", line 193, in _run_module_as_main
"__main__", mod_spec)
File "C:\hostedtoolcache\windows\Python\3.7.9\x64\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\Scripts\cyclonedx-py.exe\__main__.py", line 7, in <module>
File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\lib\site-packages\cyclonedx_py\client.py", line 211, in main
CycloneDxCmd(args).execute()
File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\lib\site-packages\cyclonedx_py\client.py", line 97, in execute
output.output_to_file(filename=output_filename, allow_overwrite=self._arguments.output_file_overwrite)
File "D:\a\cyclonedx-python\cyclonedx-python\.tox\py3.7\lib\site-packages\cyclonedx\output\__init__.py", line 73, in output_to_file
f_out.write(self.output_as_string())
File "C:\hostedtoolcache\windows\Python\3.7.9\x64\lib\encodings\cp1252.py", line 19, in encode
return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\u0141' in position 1805: character maps to <undefined>
some runtime-dependencies are actually dev-dependencies:
acc / cit
as they might be needed by others in upstream, we still might add them as an extra called "typing"
The Component class' __hash__ implementation attempts to hash an unhashable list of Property objects if present. This prevents Component objects from being compared, which in turn prevents one from adding Component objects to Bom objects via Bom's add_component method.
Example:
from cyclonedx.model.component import Component
from cyclonedx.model import Property
component1 = Component("component 1", properties=[Property("prop 1", "value 1")])
component2 = Component("component 2")
component1 == component2
Results in
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/lib/python3.8/site-packages/cyclonedx/model/component.py", line 508, in __eq__
return hash(other) == hash(self)
File "/lib/python3.8/site-packages/cyclonedx/model/component.py", line 512, in __hash__
return hash((
TypeError: unhashable type: 'list'
Library version: 1.3.0
OS: CentOS 8
See https://github.com/CycloneDX/cyclonedx-python-lib/runs/4595932920?check_suite_focus=true.
This appears to be the case since #93 was merged.
FYI: @jkowalleck
Hi there!
I'm trying to emit a CycloneDX SBOM in pypa/pip-audit#109, including vulnerability information via the Vulnerability model. Everything works swimmingly when I serialize to XML:
<?xml version="1.0" encoding="UTF-8"?>
<bom serialNumber="urn:uuid:5f03d520-4ca9-4025-8781-b0711cc98cda" version="1" xmlns="http://cyclonedx.org/schema/bom/1.3" xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0">
<metadata>
<timestamp>2021-11-09T18:46:43.718858+00:00</timestamp>
<tools>
<tool>
<vendor>CycloneDX</vendor>
<name>cyclonedx-python-lib</name>
<version>0.10.0</version>
</tool>
</tools>
</metadata>
  <components>
    <component bom-ref="pkg:pypi/docker-py@1.2.3" type="library">
      <name>docker-py</name>
      <version>1.2.3</version>
      <purl>pkg:pypi/docker-py@1.2.3</purl>
    </component>
    <component bom-ref="pkg:pypi/certifi@2021.10.8" type="library">
      <name>certifi</name>
      <version>2021.10.8</version>
      <purl>pkg:pypi/certifi@2021.10.8</purl>
    </component>
    <component bom-ref="pkg:pypi/charset-normalizer@2.0.7" type="library">
      <name>charset-normalizer</name>
      <version>2.0.7</version>
      <purl>pkg:pypi/charset-normalizer@2.0.7</purl>
    </component>
    <component bom-ref="pkg:pypi/idna@3.3" type="library">
      <name>idna</name>
      <version>3.3</version>
      <purl>pkg:pypi/idna@3.3</purl>
    </component>
    <component bom-ref="pkg:pypi/pip@21.3.1" type="library">
      <name>pip</name>
      <version>21.3.1</version>
      <purl>pkg:pypi/pip@21.3.1</purl>
    </component>
    <component bom-ref="pkg:pypi/requests@2.26.0" type="library">
      <name>requests</name>
      <version>2.26.0</version>
      <purl>pkg:pypi/requests@2.26.0</purl>
    </component>
    <component bom-ref="pkg:pypi/setuptools@40.6.2" type="library">
      <name>setuptools</name>
      <version>40.6.2</version>
      <purl>pkg:pypi/setuptools@40.6.2</purl>
    </component>
    <component bom-ref="pkg:pypi/six@1.16.0" type="library">
      <name>six</name>
      <version>1.16.0</version>
      <purl>pkg:pypi/six@1.16.0</purl>
    </component>
    <component bom-ref="pkg:pypi/urllib3@1.26.7" type="library">
      <name>urllib3</name>
      <version>1.26.7</version>
      <purl>pkg:pypi/urllib3@1.26.7</purl>
    </component>
    <component bom-ref="pkg:pypi/pyyaml@5.3" type="library">
      <name>pyyaml</name>
      <version>5.3</version>
      <purl>pkg:pypi/pyyaml@5.3</purl>
      <v:vulnerabilities>
        <v:vulnerability ref="pkg:pypi/pyyaml@5.3">
          <v:id>PYSEC-2020-96</v:id>
          <v:description>A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>Upgrade: 5.3.1</v:advisory>
          </v:advisories>
        </v:vulnerability>
        <v:vulnerability ref="pkg:pypi/pyyaml@5.3">
          <v:id>PYSEC-2021-142</v:id>
          <v:description>A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.</v:description>
          <v:recommendations>
            <v:recommendation>Upgrade</v:recommendation>
          </v:recommendations>
          <v:advisories>
            <v:advisory>Upgrade: 5.4</v:advisory>
          </v:advisories>
        </v:vulnerability>
      </v:vulnerabilities>
    </component>
  </components>
</bom>
...but when I serialize to JSON, I don't see the Vulnerability models:
{
"bomFormat": "CycloneDX",
"specVersion": "1.3",
"serialNumber": "urn:uuid:f944e708-ff5f-4ce1-bd4f-c8c4ab73fee1",
"version": 1,
  "components": [
    {
      "type": "library",
      "name": "docker-py",
      "version": "1.2.3",
      "purl": "pkg:pypi/docker-py@1.2.3"
    },
    {
      "type": "library",
      "name": "certifi",
      "version": "2021.10.8",
      "purl": "pkg:pypi/certifi@2021.10.8"
    },
    {
      "type": "library",
      "name": "charset-normalizer",
      "version": "2.0.7",
      "purl": "pkg:pypi/charset-normalizer@2.0.7"
    },
    {
      "type": "library",
      "name": "idna",
      "version": "3.3",
      "purl": "pkg:pypi/idna@3.3"
    },
    {
      "type": "library",
      "name": "pip",
      "version": "21.3.1",
      "purl": "pkg:pypi/pip@21.3.1"
    },
    {
      "type": "library",
      "name": "requests",
      "version": "2.26.0",
      "purl": "pkg:pypi/requests@2.26.0"
    },
    {
      "type": "library",
      "name": "setuptools",
      "version": "40.6.2",
      "purl": "pkg:pypi/setuptools@40.6.2"
    },
    {
      "type": "library",
      "name": "six",
      "version": "1.16.0",
      "purl": "pkg:pypi/six@1.16.0"
    },
    {
      "type": "library",
      "name": "urllib3",
      "version": "1.26.7",
      "purl": "pkg:pypi/urllib3@1.26.7"
    },
    {
      "type": "library",
      "name": "pyyaml",
      "version": "5.3",
      "purl": "pkg:pypi/pyyaml@5.3"
    }
  ],
"metadata": {
"timestamp": "2021-11-09T18:54:54.216112+00:00",
"tools": [
{
"vendor": "CycloneDX",
"name": "cyclonedx-python-lib",
"version": "0.10.0"
}
]
}
}
Is this intentional? I would have expected it to be present in both formats, and the examples on cyclonedx.org seem to imply that the JSON format should also include vulnerability information.
as a <> i want build artifacts added to a release, so PyPI is not my single point of source.
use https://github.com/actions/upload-release-asset to add the wheel (build/*.whl) and source (build/*.tar.gz) artifacts to the release
how to do it: see an example here: https://github.com/k4cg/nichtparasoup/blob/3.0-dev/.github/workflows/release.yaml
build artifacts to store
We currently don't support pipenv's Pipfile.lock. This feature should add support for this.
Thanks for this!
I know poetry makes it easy to lock every little thing down, and it makes testing easier, higher assurance, yadda yadda, but practically, it's quite inflexible when the effective ranges are very small... and on a self-declared lib to boot.
Specifically, hooray for declaring a setuptools dependency: so many pkgutils-using packages forget to.
However the size of the range covered by setuptools ^50.3.2 makes it relatively hard to appease (as in: exactly 1 version).
Selfishly, this is blocking me downstream in packaging this and ultimately jake 1.x for conda-forge.
The same goes for importlib_metadata which unfortunately gets pinned in a number of packages, and seems to change a lot for a backport package.
Anyhow: would the maintainers be open to a PR that:
- setuptools to be something more like >=50.3.2,<59
In the meantime, I may try patching the pin over on conda-forge and running the full test suite...
When trying to create a SBOM I get below failure
Pipfile.lock has dependencies under default that do not have the index property
cyclonedx-py --pip --pip-file Pipfile.lock -o bom/bom.xml
Traceback (most recent call last):
File "/usr/local/bin/cyclonedx-py", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 232, in main
CycloneDxCmd(args).execute()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 87, in execute
output = self.get_output()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 51, in get_output
parser = self._get_input_parser()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 200, in _get_input_parser
return PipEnvFileParser(pipenv_lock_filename=pipfile_lock_file)
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/pipenv.py", line 56, in __init__
super(PipEnvFileParser, self).__init__(pipenv_contents=r.read())
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/pipenv.py", line 38, in __init__
if package_data['index'] == 'pypi':
KeyError: 'index'
Snippet from my Pipfile.lock; FastAPI is the only dependency found in my Pipfile and is the only one with index
{
"_meta": {
"hash": {
"sha256": "1aa5cc0cbb58a7e87ec73a2cb334c49b65b31a165451fef0****"
},
"pipfile-spec": 6,
"requires": {
"python_version": "3.9"
},
"sources": [
{
"name": "pypi",
"url": "https://artifactory.jfrog.*****.com/artifactory/api/pypi/pypi/simple",
"verify_ssl": true
}
]
},
"default": {
"anyio": {
"hashes": [
"sha256:56ceaeed2877723578b1341f4f68c29081db189cfb40a97d1922b9513f6d7db6",
"sha256:8eccec339cb4a856c94a75d50fc1d451faf32a05ef406be462e2efc59c9838b0"
],
"markers": "python_full_version >= '3.6.2'",
"version": "==3.3.3"
},
"asgiref": {
"hashes": [
"sha256:4ef1ab46b484e3c706329cedeff284a5d40824200638503f5768edb6de7d58e9",
"sha256:ffc141aa908e6f175673e7b1b3b7af4fdb0ecb738fc5c8b88f69f055c2415214"
],
"markers": "python_full_version >= '3.6.0'",
"version": "==3.4.1"
},
"certifi": {
"hashes": [
"sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872",
"sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569"
],
"version": "==2021.10.8"
},
"charset-normalizer": {
"hashes": [
"sha256:e019de665e2bcf9c2b64e2e5aa025fa991da8720daa3c1138cadd2fd1856aed0",
"sha256:f7af805c321bfa1ce6714c51f254e0d5bb5e5834039bc17db7ebe3a4cec9492b"
],
"markers": "python_version >= '3'",
"version": "==2.0.7"
},
"click": {
"hashes": [
"sha256:353f466495adaeb40b6b5f592f9f91cb22372351c84caeb068132442a4518ef3",
"sha256:410e932b050f5eed773c4cda94de75971c89cdb3155a72a0831139a79e5ecb5b"
],
"markers": "python_full_version >= '3.6.0'",
"version": "==8.0.3"
},
"fastapi": {
"hashes": [
"sha256:66da43cfe5185ea1df99552acffd201f1832c6b364e0f4136c0a99f933466ced",
"sha256:a36d5f2fad931aa3575c07a3472c784e81f3e664e3bb5c8b9c88d0ec1104f59c"
],
"index": "pypi",
"version": "==0.70.0"
},
...
I also get error if I try to create a requirements.txt from Pipfile and scan that
pipenv lock -r > requirements.txt
cyclonedx-py -r -rf requirements.txt -o bom/bom.xml
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 98, in __init__
req = REQUIREMENT.parseString(requirement_string)
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1654, in parseString
raise exc
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1644, in parseString
loc, tokens = self._parse( instring, 0 )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3417, in parseImpl
loc, exprtokens = e._parse( instring, loc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3739, in parseImpl
return self.expr._parse( instring, loc, doActions, callPreParse=False )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1402, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 3400, in parseImpl
loc, resultlist = self.exprs[0]._parse( instring, loc, doActions, callPreParse=False )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 1406, in _parseNoCache
loc,tokens = self.parseImpl( instring, preloc, doActions )
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/pyparsing.py", line 2711, in parseImpl
raise ParseException(instring, loc, self.errmsg, self)
pkg_resources._vendor.pyparsing.ParseException: Expected W:(abcd...) (at char 0), (line:1, col:1)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/cyclonedx-py", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 232, in main
CycloneDxCmd(args).execute()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 87, in execute
output = self.get_output()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 51, in get_output
parser = self._get_input_parser()
File "/usr/local/lib/python3.9/site-packages/cyclonedx_py/client.py", line 216, in _get_input_parser
return RequirementsFileParser(requirements_file=requirements_file)
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 60, in __init__
super(RequirementsFileParser, self).__init__(requirements_content=r.read())
File "/usr/local/lib/python3.9/site-packages/cyclonedx/parser/requirements.py", line 32, in __init__
for requirement in requirements:
File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3080, in parse_requirements
yield Requirement(line)
File "/usr/local/lib/python3.9/site-packages/pkg_resources/__init__.py", line 3090, in __init__
super(Requirement, self).__init__(requirement_string)
File "/usr/local/lib/python3.9/site-packages/pkg_resources/_vendor/packaging/requirements.py", line 100, in __init__
raise InvalidRequirement(
pkg_resources.extern.packaging.requirements.InvalidRequirement: Parse error at "'-i https'": Expected W:(abcd...)
requirements.txt
#
# These requirements were autogenerated by pipenv
# To regenerate from the project's Pipfile, run:
#
# pipenv lock --requirements
#
-i https://artifactory.jfrog.*****.com/artifactory/api/pypi/pypi/simple
anyio==3.3.3; python_full_version >= '3.6.2'
asgiref==3.4.1; python_full_version >= '3.6.0'
certifi==2021.10.8
charset-normalizer==2.0.7; python_version >= '3'
click==8.0.3; python_full_version >= '3.6.0'
fastapi==0.70.0
...
Environment
docker image
python:3.9-slim
pip freeze
pipenv==2021.5.29
cyclonedx-bom==1.2.0
cyclonedx-python-lib==0.8.1
I tried to add a component description, but it does not end up in the generated XML file.
from cyclonedx.model.component import Component
from cyclonedx.model.bom import Bom
from cyclonedx.output import get_instance, OutputFormat, SchemaVersion
from cyclonedx.parser import BaseParser


class TrivialParser(BaseParser):
    def __init__(self):
        super().__init__()  # let BaseParser set up its component/warning lists
        c = Component(name='foo',
                      version='1.0.0',
                      description='My description',
                      author='My Author')
        self._components.append(c)


parser = TrivialParser()
bom = Bom.from_parser(parser)
inst = get_instance(
    bom=bom,
    output_format=OutputFormat.XML,
    schema_version=SchemaVersion.V1_4
)
inst.output_to_file('bom.xml')
The output does not contain the description content.
I would expect the XML output to contain the description text, as specified in the schema (https://cyclonedx.org/docs/1.4/xml/#type_component).
Is this just an usage error or missing functionality?
After discussions between the maintainers regarding how to consider cyclonedx-conan adopting this library, it became clear that this library should just contain:
This means that the Parsers (all of which are specific to Python today) should be relocated to cyclonedx-python (which consumes this library).
As identified in #67, this library does not yet support properties at the bom root level.
This feature will add support to allow a BOM to have properties.
As called out in #151 by @jkowalleck, 1.0 is old and very sparse compared to the more recent versions of the CycloneDX schema.
This ticket aims to collect any feedback from the community as to whether:
1.0
1.0
Currently our models rely on the consumer to specify/provide a value for a Component or Vulnerability's bom-ref.
In previous versions of this library, the purl was automatically used for this purpose (for Component) but this was removed as a Component may not have a purl.
As pointed out in sonatype-nexus-community/jake#91, for Vulnerabilities to be able to specify which Components are affected (in 1.4), Components must have a bom-ref - see here.
It's worth noting that bom-ref is optional within the schema for both Component and Vulnerability.
This Feature will look to assign a UUID as the bom-ref if a value has not been provided by the consumer.
Example code to produce BOM:
from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from packageurl import PackageURL

bom = Bom(
    components=[Component(
        name='setuptools', version='50.3.2', bom_ref='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
        purl=PackageURL(
            type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
        ), license_str='MIT License', author='Test Author'
    )]
)
This attempts to produce XML for the Component as follows:
<component type="library" bom-ref="pkg:pypi/setuptools@50.3.2?extension=tar.gz">
  <name>setuptools</name>
  <version>50.3.2</version>
  <licenses>
    <expression>MIT License</expression>
  </licenses>
  <cpe>cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*</cpe>
  <purl>pkg:pypi/setuptools@50.3.2?extension=tar.gz</purl>
</component>
.licenses.expression is not permissible in schema version 1.0.
poetry failed to install in CI from time to time. An administrator/maintainer needs to click the "re-run all jobs" button to kick tests manually. see https://github.com/CycloneDX/cyclonedx-python-lib/runs/4470098505?check_suite_focus=true#step:11:40
this seems to be caused by the poetry cache.
as a maintainer i want the poetry install to pass, so that I don't have to re-run them manually.
According to specification 1.4, we still lack support for the following:
- component.swid
- component.modified (DEPRECATED since schema version 1.1)
- component.pedigree
- component.components
- component.evidence
This feature will add support in the model for the above items, EXCLUDING modified, and appropriate outputs to JSON and XML.
#169 also pointed out the lack of support (in XML) for:
- component.supplier
- component.publisher
- component.description
- component.scope
- component.copyright
- component.components
- component.evidence
It's commonplace in the Python ecosystem for a given package version to be available in both whl and tar.gz formats (and possibly others).
When we define a Component in a CycloneDX schema, this Component can include a list of hashes that provide an integrity to the definition. This is complicated in the Python eco-system as we do not know which format/download has been used.
For example, in a Pipfile.lock for toml==0.10.2 you will see two hashes which correlate to both the whl and tar.gz formats:
"hashes": [
    "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b",
    "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"
],
Including both hashes may be the correct answer, but I'm seeking clarification from the @CycloneDX/core-team prior to implementation.
This library currently defaults to schema version 1.3. This feature will update this to be 1.4.
@madpah a huge change i would suggest is: all optional lists become non-optional sets.
based on https://github.com/CycloneDX/cyclonedx-python-lib/pull/148/files#r798309225
this way a lot of problems would be solved:
- object.add_<list-property>() all the time
- set is falsy - for easy size-checks
- set-literal: instead of writing set([...]) simply write {...} - if this was needed at any place, still
Originally posted by @jkowalleck in #148 (comment)
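The __hash__ failure reported earlier on this page (a Component whose properties list makes hash() raise) and the proposal above to turn optional lists into sets are two sides of the same design decision. As an added example (not cyclonedx-python-lib code), the minimal models below show the failing shape next to the working one: a frozen dataclass with a list field cannot be hashed, while one whose nested collection is a frozenset can be compared, hashed and kept in a set-backed BOM where duplicates collapse. The names Property, Component, BrokenComponent, Bom and the helper functions are chosen for this example and do not mirror the library's constructors.

```python
"""Added example (not cyclonedx-python-lib code): value-style models whose nested
collections are immutable sets, so hash()/== work and a BOM can hold a set of them."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Property:
    name: str
    value: str


@dataclass(frozen=True)
class BrokenComponent:
    """Reproduces the failure mode: a list field makes the generated __hash__ raise TypeError."""
    name: str
    properties: List[Property] = field(default_factory=list)


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str] = None
    # frozenset instead of list: hashable, unordered, and duplicate properties collapse
    properties: FrozenSet[Property] = field(default_factory=frozenset)

    def with_property(self, name: str, value: str) -> "Component":
        """Return a new Component; frozen instances are never mutated in place."""
        return Component(self.name, self.version, self.properties | {Property(name, value)})


class Bom:
    def __init__(self) -> None:
        # a set, not a list: membership is O(1) and an empty set is falsy
        self.components: Set[Component] = set()

    def add_component(self, component: Component) -> bool:
        """Add a component; return False when an equal one is already present."""
        before = len(self.components)
        self.components.add(component)
        return len(self.components) > before

    def has_components(self) -> bool:
        return bool(self.components)


def is_hashable(obj: object) -> bool:
    try:
        hash(obj)
    except TypeError:
        return False
    return True


def build_demo_bom() -> Bom:
    """Mirror the reproduction above: one component with a property, one without, one duplicate."""
    bom = Bom()
    bom.add_component(Component("component 1").with_property("prop 1", "value 1"))
    bom.add_component(Component("component 2"))
    bom.add_component(Component("component 2"))   # equal to the previous one: not added twice
    return bom
```

Because equality and hashing derive from the same frozen fields, two components that differ only in the order their properties were added compare equal, which is what a deduplicating add_component needs.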
This issue was originally raised here but has been relocated to this project as it is now the cyclonedx-python-lib that implements the specification and not cyclonedx-python.
References from original issue:
Notes from @stevespringett:
metadata\component and metadata\tools\tool
Notes from @sbs2001:
metadata\component, we could borrow the code at https://github.com/nexB/scancode-toolkit/blob/839964c205fa76562ec3c24c667183b3d0bb9f5a/src/packagedcode/pypi.py#L302 as a start ?
Raised in response to CycloneDX/cyclonedx-python#244.
It will only be possible to obtain licensing for packages installed in a Python environment.
License information is not available in:
- requirements.txt files
- Pipfile.lock files
- poetry.lock files
As discussed in #67, version became optional for a Component in 1.4.
The fallback should be an empty string for versions prior to 1.4 if a Component has no version.
This is currently failing with release 1.3.0.
I received the following error while attempting to upgrade to the latest version of setuptools: cyclonedx-python-lib 0.11.1 requires setuptools<51.0.0,>=50.3.2, but you have setuptools 59.6.0 which is incompatible.
Running pip install setuptools==50.3.2 was my work-around for this problem
might require CycloneDX/specification#106
the current json result follows an existing schema, described in https://github.com/CycloneDX/specification/tree/master/schema
feature request: add the used schema as a property $schema of the resulting json.
the value must be the $id of the schema used.
spec | schema-id
---|---
1.2 | http://cyclonedx.org/schema/bom-1.2a.schema.json
1.3 | http://cyclonedx.org/schema/bom-1.3.schema.json
example:
{
"$schema": "http://cyclonedx.org/schema/bom-1.3.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.3",
"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
"version": 1,
"components": [
{
"type": "library",
"name": "acme-library",
"version": "1.0.0"
}
]
}
packageurl-python is causing a lot of trouble in older versions, versions we are not currently running/testing in the CI.
packageurl-python is doing a stupid amount of effort to still support python2, and therefore breaks in python3 sometimes.
i suggest to raise the dependency to >=0.9 to prevent unexpected issues downstream
this one is related/caused by #44
Raised as root cause of CycloneDX/cyclonedx-python#235.
The CPE (https://nvd.nist.gov/products/cpe) is still often used to identify vulnerabilities in software and also used by Dependency Track to identify vulnerabilities.
I am currently generating a cyclonedx sbom file with this library with input from various sources where the sources sometimes include the CPE value for the component. The sbom then is imported into DT and other tools to identify vulnerabilities.
Currently I cannot add the CPE to the sbom using this library as the CPE is not supported in the component.
Pull request for this feature already added.
I'm planning on adding library API documentation and using pdoc. Any thoughts/opinions on this from anyone? @madpah
Example BOM generation:
from cyclonedx.model import HashType
from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from packageurl import PackageURL

bom = Bom(components=[
    Component(
        name='toml', version='0.10.2', bom_ref='pkg:pypi/toml@0.10.2?extension=tar.gz',
        purl=PackageURL(
            type='pypi', name='toml', version='0.10.2', qualifiers='extension=tar.gz'
        ), hashes=[
            HashType.from_composite_str('sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b')
        ], external_references=[
            get_external_reference_1()  # test-suite helper returning a sample ExternalReference
        ]
    )
])
Generates
...
<externalReferences>
<reference type="distribution">
<url>https://cyclonedx.org</url>
<comment>No comment</comment>
<hashes>
<hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
</hashes>
</reference>
</externalReferences>
...
.externalReferences.hashes is not part of the schema prior to version 1.3.
note for myself: see if 1.3 serializers omit this
Originally posted by @jkowalleck in #108 (comment)
Creating issue to track adoption of the forthcoming version 1.4 schema specification for CycloneDX.
Preview work can be seen here, but this IS NOT FINAL.
Current estimates are that version 1.4 will be finalised late 2021, early 2022.
Python 3.10 officially released on 09-Nov-2021 - support for this should be included / verified.
In order to deliver on the answer provided in #26, we need to extend the support in this library to allow for externalReferences on Component instances.
Raising here from CycloneDX/cyclonedx-python#40 given the split into this library.
CycloneDX schema version 1.2+ supports bom.dependencies which can be used to generate dependency tree graphs from CycloneDX BOMs.
This library currently has no support for bom.dependencies.
Source: sonatype-nexus-community/jake#72
Validated by running:
pip install cyclonedx-python-lib==0.12.2 --only-binary=:all:
Looking in indexes: https://OBFUSCATED/repository/pupy/simple
Collecting cyclonedx-python-lib==0.12.2
Using cached https://OBFUSCATED/repository/pupy/packages/cyclonedx-python-lib/0.12.2/cyclonedx_python_lib-0.12.2-py3-none-any.whl (128 kB)
Collecting types-toml<0.11.0,>=0.10.0
Using cached https://OBFUSCATED/repository/pupy/packages/types-toml/0.10.1/types_toml-0.10.1-py3-none-any.whl (2.1 kB)
Collecting packageurl-python>=0.9
Using cached https://OBFUSCATED/repository/pupy/packages/packageurl-python/0.9.6/packageurl_python-0.9.6-py3-none-any.whl (23 kB)
ERROR: Could not find a version that satisfies the requirement requirements_parser>=0.2 (from cyclonedx-python-lib) (from versions: none)
ERROR: No matching distribution found for requirements_parser>=0.2
Note from https://pypi.org/project/requirements-parser/0.2.0/#files:
JSF is/has been incorporated into the core spec for Version 1.4 (JSON). This feature will delivery JSF support.
This feature was bumped from the initial release (#108).
Very minor issue noted here.
If a BOM is has ZERO Components, components
is still included in the generated BOM as an empty array.
Not invalid, but not tidy.
as a developer i want all imports sorted, so i can read and maintain them easily
proposal:
- isort mentioned in the CONTRIBUTING docs
- proposed isort config file .isort.cfg:
[isort]
## read the docs: https://github.com/timothycrosley/isort/wiki/isort-Settings
known_first_party = cyclonedx
skip_glob =
build,dist,__pycache__,.eggs,*_cache
.git,.tox,.venv,venv
_OLD,_TEST,
docs
combine_as_imports = true
default_section = THIRDPARTY
include_trailing_comma = true
line_length = 120
multi_line_output = 5
First of all, thanks for this fantastic library!
I'm currently working on using cyclonedx-python-lib to generate SBOMs within pip-audit.
Our codebase is fully typechecked (via MyPy), and it looks like this library is too! But we can't currently consume your type hints, since the cyclonedx package doesn't include a py.typed file per PEP 561.
Is there any objection to including that file, so that downstream users can typecheck their API use? If not, I can go ahead and create a PR -- it should be just a 2 or 3 line change.
At the moment I can't see a way of specifying the namespace or subpath for a component purl.
https://github.com/package-url/purl-spec#purl
I hit this limitation trying to use this library for the Conan implementation and not being able to set the purl correctly.
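For reference, this is what the namespace and subpath parts of a purl look like in code. As an added example (not cyclonedx-python-lib or packageurl-python code), the builder and parser below follow the purl spec grammar `pkg:type/namespace/name@version?qualifiers#subpath`: namespace segments are percent-encoded individually (so an npm scope `@angular` becomes `%40angular`), qualifier keys are lower-cased and sorted, and `.`/`..` subpath segments are dropped. The Conan case from this issue is used as the worked input, with `openssl.org` as namespace and `user`/`channel` as qualifiers. `PurlParts`, `build_purl` and `parse_purl` are names chosen here, and leaving `:` and `/` unencoded in qualifier values is this example's own choice.

```python
"""Added example (not cyclonedx-python-lib or packageurl-python code): build and parse a
package URL (purl) including the namespace and subpath components:
    pkg:type/namespace/name@version?qualifiers#subpath
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import quote, unquote


@dataclass(frozen=True)
class PurlParts:
    type: str
    name: str
    version: Optional[str] = None
    namespace: Optional[str] = None              # e.g. "openssl.org" for conan, "@angular" for npm
    qualifiers: Optional[Dict[str, str]] = None
    subpath: Optional[str] = None


def _segment(value: str) -> str:
    # percent-encode everything but unreserved characters, so '@', '/', '?', '#' and ':'
    # inside a namespace, name or version cannot be mistaken for purl separators
    return quote(value, safe="")


def build_purl(p: PurlParts) -> str:
    out = f"pkg:{p.type.lower()}/"
    if p.namespace:
        out += "/".join(_segment(s) for s in p.namespace.strip("/").split("/") if s) + "/"
    out += _segment(p.name)
    if p.version:
        out += "@" + _segment(p.version)
    if p.qualifiers:
        # keys lower-cased and sorted, empty values dropped; ':' and '/' left readable in values
        pairs = sorted((k.lower(), v) for k, v in p.qualifiers.items() if v)
        if pairs:
            out += "?" + "&".join(f"{k}={quote(v, safe=':/')}" for k, v in pairs)
    if p.subpath:
        segments = [_segment(s) for s in p.subpath.strip("/").split("/") if s and s not in (".", "..")]
        if segments:
            out += "#" + "/".join(segments)
    return out


def parse_purl(purl: str) -> PurlParts:
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError("a purl must start with 'pkg:'")
    rest, _, subpath = rest.partition("#")           # peel off the subpath first...
    rest, _, query = rest.partition("?")             # ...then the qualifiers...
    ptype, _, rest = rest.strip("/").partition("/")  # ...then the type
    version: Optional[str] = None
    if "@" in rest:
        rest, version_enc = rest.rsplit("@", 1)      # an encoded '@' is %40, so this is the separator
        version = unquote(version_enc)
    segments = [unquote(s) for s in rest.split("/") if s]
    if not ptype or not segments:
        raise ValueError(f"purl is missing type or name: {purl!r}")
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        if value:
            qualifiers[key.lower()] = unquote(value)
    sub = "/".join(unquote(s) for s in subpath.split("/") if s and s not in (".", "..")) or None
    return PurlParts(ptype.lower(), segments[-1], version, "/".join(segments[:-1]) or None,
                     qualifiers or None, sub)
```

The round trip matters for SBOM consumers: a tool that matches components by purl string (Dependency-Track, for instance) only finds the same package if both producer and consumer canonicalise qualifiers and encoding the same way, which is why the builder sorts keys and encodes segments rather than concatenating raw strings.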
currently the code goes through a pep8 test via flake8 that must be passed in CI
as a developer i want a tool available, that automatically fixes my code according to pep8
options:
I, @jkowalleck, prefer autopep8 as it fixes pep8 only. black is too opinionated.
We're getting a large number of test fixtures now and this ticket will re-organise them into sub-directories:
tests/fixtures/<FORMAT>/<SCHEMA_VERSION>/<FIXTURE_NAME>.<EXTENSION>
Where:
- <FORMAT> is json or xml
- <SCHEMA_VERSION> is decimalised schema version - e.g. 1.4
- <FIXTURE_NAME> remains a suitable descriptive name
- <EXTENSION> remains either json or xml
Created from:
As identified in #67, this library does not yet support Services.
This feature will add support to allow BOMs containing Services for schema versions that support this.
Taken from CycloneDX/cyclonedx-python#194.
This library currently supports requirements.txt files according to PEP-508 specification.
PEP-508 does not cater for cryptographic hashes being included in requirements.txt files.
However, since version 8.0 of pip, hashes and checking of hashes during dependency installation has been possible - see here.
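Three reports on this page share a root cause: the lock-file and requirements formats carry more than name==version pairs. The Pipfile.lock report shows entries without an "index" key and a requirements file that begins with an -i index line; the toml report shows one package carrying a hash per distribution file; and this issue adds pip's --hash= options. As an added example (not code from cyclonedx-python-lib or cyclonedx-python), the functions below read a Pipfile.lock without assuming every entry has "index", read a requirements.txt that contains option lines, environment markers and --hash= options (including the backslash continuations pip hash mode uses), keep every hash listed for a package, and check a downloaded artifact against that list. The sample inputs are constructed for this example (shapes copied from the reports above); LockedPackage, parse_pipfile_lock, parse_requirements and verify_artifact are names chosen here.

```python
"""Added example (not cyclonedx-python-lib code): tolerant lock-file parsing plus
artifact hash verification against every hash a lock file lists for a package."""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockedPackage:
    name: str
    version: Optional[str]
    hashes: Tuple[str, ...]       # "alg:hexdigest", one per distribution file (whl, sdist, ...)
    index: Optional[str] = None   # None when the lock entry has no "index" key


def parse_pipfile_lock(text: str, sections: Tuple[str, ...] = ("default",)) -> List[LockedPackage]:
    data = json.loads(text)
    packages = []
    for section in sections:
        for name, meta in data.get(section, {}).items():
            version = meta.get("version") or None
            if version and version.startswith("=="):
                version = version[2:]
            packages.append(LockedPackage(
                name=name,
                version=version,
                hashes=tuple(meta.get("hashes", ())),
                index=meta.get("index"),   # .get(): transitive deps carry no "index" (see report above)
            ))
    return packages


_HASH_OPTION = re.compile(r"--hash[= ]([A-Za-z0-9]+:[0-9a-fA-F]+)")
_REQUIREMENT = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s,;]+))?")


def parse_requirements(text: str) -> List[LockedPackage]:
    packages = []
    # a trailing backslash continues the requirement on the next line (pip hash mode uses this)
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()     # strip comments
        if not line or line.startswith("-"):
            continue                                        # skip `-i https://...` and other pip options
        hashes = tuple(m.group(1) for m in _HASH_OPTION.finditer(line))
        spec = re.split(r"\s--", line, maxsplit=1)[0]       # drop per-requirement options
        spec = spec.split(";", 1)[0].strip()                # drop environment marker
        match = _REQUIREMENT.match(spec)
        if not match:
            continue
        packages.append(LockedPackage(match.group(1), match.group(2), hashes))
    return packages


def verify_artifact(artifact: bytes, pkg: LockedPackage) -> Optional[str]:
    """Return the matching 'alg:hex' entry if artifact is one of the locked files, else None."""
    for entry in pkg.hashes:
        alg, _, expected = entry.partition(":")
        try:
            digest = hashlib.new(alg, artifact).hexdigest()
        except ValueError:          # unknown algorithm name
            continue
        if digest.lower() == expected.lower():
            return entry
    return None


# Constructed sample inputs; hashes copied from the reports above, the rest illustrative.
SAMPLE_PIPFILE_LOCK = json.dumps({
    "_meta": {"sources": [{"name": "pypi", "url": "https://pypi.org/simple", "verify_ssl": True}]},
    "default": {
        "anyio": {   # transitive dependency: no "index" key, two hashes (whl + sdist)
            "hashes": ["sha256:56ceaeed2877723578b1341f4f68c29081db189cfb40a97d1922b9513f6d7db6",
                       "sha256:8eccec339cb4a856c94a75d50fc1d451faf32a05ef406be462e2efc59c9838b0"],
            "markers": "python_full_version >= '3.6.2'",
            "version": "==3.3.3",
        },
        "fastapi": {"hashes": ["sha256:66da43cfe5185ea1df99552acffd201f1832c6b364e0f4136c0a99f933466ced"],
                    "index": "pypi", "version": "==0.70.0"},
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed sample in the layout `pipenv lock -r` produces, plus a pip hash-mode line
-i https://pypi.org/simple
anyio==3.3.3; python_full_version >= '3.6.2'
toml==0.10.2 --hash=sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b \\
    --hash=sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f
"""

SAMPLE_ARTIFACT = b"constructed bytes standing in for a downloaded sdist"
SAMPLE_ARTIFACT_SHA256 = "sha256:" + hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()
```

Carrying every listed hash through to the component is the safe default: a verifier can only accept an artifact whose digest appears in the list, so omitting the sdist hash because a wheel was "probably" installed would turn a legitimate download into a false alarm.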
Multiple issues in jake relate to issues when using jake pre 1.0.0 and conda. jake >=1.0.0 no longer has conda support as it relies on this library (cyclonedx-python-lib) for parsing data sources.
Issues related:
This feature should add support for:
- conda list output
Following #106, decision has been taken to move documentation to RTD.
Work should be completed as part of the 1.4 spec overhaul.