# sbom
Tree shaking for the minimal viable software bill of materials (SBOM).
[License: MIT](https://github.com/sthagen/sbom/blob/default/LICENSE)
Third party dependencies are documented in the folder [third-party](docs/third-party/README.md).
[![version](https://img.shields.io/pypi/v/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![downloads](https://static.pepy.tech/badge/sbom/month)](https://pepy.tech/project/sbom)
[![wheel](https://img.shields.io/pypi/wheel/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![supported-versions](https://img.shields.io/pypi/pyversions/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![supported-implementations](https://img.shields.io/pypi/implementation/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![maintenance-status](https://img.shields.io/github/commit-activity/y/sthagen/sbom.svg?style=flat)](https://git.sr.ht/~sthagen/sbom/log)
## Documentation
User and developer [documentation of sbom](https://codes.dilettant.life/docs/sbom).
## Bug Tracker
Any feature requests or bug reports shall go to the [todos of sbom](https://todo.sr.ht/~sthagen/sbom).
## Primary Source repository
The main source of `sbom` is on a mountain in central Switzerland.
We use distributed version control (git).
There is no central hub.
Every clone can become a new source for the benefit of all.
The preferred public clones of `sbom` are:
* [on codeberg](https://codeberg.org/sthagen/sbom) - a democratic community-driven, non-profit software development platform operated by Codeberg e.V.
* [at sourcehut](https://git.sr.ht/~sthagen/sbom) - a collection of tools useful for software development.
## Contributions
Please do not submit "pull requests" (I found no way to disable that "feature" on GitHub).
If you would like to share small changes under the repository's license, please do so by sending a patchset.
You can either send such a patchset by email using [git send-email](https://git-send-email.io) or,
if you are a sourcehut user, by selecting "Prepare a patchset" on the summary page of your fork at [sourcehut](https://git.sr.ht/).
## Status
Experimental.
## Terminology
* **baseline** - mandatory elements
* **consume** - an SBOM
* **crypto** - hashing, signing, and signature validation
* **extension** - sets of elements mandatory in addition to baseline
* **fuzz** - generate surrogate and poisoned SBOMs
* **merge** - an SBOM with other SBOMs or additional information
* **mock** - provide optimal testability
* **policy** - to apply
* **produce** - an SBOM
* **report** - anything from produce, transform, and consume
* **rule** - executing policies
* **transform** - one SBOM into another SBOM
## Safety, Security, and Data Protection Considerations
The current implementation **SHALL** only digest trustworthy data.

Schema validation of the JSON and XML formats requires specific measures to
minimize vulnerabilities.

For example: the Python XML parser implementation (etree) in use is
presumably vulnerable to attacks such as *billion laughs* and
*quadratic blowup*.

The plan is to move towards a safer implementation such as `defusedxml`
or another hardened implementation.

The situation is similar for the JSON formats.

In summary, and repeating the obvious:

> The current implementation **SHALL** only digest trustworthy data.

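
A pre-parse guard of the kind this section calls for, as an added example (not code from the `sbom` project): it rejects any XML input carrying a DOCTYPE before the standard-library etree parser sees it. That is sufficient here because the *billion laughs* and *quadratic blowup* payloads named above rely on entity declarations, entities can only be declared inside a DTD, and CycloneDX or SPDX documents never need one. The 16 MiB size limit, the CycloneDX-namespaced sample document and all function names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_BYTES = 16 * 1024 * 1024  # assumed upper bound for one SBOM document


class UntrustedInput(ValueError):
    """Input judged unsafe to hand to the stock etree parser."""


def assert_no_doctype(data: bytes) -> None:
    """Throw-away expat pass that aborts on the first DOCTYPE."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising inside a handler propagates out of Parse() and ends the pass.
        raise UntrustedInput(f"DOCTYPE {name!r} not allowed in SBOM input")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UntrustedInput(f"malformed XML: {exc}") from exc


def load_sbom_xml(data: bytes) -> ET.Element:
    """Parse an SBOM document only after the cheap guards have passed."""
    if len(data) > MAX_BYTES:
        raise UntrustedInput(f"document exceeds {MAX_BYTES} bytes")
    assert_no_doctype(data)
    return ET.fromstring(data)


# Constructed samples: a minimal CycloneDX-shaped document, and the same
# document with an internal DTD prepended, which is where the guard stops it.
CLEAN = b'<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"><components/></bom>'
WITH_DTD = b'<!DOCTYPE bom [<!ENTITY a "a">]>' + CLEAN


def demo() -> dict:
    """Map each constructed sample to its root tag or the rejection reason."""
    results = {}
    for label, doc in (("clean", CLEAN), ("with_dtd", WITH_DTD)):
        try:
            results[label] = load_sbom_xml(doc).tag
        except UntrustedInput as exc:
            results[label] = f"rejected: {exc}"
    return results
```

The same guard can be run by the `consume` and `merge` steps on every document before schema validation, so a hostile DTD never reaches the parser even while the stock etree implementation is still in use.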
**Note**: The default branch is `default`.