Software bill-of-materials docs eyed for Python packages
Wednesday, January 22, 2025, 04:06, by InfoWorld
Software bill-of-materials (SBOM) documents would be used in Python packages as a means to improve their “measurability” and to address the problem of “phantom dependencies” in Python packages, under a Python Enhancement Proposal (PEP) now being floated at python.org.
In explaining the motivation behind the proposal, created January 2, the authors state that Python packages are particularly affected by a phantom dependency problem: they often include software components not written in Python, for reasons such as compatibility with standards, ease of installation, or use cases such as machine learning that rely on compiled libraries from C, C++, Rust, Fortran, and other languages. The proposal notes that the Python wheel format is preferred by users for its ease of installation, but this format requires bundling compiled shared libraries without any method to encode metadata about them.

Additionally, packages related to Python packaging sometimes need to solve the bootstrapping problem and so bundle pure Python projects inside their own source code. These software components also cannot be described using Python package metadata and are therefore likely to be missed by software composition analysis (SCA) tools, which can mean vulnerable software components are not reported accurately. Including an SBOM document annotating all bundled libraries would enable SCA tools to reliably identify the included software.

SBOM is a technology- and ecosystem-agnostic method for describing software composition, provenance, heritage, and more, the proposal notes. SBOMs are used as inputs for SCA tools, such as scanners for vulnerabilities and licenses, and they have been gaining traction in global software regulations and frameworks. For example, SBOMs are required by recent security regulations such as the Secure Software Development Framework. For all of these reasons, SBOMs could be used to improve the measurability of Python packages. The proposal delegates SBOM-specific metadata to SBOM documents included in Python packages and adds a core metadata field for discoverability of the included SBOM documents.
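To make the phantom-dependency problem concrete, here is an added example (not code from the article or from the PEP) that inspects a constructed wheel: it compares the dependencies declared in METADATA with the compiled binaries actually bundled in the archive, and looks for an SBOM document under an assumed `*.dist-info/sboms/` path (this example's convention, not something the article specifies).

```python
import io
import zipfile
from email.parser import Parser

NATIVE_EXTS = {"so", "dll", "pyd", "dylib"}


def build_sample_wheel() -> bytes:
    """Constructed sample wheel (not a real project): a small package that
    bundles a compiled extension and a vendored shared library, but whose
    METADATA only declares a pure-Python dependency."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "from ._ext import speedup\n")
        zf.writestr("demo_pkg/_ext.cpython-312-x86_64-linux-gnu.so", b"\x7fELF-stub")
        zf.writestr("demo_pkg.libs/libsomething-abc123.so.1", b"\x7fELF-stub")
        zf.writestr(
            "demo_pkg-1.0.dist-info/METADATA",
            "Metadata-Version: 2.1\nName: demo_pkg\nVersion: 1.0\n"
            "Requires-Dist: requests>=2\n\n",
        )
    return buf.getvalue()


def is_native(path: str) -> bool:
    """True for compiled binaries, including versioned names like libfoo.so.1."""
    base = path.rsplit("/", 1)[-1]
    return any(part in NATIVE_EXTS for part in base.split(".")[1:])


def audit_wheel(wheel_bytes: bytes) -> dict:
    """Report what the package metadata declares versus what is really inside.

    'phantom' lists bundled binaries that no METADATA field describes; an SCA
    tool that reads only METADATA never sees them. 'sbom_documents' lists any
    SBOM files found under the assumed dist-info/sboms/ location."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
        meta_name = next(n for n in names if n.endswith(".dist-info/METADATA"))
        meta = Parser().parsestr(zf.read(meta_name).decode())
    return {
        "declared": meta.get_all("Requires-Dist") or [],
        "phantom": sorted(n for n in names if is_native(n)),
        "sbom_documents": sorted(n for n in names if ".dist-info/sboms/" in n),
    }


if __name__ == "__main__":
    print(audit_wheel(build_sample_wheel()))
```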
https://www.infoworld.com/article/3807027/software-bill-of-materials-docs-eyed-for-python-packages.h