
Include language package manager (e.g. cargo, npm, go modules) information in SBOMs #17423

Open
1 task done
carlocab opened this issue Jun 4, 2024 · 5 comments
Labels
features New features help wanted We want help addressing this

Comments

@carlocab (Member) commented Jun 4, 2024

Verification

Provide a detailed description of the proposed feature

The sbom.spdx.json contains dependency information for dependencies managed by brew. We should include dependency information for those not managed by brew as well.

What is the motivation for the feature?

More complete SBOMs. It will also improve our ability to track CVEs that affect formulae.

How will the feature be relevant to at least 90% of Homebrew users?

It probably won't be.

What alternatives to the feature have been considered?

  • the status quo
  • another mechanism for tracking non-Homebrew dependencies
@carlocab carlocab added the features New features label Jun 4, 2024
@MikeMcQuaid (Member)

Good idea, thanks @carlocab!

@MikeMcQuaid MikeMcQuaid added the help wanted We want help addressing this label Jun 4, 2024
@SMillerDev (Member)

@carlocab do you have an example of some data you would like to see included?

@cho-m (Member) commented Sep 22, 2024

Could be worth starting with something like npm which provides npm sbom and decide what parts of that should be included.

Cargo may be easier once RFC rust-lang/rfcs#3553 provides a similar feature. Some repositories use tools like cargo-auditable to put related information inside the binaries.

May need to see how large these can get since the dependency trees can be quite large.


Though, homebrew-pip-audit is using osv-scanner so a variation on previous PR for lock files (#14835) could be more useful if we want to build tooling around auditing our own formulae. osv-scanner supports Cargo.lock, Gemfile.lock, etc.

@carlocab (Member, Author)

> @carlocab do you have an example of some data you would like to see included?

Not really, sorry! It's really more that our SBOMs already contain dependency information when those dependencies are on other formulae. Ideally the dependency information would be more complete by including non-formula dependencies too.

At minimum, I guess, we should include the names and versions of language package manager dependencies in the SBOMs.
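As an added illustration of the minimum described above (names and versions of language package manager dependencies), and of the lock-file formats cho-m mentions, here is a Ruby sketch that is not Homebrew's code: it reads a package-lock.json and a Cargo.lock, skips the root package and npm dev-only entries (which are not shipped), and emits SPDX package entries carrying purls plus DEPENDS_ON relationships from the formula's node. The two lock files are constructed samples, and the `SPDXRef-Formula` root ID and field layout are assumptions rather than Homebrew's actual SBOM schema.

```ruby
require "json"

# Constructed sample inputs (not taken from any real formula).
SAMPLE_PACKAGE_LOCK = <<~JSON
  {
    "name": "example-cli", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
      "": { "name": "example-cli", "version": "1.0.0" },
      "node_modules/semver": { "version": "7.6.3",
        "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz" },
      "node_modules/@scope/dev-only": { "version": "2.0.0", "dev": true }
    }
  }
JSON

SAMPLE_CARGO_LOCK = <<~TOML
  # This file is automatically @generated by Cargo.
  version = 3

  [[package]]
  name = "example-tool"
  version = "0.3.1"
  dependencies = [
   "serde",
  ]

  [[package]]
  name = "serde"
  version = "1.0.210"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "placeholder-checksum"
TOML

# Assumed root SPDX ID for the formula itself (not Homebrew's real identifier).
ROOT_SPDXID = "SPDXRef-Formula"

# [[name, version], ...] for runtime packages in a lockfileVersion 2/3 package-lock.json.
# The root entry ("") is the formula itself and dev-only entries are not installed.
def npm_lock_packages(json_text)
  lock = JSON.parse(json_text)
  lock.fetch("packages").filter_map do |path, info|
    next if path.empty? || info["dev"]
    # The package name is whatever follows the last "node_modules/" (nested and scoped paths included).
    [path.split("node_modules/").last, info.fetch("version")]
  end
end

# [[name, version, source], ...] for Cargo.lock packages that come from a registry or git source.
# Cargo.lock is simple enough that a line parser suffices; the root crate has no "source" and is skipped.
def cargo_lock_packages(toml_text)
  packages = []
  current = nil
  toml_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if line == "[[package]]"
      current = {}
      packages << current
    elsif current && (m = line.match(/\A(name|version|source)\s*=\s*"([^"]*)"\z/))
      current[m[1]] = m[2]
    end
  end
  packages.select { |p| p.key?("source") }.map { |p| [p.fetch("name"), p.fetch("version"), p["source"]] }
end

# purl for an npm package; a scoped name becomes a URL-encoded namespace ("@scope" -> "%40scope").
def npm_purl(name, version)
  ns, base = name.start_with?("@") ? name.split("/", 2) : [nil, name]
  ns ? "pkg:npm/#{ns.sub('@', '%40')}/#{base}@#{version}" : "pkg:npm/#{base}@#{version}"
end

# One SPDX package entry; the purl externalRef is what vulnerability scanners match against.
def spdx_package(type, name, version, purl)
  {
    "SPDXID" => "SPDXRef-#{type}-#{name.gsub(/[^A-Za-z0-9.-]/, "-")}-#{version}",
    "name" => name,
    "versionInfo" => version,
    "downloadLocation" => "NOASSERTION",
    "externalRefs" => [{ "referenceCategory" => "PACKAGE-MANAGER",
                         "referenceType" => "purl", "referenceLocator" => purl }],
  }
end

# The SPDX fragments a formula's SBOM would gain from its language package manager lock files.
def language_dependency_packages(npm_lock: nil, cargo_lock: nil)
  packages = []
  npm_lock_packages(npm_lock).each { |n, v| packages << spdx_package("npm", n, v, npm_purl(n, v)) } if npm_lock
  cargo_lock_packages(cargo_lock).each { |n, v, _| packages << spdx_package("cargo", n, v, "pkg:cargo/#{n}@#{v}") } if cargo_lock
  relationships = packages.map do |p|
    { "spdxElementId" => ROOT_SPDXID, "relationshipType" => "DEPENDS_ON", "relatedSpdxElement" => p["SPDXID"] }
  end
  { "packages" => packages, "relationships" => relationships }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(language_dependency_packages(npm_lock: SAMPLE_PACKAGE_LOCK, cargo_lock: SAMPLE_CARGO_LOCK))
end
```

Because the output is a fragment, it would be merged into the formula's existing sbom.spdx.json rather than written on its own; the size concern raised above applies directly, since every transitive entry in the lock file becomes one package entry.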

@MikeMcQuaid (Member)

> Could be worth starting with something like npm which provides npm sbom and decide what parts of that should be included.

Agreed. Note: given all our SBOM reproducibility issues, this needs to be done at bottle pour time.


@carlocab thanks for clarifying!
