Shared libraries that are copied across should ideally be part of the SBOM generated for a given wheel, but these are currently not captured by any tooling. Auditwheel should provide an SBOM (and perhaps an attestation) of any libraries that are included as part of the wheel.
This could perhaps be stored alongside the wheel metadata for easier availability. Downstream tooling (such as pip-audit or grype) can use this metadata to perform vulnerability scans on the underlying distro packages as well.
Even if a PEP is available, auditwheel will only be able to, potentially, get information from grafted system libraries, provided someone proposes a PR that works (or at least does not fail) on various distributions (rpm-based ones like CentOS/RHEL/AlmaLinux/RockyLinux or deb-based ones like Debian/Ubuntu in the glibc world, or Alpine for the musl world).
For user-built/retrieved libraries, it won't work out of the box and requires user input, and it would probably be best that this work be shared with delocate / delvewheel if possible.
Maybe the whole thing should be another project entirely, used as a dependency by auditwheel / delocate & delvewheel?
I definitely don't have time to fall down this rabbit hole in my free time.
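The comment above sketches the only part that could work without user input: at repair time, ask the build host's package manager which distro package owns each library before it is grafted, and record that in a purl that pip-audit or grype can match. The following is an added example written for this thread, not code from auditwheel, delocate or delvewheel. It assumes the repair step still knows each library's source path on the build host (the `(source path, grafted file name)` pairs below are a hypothetical shape), that the build host is the distro whose package database is queried, that `rpm`, `dpkg-query` and `apk` cover the glibc and musl worlds named above, and it uses the hypothetical CycloneDX property names `auditwheel:grafted-as` and `auditwheel:source-path`. The parsers are exercised with constructed command output, so check them against a real container before relying on them.

```python
"""Attribute shared libraries grafted into a wheel to the build host's distro
package, and emit CycloneDX-shaped components with package URLs (purls).

Added example for this issue thread; not auditwheel code.
"""
import json
import platform
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote


@dataclass(frozen=True)
class Owner:
    name: str
    version: str  # full distro version string, e.g. "1.1.1k-7.el8"


# Hypothetical input shape: (path on the build host, file name after grafting).
Grafted = Tuple[str, str]
Resolver = Callable[[str], Optional[Owner]]


def parse_os_release(text: str) -> Dict[str, str]:
    """Parse /etc/os-release KEY=value lines; ID becomes the purl namespace."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            out[key] = value.strip().strip("\"'")
    return out


# --- pure parsers for each package manager's query output -----------------

def parse_rpm_qf(output: str) -> Optional[Owner]:
    """Output of `rpm -qf --qf '%{NAME} %{VERSION}-%{RELEASE}' FILE`.
    Unowned files produce "file ... is not owned by any package" instead."""
    line = output.strip().splitlines()[0] if output.strip() else ""
    if not line or "not owned" in line:
        return None
    name, _, version = line.partition(" ")
    return Owner(name, version.strip()) if version.strip() else None


def parse_dpkg_s(output: str) -> Optional[str]:
    """Output of `dpkg-query -S FILE` is "pkg[:arch]: /path"; it carries the
    package name only, so the version needs a second query (dpkg_resolver)."""
    m = re.match(r"^([a-z0-9][a-z0-9.+-]*)(?::[a-z0-9-]+)?: /", output.strip())
    return m.group(1) if m else None


def parse_apk_who_owns(output: str) -> Optional[Owner]:
    """Output of `apk info --who-owns FILE` is "/path is owned by NAME-VER-rN".
    NAME may itself contain dashes, so the split is anchored on the VER-rN tail."""
    m = re.match(r"^.+ is owned by (.+?)-(\d[^-]*-r\d+)\s*$", output.strip())
    return Owner(m.group(1), m.group(2)) if m else None


# --- resolvers that actually shell out ------------------------------------

def _run(argv: List[str]) -> str:
    """Run a package-manager query; a non-zero exit (file not owned) yields ""."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def rpm_resolver(path: str) -> Optional[Owner]:
    return parse_rpm_qf(_run(["rpm", "-qf", "--qf", "%{NAME} %{VERSION}-%{RELEASE}", path]))


def dpkg_resolver(path: str) -> Optional[Owner]:
    name = parse_dpkg_s(_run(["dpkg-query", "-S", path]))
    if name is None:
        return None
    version = _run(["dpkg-query", "-W", "-f", "${Version}", name]).strip()
    return Owner(name, version) if version else None


def apk_resolver(path: str) -> Optional[Owner]:
    return parse_apk_who_owns(_run(["apk", "info", "--who-owns", path]))


# tool on PATH -> (purl type, resolver); first match wins
BACKENDS = {"rpm": ("rpm", rpm_resolver), "dpkg-query": ("deb", dpkg_resolver),
            "apk": ("apk", apk_resolver)}


def detect_backend() -> Optional[Tuple[str, Resolver]]:
    for tool, backend in BACKENDS.items():
        if shutil.which(tool):
            return backend
    return None


def make_purl(ptype: str, namespace: str, owner: Owner, arch: str) -> str:
    """pkg:TYPE/NAMESPACE/NAME@VERSION?arch=ARCH; the version is percent-encoded
    so "+" and an epoch ":" survive ("0+deb11u5" -> "0%2Bdeb11u5")."""
    return f"pkg:{ptype}/{namespace}/{owner.name}@{quote(owner.version, safe='')}?arch={arch}"


def sbom_components(grafted: List[Grafted], resolver: Resolver, ptype: str,
                    namespace: str, arch: str) -> List[dict]:
    """One CycloneDX-shaped component per grafted library. Libraries the package
    manager does not own (user-built ones) are still listed, without a purl, so a
    scanner can flag them as unattributed instead of silently skipping them."""
    components = []
    for src, grafted_name in grafted:
        owner = resolver(src)
        comp = {"type": "library",
                "name": owner.name if owner else grafted_name,
                "version": owner.version if owner else "",
                "properties": [{"name": "auditwheel:grafted-as", "value": grafted_name},
                               {"name": "auditwheel:source-path", "value": src}]}
        if owner:
            comp["purl"] = make_purl(ptype, namespace, owner, arch)
        components.append(comp)
    return components


if __name__ == "__main__":
    # Usage: python graft_sbom.py /usr/lib64/libssl.so.1.1:libssl-9f2a1c3e.so.1.1 ...
    backend = detect_backend()
    if backend is None:
        sys.exit("no rpm/dpkg-query/apk on PATH; cannot attribute grafted libraries")
    with open("/etc/os-release") as fh:
        distro = parse_os_release(fh.read()).get("ID", "unknown")
    pairs = [tuple(arg.split(":", 1)) for arg in sys.argv[1:]]
    comps = sbom_components(pairs, backend[1], backend[0], distro, platform.machine())
    print(json.dumps({"components": comps}, indent=2))
```

The resolver is injected so the SBOM builder is testable with a fake mapping, and so delocate or delvewheel could plug in a Homebrew or vcpkg lookup behind the same interface, which is roughly the shared-project split the comment above suggests. Note that the version string for deb comes from a second `dpkg-query -W` call, and that `rpm -qf` exits non-zero for a file no package owns, which is why `_run` treats a non-zero exit as "no owner".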