|
| 1 | +"""Generate SPDX 2.3 SBOM documents for wheels built by Fromager. |
| 2 | +
|
| 3 | +Produces minimal SPDX 2.3 JSON documents conforming to PEP 770 for |
| 4 | +embedding in the ``.dist-info/sboms/`` directory of built wheels. |
| 5 | +""" |
| 6 | + |
| 7 | +from __future__ import annotations |
| 8 | + |
| 9 | +import importlib.metadata |
| 10 | +import json |
| 11 | +import logging |
| 12 | +import pathlib |
| 13 | +import typing |
| 14 | +from datetime import UTC, datetime |
| 15 | + |
| 16 | +from packaging.requirements import Requirement |
| 17 | +from packaging.utils import canonicalize_name |
| 18 | +from packaging.version import Version |
| 19 | + |
| 20 | +if typing.TYPE_CHECKING: |
| 21 | + from . import context |
| 22 | + |
| 23 | +logger = logging.getLogger(__name__) |
| 24 | + |
| 25 | +SBOM_FILENAME = "fromager.spdx.json" |
| 26 | + |
| 27 | + |
| 28 | +def _build_purl( |
| 29 | + *, |
| 30 | + package_name: str, |
| 31 | + package_version: Version, |
| 32 | + purl_override: str | None, |
| 33 | +) -> str: |
| 34 | + """Build a package URL for the SBOM. |
| 35 | +
|
| 36 | + Returns ``pkg:pypi/<name>@<version>`` by default. If a purl override |
| 37 | + is set in per-package settings, it is used instead with |
| 38 | + ``str.format()`` substitution for ``{name}`` and ``{version}``. |
| 39 | + """ |
| 40 | + if purl_override: |
| 41 | + try: |
| 42 | + return purl_override.format(name=package_name, version=package_version) |
| 43 | + except (KeyError, ValueError) as err: |
| 44 | + raise ValueError( |
| 45 | + f"invalid purl template {purl_override!r}: " |
| 46 | + "only {name} and {version} are supported" |
| 47 | + ) from err |
| 48 | + return f"pkg:pypi/{package_name}@{package_version}" |
| 49 | + |
| 50 | + |
| 51 | +def generate_sbom( |
| 52 | + *, |
| 53 | + ctx: context.WorkContext, |
| 54 | + req: Requirement, |
| 55 | + version: Version, |
| 56 | +) -> dict[str, typing.Any]: |
| 57 | + """Generate a minimal SPDX 2.3 JSON document for a wheel. |
| 58 | +
|
| 59 | + The document contains the wheel as the primary package and a |
| 60 | + DESCRIBES relationship from the document to the package. |
| 61 | + """ |
| 62 | + sbom_settings = ctx.settings.sbom_settings |
| 63 | + if sbom_settings is None: |
| 64 | + raise RuntimeError("generate_sbom called but SBOM settings are not configured") |
| 65 | + |
| 66 | + pbi = ctx.package_build_info(req) |
| 67 | + name = canonicalize_name(req.name) |
| 68 | + fromager_version = importlib.metadata.version("fromager") |
| 69 | + timestamp = datetime.now(tz=UTC).strftime("%Y-%m-%dT%H:%M:%SZ") |
| 70 | + |
| 71 | + creators = list(sbom_settings.creators) |
| 72 | + creators.append(f"Tool: fromager-{fromager_version}") |
| 73 | + |
| 74 | + namespace = f"{sbom_settings.namespace}/{name}-{version}.spdx.json" |
| 75 | + |
| 76 | + package_entry: dict[str, typing.Any] = { |
| 77 | + "SPDXID": "SPDXRef-wheel", |
| 78 | + "name": name, |
| 79 | + "versionInfo": str(version), |
| 80 | + "downloadLocation": "NOASSERTION", |
| 81 | + "supplier": sbom_settings.supplier, |
| 82 | + } |
| 83 | + |
| 84 | + purl = _build_purl( |
| 85 | + package_name=name, |
| 86 | + package_version=version, |
| 87 | + purl_override=pbi.purl, |
| 88 | + ) |
| 89 | + package_entry["externalRefs"] = [ |
| 90 | + { |
| 91 | + "referenceCategory": "PACKAGE-MANAGER", |
| 92 | + "referenceType": "purl", |
| 93 | + "referenceLocator": purl, |
| 94 | + } |
| 95 | + ] |
| 96 | + |
| 97 | + doc: dict[str, typing.Any] = { |
| 98 | + "spdxVersion": "SPDX-2.3", |
| 99 | + "dataLicense": "CC0-1.0", |
| 100 | + "SPDXID": "SPDXRef-DOCUMENT", |
| 101 | + "name": f"{name}-{version}", |
| 102 | + "documentNamespace": namespace, |
| 103 | + "creationInfo": { |
| 104 | + "created": timestamp, |
| 105 | + "creators": creators, |
| 106 | + }, |
| 107 | + "packages": [package_entry], |
| 108 | + "relationships": [ |
| 109 | + { |
| 110 | + "spdxElementId": "SPDXRef-DOCUMENT", |
| 111 | + "relationshipType": "DESCRIBES", |
| 112 | + "relatedSpdxElement": "SPDXRef-wheel", |
| 113 | + }, |
| 114 | + ], |
| 115 | + } |
| 116 | + return doc |
| 117 | + |
| 118 | + |
| 119 | +def write_sbom( |
| 120 | + *, |
| 121 | + sbom: dict[str, typing.Any], |
| 122 | + dist_info_dir: pathlib.Path, |
| 123 | +) -> pathlib.Path: |
| 124 | + """Write an SBOM document to the .dist-info/sboms/ directory. |
| 125 | +
|
| 126 | + Creates the sboms/ subdirectory if it does not already exist. |
| 127 | + Returns the path to the written file. |
| 128 | + """ |
| 129 | + sboms_dir = dist_info_dir / "sboms" |
| 130 | + sboms_dir.mkdir(exist_ok=True) |
| 131 | + # Fromager generates exactly one SBOM per wheel, so overwriting a |
| 132 | + # previous fromager.spdx.json from an earlier run is expected. |
| 133 | + # SBOMs from other tools (e.g. maturin's CycloneDX) use different |
| 134 | + # filenames and are not affected. |
| 135 | + sbom_path = sboms_dir / SBOM_FILENAME |
| 136 | + with sbom_path.open("w", encoding="utf-8") as f: |
| 137 | + json.dump(sbom, f, indent=2) |
| 138 | + f.write("\n") |
| 139 | + logger.info("wrote SBOM to %s", sbom_path) |
| 140 | + return sbom_path |
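Review bot: The error message in `_build_purl` promises that "only {name} and {version} are supported", but nothing enforces it: `str.format()` also accepts positional fields (`{}` raises IndexError, which the `except (KeyError, ValueError)` does not catch) and attribute or index lookups on the substituted objects (`{version.major}` renders rather than failing), so a per-package purl template can reach into the `Version` object's attributes. Since the template comes from operator-controlled settings this is a validation gap rather than an exposure, but the documented contract should be checked up front with `string.Formatter().parse()` (add `import string` to the import block) before formatting. Separately, in `generate_sbom` the `documentNamespace` is `{namespace}/{name}-{version}.spdx.json`, so two builds of the same release produce documents with identical namespaces, while SPDX 2.3 expects the namespace to be unique per document (the spec suggests appending a UUID). The `created` timestamp from `datetime.now()` also makes the SBOM, and therefore the wheel contents, differ on every rebuild; if reproducible builds matter here, honouring `SOURCE_DATE_EPOCH` when it is set would be the usual fix, though I cannot tell from this hunk whether Fromager targets reproducibility.
```python
def _build_purl(
    # … unchanged: keyword-only parameters and docstring …
) -> str:
    if purl_override:
        try:
            # str.format() also permits positional fields ("{}") and
            # attribute/index access ("{version.major}"); reject anything
            # other than the two documented placeholders before formatting.
            fields = {
                field
                for _, field, _, _ in string.Formatter().parse(purl_override)
                if field is not None
            }
            unsupported = fields - {"name", "version"}
            if unsupported:
                raise ValueError(f"unsupported placeholder(s): {sorted(unsupported)}")
            return purl_override.format(name=package_name, version=package_version)
        except (KeyError, ValueError) as err:
            raise ValueError(
                f"invalid purl template {purl_override!r}: "
                "only {name} and {version} are supported"
            ) from err
    return f"pkg:pypi/{package_name}@{package_version}"
```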