SBOM Generation Tools in the Python Ecosystem: an In-Detail Analysis
Format: | Journal Article |
Language: | English |
Published: | 02-09-2024 |
Summary: | Software Bills of Material (SBOMs), which improve transparency by listing the components constituting software, are a key countermeasure to the mounting problem of Software Supply Chain attacks. SBOM generation tools take project source files and provide an SBOM as output, interacting with the software ecosystem. While SBOMs are a substantial improvement for security practitioners, providing a complete and correct SBOM is still an open problem. This paper investigates the causes of the issues affecting SBOM completeness and correctness, focusing on the PyPI ecosystem. We analyze four popular SBOM generation tools using the CycloneDX standard. Our analysis highlights issues related to dependency versions, metadata files, remote dependencies, and optional dependencies. Additionally, we identified a systematic issue with the lack of standards for metadata in the PyPI ecosystem. This includes inconsistencies in the presence of metadata files as well as variations in how their content is formatted. |
DOI: | 10.48550/arxiv.2409.01214 |