Planet Python

Seth Michael Larson: PEP 770 Software Bill-of-Materials (SBOM) data from PyPI, Fedora, and Red Hat

The author of PEP 770 proposed a new standardized location for Software Bill-of-Materials (SBOM) data within Python wheel archives: the (package)-(version).dist-info/sboms/ directory. Defining the metadata as files inside the archive, rather than as a new core metadata field, avoids having to introduce a new metadata field and a new metadata version. The PEP 770 specification has been published and is available on packaging.python.org, so SBOM data can now be included in Python wheel archives.

Since publication, several developments have followed. The manylinux images have adopted the new auditwheel version, which automatically generates SBOM data and places it in the location PEP 770 specifies. As a result, many projects on PyPI now ship SBOM data in their wheels; among the top-10 most downloaded projects doing so are greenlet, numba, and pymssql. Red Hat and Fedora have also adopted PEP 770 to reduce false positives in vulnerability scans, by recording the actual, correct Package URL for the installed package in the SBOM.

Adoption of PEP 770 is expected to keep growing, with more projects likely to require SBOM data for their bundled dependencies. The author will continue to watch the numbers grow over time and is encouraging feedback on the approach from consuming tools.
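To show what a consuming tool does with the layout described above, here is an added example (not code from the post, PEP 770, or auditwheel) that locates SBOM files under a wheel's .dist-info/sboms/ directory and pulls the component Package URLs out of them. The wheel contents and the CycloneDX JSON document are constructed sample data, and CycloneDX is assumed as the SBOM format; a real wheel may carry SPDX instead.

```python
"""Locate PEP 770 SBOM files inside a wheel and collect their Package URLs."""
import io
import json
import re
import zipfile

# Matches members directly under the PEP 770 location: {name}-{version}.dist-info/sboms/
SBOM_PATH_RE = re.compile(r"^[^/]+\.dist-info/sboms/[^/]+$")

# Constructed CycloneDX document describing one bundled shared library.
# Sample data only; not taken from any real wheel or from auditwheel output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "libexample", "version": "1.2.3",
         "purl": "pkg:generic/libexample@1.2.3"},
    ],
}


def build_sample_wheel() -> bytes:
    """Build an in-memory wheel (a zip) carrying one SBOM at the PEP 770 location."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example/__init__.py", "")
        zf.writestr("example-1.0.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: example\nVersion: 1.0.0\n")
        zf.writestr("example-1.0.0.dist-info/sboms/example.cdx.json",
                    json.dumps(SAMPLE_SBOM))
    return buf.getvalue()


def find_sbom_files(wheel_bytes: bytes) -> list[str]:
    """Return the archive members that live in a .dist-info/sboms/ directory."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        return sorted(n for n in zf.namelist() if SBOM_PATH_RE.match(n))


def extract_purls(wheel_bytes: bytes) -> list[str]:
    """Collect component purls from every CycloneDX JSON SBOM in the wheel."""
    # A scanner can match these purls directly instead of guessing the identity
    # of bundled files from their names, which is how SBOMs cut false positives.
    purls = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in find_sbom_files(wheel_bytes):
            doc = json.loads(zf.read(name))
            if doc.get("bomFormat") != "CycloneDX":
                continue  # an SPDX document would need a different walker
            purls.extend(c["purl"] for c in doc.get("components", []) if "purl" in c)
    return purls
```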
sethmlarson.dev