asf-tooling opened a new issue, #1071:
URL: https://github.com/apache/tooling-trusted-releases/issues/1071
**ASVS Level(s):** L2-only
**Description:**
### Summary
While ATR provides comprehensive SBOM generation, validation, and management
tooling for projects it serves, ATR does not maintain a formal SBOM (CycloneDX
or SPDX format) for its own third-party dependencies. The
`pip-audit.requirements` file serves as an informal inventory with exact
versions, and `uv.lock` pins resolved versions, but neither constitutes a
standard-format SBOM. Without a formal SBOM, automated supply chain analysis
tools cannot consume ATR's dependency information in a standardized way.
### Details
The issue exists project-wide—no SBOM artifact is generated or published for
ATR's own dependencies. While dependency information exists in multiple formats
(requirements files, lock files), none conform to SBOM standards (CycloneDX or
SPDX).
### Recommended Remediation
Add SBOM generation to CI workflow:
```yaml
# In .github/workflows/analyze.yml or new workflow
name: Generate SBOM
on:
  push:
    branches: [main]
  release:
    types: [published]
jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    # The release-asset upload below writes to the repository, so the job
    # needs a write-scoped token even when the default token is read-only.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install uv
        run: pip install uv
      - name: Generate CycloneDX SBOM
        # `cyclonedx-py` is the CLI of the `cyclonedx-bom` package; it must be
        # declared as a (dev) dependency in uv.lock for `uv run --frozen` to find it.
        run: |
          uv run --frozen cyclonedx-py environment \
            --output-format json \
            --outfile sbom.cdx.json
      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json
      - name: Attach SBOM to release
        if: github.event_name == 'release'
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ github.event.release.upload_url }}
          asset_path: sbom.cdx.json
          asset_name: sbom.cdx.json
          asset_content_type: application/json
```
Add Makefile target for local generation:
```makefile
.PHONY: sbom
sbom:
	uv run --frozen cyclonedx-py environment \
		--output-format json \
		--outfile sbom.cdx.json
	@echo "SBOM generated: sbom.cdx.json"
```
### Acceptance Criteria
- [ ] CI workflow added to generate SBOM
- [ ] SBOM generated on push to main branch
- [ ] SBOM attached to GitHub releases
- [ ] SBOM uploaded as build artifact
- [ ] Makefile target added for local SBOM generation
- [ ] SBOM format validated (CycloneDX JSON)
- [ ] Documentation updated with SBOM generation instructions
- [ ] SBOM includes all Python dependencies from uv.lock
### References
- Source reports: L2:15.1.2.md
- Related findings: None
- ASVS sections: 15.1.2
### Priority
Medium