[ANN] PkgToSoftwareBOM v0.1.12: Options to include the package server and artifact build scripts in the SBOM

Version 0.1.12 of the PkgToSoftwareBOM.jl package has been released.

PkgToSoftwareBOM.jl produces a Software Bill of Materials (SBOM) describing your Julia environment. At this time, the SBOM produced is in the SPDX format. Contributions to support other SBOM formats are welcome.

I created PkgToSoftwareBOM.jl to help the Julia ecosystem get prepared for the emerging future of software supply chain security. If we want to see Julia adoption continue to grow, then we need to be able to easily create SBOMs to supply to the organizations using Julia packages.

Since the last announcement, two new keywords have been added that provide additional functionality.

Keyword use_packageserver

A package developer’s GitHub (or other) repository is the canonical source for the package code. An SBOM generated by PkgToSoftwareBOM by default refers to that git repository, pinned to a specific git tree hash, so that a user can retrieve the source code for a particular version.

But very few people actually get their packages from GitHub. Instead, Pkg defaults to using the package server maintained by JuliaLang. The package server holds a copy of each package version registered in the General Registry as a compressed tarball ready to be downloaded.

PkgToSoftwareBOM now gives the user the option of listing the package server as the code source rather than the git repository, through the keyword use_packageserver.

There are a few reasons why a user might want to use the package server location in the SBOM:

  • Since the package server is where your typical user gets their packages from, one can argue that the SBOM should reflect that, in the name of accuracy.

  • Not every analyst would find it useful to be directed to the repo and then be expected to figure out how to use git to extract the correct version.

  • A user wants to submit tarballs of the packages they are using to their corporate FOSS approval system. Using this keyword makes that job a lot easier.

As an example, the default DownloadLocation for v0.1.12 of PkgToSoftwareBOM would be:

git+https://github.com/SamuraiAku/PkgToSoftwareBOM.jl.git@ba259068d698c79494d9c90a68bfab6e244a7fde

When the keyword use_packageserver=true is set, the DownloadLocation becomes:

https://pkg.julialang.org/package/6254a0f9-6143-4104-aa2e-fd339a2830a6/ba259068d698c79494d9c90a68bfab6e244a7fde

For the advanced user who uses a package server other than the default, PkgToSoftwareBOM checks whether ENV["JULIA_PKG_SERVER"] is set and honors whatever server is set there.
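As an added illustration (example code written for this post, not part of PkgToSoftwareBOM.jl), here is a small Python helper an SBOM consumer could use to parse both DownloadLocation forms shown above, check that each is pinned to a 40-character git tree hash, confirm that the git and package-server forms of one package agree, and build the package-server URL while honoring JULIA_PKG_SERVER the same way the package does. The two sample locations are the ones from this post; the function names (package_server_location, parse_download_location, same_tree) are my own.

```python
"""Parse and build the two SPDX DownloadLocation forms shown above.

Example code written for this post (not part of PkgToSoftwareBOM.jl), so an
SBOM consumer can check that a location is pinned to a git tree hash and that
the git and package-server forms of one package agree.
"""
import os
import re
from typing import Mapping, Optional

# Default server Pkg uses; JULIA_PKG_SERVER overrides it, as the post describes.
DEFAULT_PKG_SERVER = "https://pkg.julialang.org"

# The two sample locations from the post (PkgToSoftwareBOM v0.1.12 itself).
SAMPLE_GIT_LOCATION = (
    "git+https://github.com/SamuraiAku/PkgToSoftwareBOM.jl.git"
    "@ba259068d698c79494d9c90a68bfab6e244a7fde"
)
SAMPLE_PKGSERVER_LOCATION = (
    "https://pkg.julialang.org/package/"
    "6254a0f9-6143-4104-aa2e-fd339a2830a6/ba259068d698c79494d9c90a68bfab6e244a7fde"
)

_TREE = r"[0-9a-f]{40}"
_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# git+<https repo url>@<tree hash>
_GIT_RE = re.compile(rf"^git\+(?P<repo>https://\S+)@(?P<tree>{_TREE})$")
# <server>/package/<uuid>/<tree hash>
_PKGSERVER_RE = re.compile(
    rf"^(?P<server>https?://[^/]+)/package/(?P<uuid>{_UUID})/(?P<tree>{_TREE})$"
)


def package_server(env: Mapping[str, str] = os.environ) -> str:
    """Server for package-server locations; honors JULIA_PKG_SERVER when set."""
    return env.get("JULIA_PKG_SERVER", DEFAULT_PKG_SERVER).rstrip("/")


def package_server_location(uuid: str, tree_hash: str, server: Optional[str] = None) -> str:
    """Build the package-server DownloadLocation for a package UUID and tree hash."""
    if not re.fullmatch(_TREE, tree_hash):
        raise ValueError("tree hash must be 40 lowercase hex characters")
    base = (server or package_server()).rstrip("/")
    return f"{base}/package/{uuid}/{tree_hash}"


def parse_download_location(location: str) -> dict:
    """Classify a DownloadLocation as git or package-server and pull out its parts."""
    m = _GIT_RE.match(location)
    if m:
        return {"kind": "git", "repo": m["repo"], "tree_hash": m["tree"]}
    m = _PKGSERVER_RE.match(location)
    if m:
        return {"kind": "packageserver", "server": m["server"],
                "uuid": m["uuid"], "tree_hash": m["tree"]}
    # Anything else (e.g. a bare repo URL) is not pinned to a specific tree.
    raise ValueError(f"DownloadLocation is not pinned to a tree hash: {location!r}")


def same_tree(location_a: str, location_b: str) -> bool:
    """True when two locations (of either form) point at the same git tree."""
    return (parse_download_location(location_a)["tree_hash"]
            == parse_download_location(location_b)["tree_hash"])


if __name__ == "__main__":
    for loc in (SAMPLE_GIT_LOCATION, SAMPLE_PKGSERVER_LOCATION):
        print(parse_download_location(loc))
    print("same tree:", same_tree(SAMPLE_GIT_LOCATION, SAMPLE_PKGSERVER_LOCATION))
```

Both forms carry the same tree hash, which is what lets a reviewer cross-check a package-server SBOM entry against the upstream git repository; a location that does not parse here is one that cannot be tied to a specific source tree.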

Keyword find_artifactsource

When a binary artifact is used by a package, an SBOM analyst would like to know where that artifact’s source code is as well.

In the general case, it is impossible to get artifact source code information from within Julia.

But a very large percentage of artifacts in general use today belong to packages commonly known as JLLs, which are autogenerated by the BinaryBuilder.jl tool. The build scripts for these artifacts are hosted in the Julia community build tree, Yggdrasil. These packages have a README with links to the branch in Yggdrasil containing the artifact’s build scripts.

When the keyword find_artifactsource=true is set, PkgToSoftwareBOM extracts this information and adds an entry to the SBOM showing that the artifact was GENERATED_FROM these build scripts.
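To show what that extraction amounts to, here is an added Python example (not the package's own implementation): it scans README text for a Yggdrasil build_tarballs.jl link, turns it into an SPDX package entry plus a GENERATED_FROM relationship, and flags whether the link names a commit hash (pinned) or a branch (which can move after the SBOM is written, so the scripts it points at may no longer be the ones that produced the artifact). The README text is constructed, and the assumed link layout `Yggdrasil/blob/<revision>/<path>/build_tarballs.jl` and all function names are mine.

```python
"""Recover a JLL package's Yggdrasil build-script location from its README and
express it as an SPDX GENERATED_FROM relationship.

Example code written for this post, not PkgToSoftwareBOM.jl's own
implementation. The README text below is constructed, and the exact link
layout (Yggdrasil/blob/<revision>/<path>/build_tarballs.jl) is an assumption
about how JLL READMEs point at their build scripts.
"""
import re

YGGDRASIL_REPO = "https://github.com/JuliaPackaging/Yggdrasil"

# Constructed README in the style of an autogenerated JLL package.
SAMPLE_JLL_README = """# Example_jll.jl
This is an autogenerated package constructed using BinaryBuilder.jl.
The originating build_tarballs.jl script can be found on Yggdrasil:
https://github.com/JuliaPackaging/Yggdrasil/blob/0123456789abcdef0123456789abcdef01234567/E/Example/build_tarballs.jl
"""

_HEX40 = r"[0-9a-f]{40}"
# Yggdrasil blob link; the revision is either a commit hash or a branch name.
_YGG_RE = re.compile(
    re.escape(YGGDRASIL_REPO)
    + rf"/blob/(?P<rev>{_HEX40}|[A-Za-z0-9._-]+)/(?P<path>\S+?)/build_tarballs\.jl"
)


def find_yggdrasil_source(readme: str):
    """Return the build-script link found in a README, or None when absent."""
    m = _YGG_RE.search(readme)
    if m is None:
        return None
    return {"url": m.group(0), "rev": m["rev"], "path": m["path"]}


def is_pinned(source: dict) -> bool:
    """A commit hash pins the scripts; a branch name can move after the SBOM is written."""
    return re.fullmatch(_HEX40, source["rev"]) is not None


def generated_from_relationship(artifact_spdxid: str, readme: str):
    """SPDX package + relationship recording that an artifact was GENERATED_FROM its scripts."""
    source = find_yggdrasil_source(readme)
    if source is None:
        return None
    build_id = "SPDXRef-Yggdrasil-" + source["path"].replace("/", "-")
    package = {
        "SPDXID": build_id,
        "name": f"Yggdrasil build scripts for {source['path']}",
        # Same git+<repo>@<revision> shape as the package locations above.
        "downloadLocation": f"git+{YGGDRASIL_REPO}.git@{source['rev']}",
        "sourceInfo": source["url"],
    }
    relationship = {
        "spdxElementId": artifact_spdxid,
        "relationshipType": "GENERATED_FROM",
        "relatedSpdxElement": build_id,
    }
    return {"package": package, "relationship": relationship, "pinned": is_pinned(source)}


if __name__ == "__main__":
    print(generated_from_relationship("SPDXRef-Example-artifact", SAMPLE_JLL_README))
```

An analyst reading the resulting SBOM gets a package entry for the build scripts and a relationship tying the artifact to it; the `pinned` flag is the check worth keeping, since only a commit-pinned link lets you reproduce exactly which scripts were used.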
