Generate SBOM for wheels

[lcarva]

A recent discussion in the python community reached the conclusion that SBOMs should be used to identify the origin of a certain python package. This was then adopted in the Fedora Rawhide community.

Given that Fromager's purpose is to build wheels, it would be wonderful if Fromager could also generate an SBOM along the way. Expanding on the Rawhide example:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "library",
      "name": "requests",
      "version": "2.32.5",
      "purl": "pkg:pypi/requests@2.32.5?repository_url=https://my.index.example.com"
    }
  ]
}

The important piece is the purl attribute. It follows the spec for python packages and it adds a qualifier, repository_url to specify an alternate locaion.

The value of repository_url should indicate the index of where the package will be published to. Since Fromager has no way of knowing this, a new optional parameter should be added. If the parameter is not provided, repository_url is not added to the purl. (This could be used to support cases where Fromager is used to build wheels intended to be published on pypi.org.)

As per PEP-770 the SBOM should reside under the .dist-info/sboms directory. There are two main SBOM format CycloneDX and SPDX. I don't think Formager needs to support generating both. No preference is given to either.

[lcarva]

@dhellmann and @tiran, wdyt? Any objections to this feature request?

[tiran]

@lcarva Thanks for filing the feature request. Internally, we discussed SBOM a couple of times over the last few months. We like to add SBOM support to Fromager, but we haven't had time to design it.

Some pointers:

• For packages that we rebuild from unmodified upstream sdist, the SBOM should indicate that the wheel is a rebuilt and not the same as the upstream wheel on pypi.org.
• For packages that have modifications (patches), we also need to indicate that the sources have been modified.
• In a few cases, we build packages from a midstream fork or from a git repo without a package on PyPI. SBOM need to indicate that our build is different from PyPI package.
• For projects with Rust and Go code, we also want to include information about vendored packages.

[dhellmann]

It's not clear to me what role fromager has and what role the build backends have in producing the SBOM. I think the backends wouldn't know about things like indexes and whether the source is patched, but I don't feel like we want fromager trying to figure out what rust or go code is inside a given wheel.

Is there any discussion of the division of responsibility upstream?