Description
Proposal:
Part of #112302
An SBOM document has been added for dependencies within CPython itself. This document is kept up-to-date using tooling and CI within the CPython repository. For building on Windows there exists a repository, cpython-source-deps, which "mirrors" the source code of projects not in the CPython git repo.
These dependencies are pulled in optionally. I still need to investigate what combinations are possible, but I know the possible projects and versions for each CPython branch are currently captured in PCBuild/get_externals.bat.
I will be investigating the best method for creating an SBOM for these dependencies such that release-tools can stitch it into the final SBOMs that are distributed with release artifacts. There's a chance that no work needs to be done on this repository; in that case this issue will be migrated.
Has this already been discussed elsewhere?
See the Discourse topic
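As an added illustration of the approach proposed above (this is not code from CPython, cpython-source-deps or release-tools): a script that pulls project/version pairs out of a constructed fragment written in the style of get_externals.bat and turns them into SPDX-style package records carrying CPE references, flagging any external for which no CPE is known. The fragment, the CPE vendor/product mapping and the SPDX field choices are assumptions made for this example.

```python
import re

# Constructed fragment in the style of PCBuild/get_externals.bat (not the real file).
SAMPLE_GET_EXTERNALS = r"""
set libraries=
set libraries=%libraries%                                    bzip2-1.0.8
set libraries=%libraries%                                    sqlite-3.45.1.0
set libraries=%libraries%                                    xz-5.2.5
set binaries=
set binaries=%binaries%                                      openssl-bin-3.0.13
"""

# Assumed CPE vendor/product pairs; the NVD CPE dictionary is the authoritative source.
# openssl-bin is deliberately left out to exercise the "missing CPE" path.
CPE_MAP = {
    "bzip2": ("bzip", "bzip2"),
    "sqlite": ("sqlite", "sqlite"),
    "xz": ("tukaani", "xz"),
}

# Matches 'set libraries=%libraries% <name-version>' and the 'binaries' equivalent.
EXTERNAL_RE = re.compile(r"^set (libraries|binaries)=%\1%\s+(\S+)\s*$", re.MULTILINE)


def parse_externals(text):
    """Return (name, version) tuples in file order; version is the part after the last hyphen."""
    found = []
    for _kind, item in EXTERNAL_RE.findall(text):
        name, sep, version = item.rpartition("-")
        if not sep or not version[:1].isdigit():
            raise ValueError(f"cannot split name/version: {item!r}")
        found.append((name, version))
    return found


def sbom_packages(externals, cpe_map):
    """Build SPDX 2.x style package dicts; return (packages, names lacking a CPE)."""
    packages, missing = [], []
    for name, version in externals:
        pkg = {"SPDXID": f"SPDXRef-EXTERNAL-{name}", "name": name,
               "versionInfo": version, "downloadLocation": "NOASSERTION"}
        if name in cpe_map:
            vendor, product = cpe_map[name]
            pkg["externalRefs"] = [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                                    "referenceLocator": f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*"}]
        else:
            missing.append(name)  # a CI check would fail the build here rather than ship a bare record
        packages.append(pkg)
    return packages, missing
```

A CI job can run this against each branch's get_externals.bat and fail when `missing` is non-empty, so a version bump without a matching CPE update is caught before release.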
Linked PRs
- gh-112844: Add SBOM for external dependencies #115789
- [3.12] gh-112844: Add SBOM for external dependencies (GH-115789) #116128
- gh-112844: Fix xz CPE identifier #117656
- [3.12] gh-112844: Fix xz CPE identifier (GH-117656) #117951
- gh-112844: Update CPE references for external dependencies #118521
- [3.13] gh-112844: Update CPE references for external dependencies (GH-118521) #119237
- [3.12] gh-112844: Update CPE references for external dependencies (GH-118521) #119238