Metadata-Version: 2.1
Name: sbom
Version: 0.0.3
Summary: Tree shaking for the minimal viable SBOM.
Home-page: https://github.com/sthagen/refactored-computing-machine
Author: Stefan Hagen
Author-email: stefan@hagen.link
License: MIT
Keywords: software-bill-of-materials validation cyclonedx spdx baseline extension development
Platform: UNKNOWN
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Topic :: Software Development :: Build Tools
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Description-Content-Type: text/markdown
Requires-Dist: attrs
Requires-Dist: click
Requires-Dist: cyclonedx-bom
Requires-Dist: jsonschema
Requires-Dist: spdx-tools
Requires-Dist: xmlschema

# sbom

[![license](https://img.shields.io/github/license/sthagen/refactored-computing-machine.svg?style=flat)](https://github.com/sthagen/refactored-computing-machine/blob/default/LICENSE)
[![version](https://img.shields.io/pypi/v/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![downloads](https://img.shields.io/pypi/dm/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![wheel](https://img.shields.io/pypi/wheel/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![supported-versions](https://img.shields.io/pypi/pyversions/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)
[![supported-implementations](https://img.shields.io/pypi/implementation/sbom.svg?style=flat)](https://pypi.python.org/pypi/sbom/)


Tree shaking for the minimal viable software bill of materials (SBOM).

## Status
Experimental.

## Terminology
* **baseline** - mandatory elements
* **consume** - an SBOM
* **crypto** - hashing, signing, and signature validation
* **extension** - sets of elements mandatory in addition to baseline
* **fuzz** - generate surrogate and poisoned SBOMs
* **merge** - an SBOM with other SBOMs or additional information
* **mock** - provide optimal testability
* **policy** - to apply
* **produce** - an SBOM
* **report** - anything from produce, transform, and consume
* **rule** - executing policies
* **transform** - one SBOM into another SBOM

## Safety, Security, and Data Protection Considerations
The current implementation **SHALL** only digest trustworthy data.  

Schema validation of JSON and XML formats requires specific measures to  
minimize vulnerabilities.

For example: the Python XML parser implementation (`etree`) in use is
presumably vulnerable to attacks such as *billion laughs* and *quadratic blowup*.

Plans are to move towards a safer implementation like `defusedxml`
or any other hardened implementation.
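Until that move happens, one defender-side measure is to pre-screen every XML SBOM with expat and refuse anything that declares a DTD or entities, since both attacks named above depend on such declarations. The following is an added example, not part of this project's code; `UnsafeXML`, `check_xml_is_safe`, `is_safe_xml`, `parse_sbom_xml` and the two sample documents are assumptions made here:

```python
# Added example, not the sbom project's code; names are assumptions.
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """The document uses a construct that enables entity-expansion attacks."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Billion laughs and quadratic blowup both need a DTD to declare entities,
    # so refusing any DOCTYPE closes the door on both (and on external DTDs).
    raise UnsafeXML(f"DOCTYPE declaration not allowed (root {name!r})")


def _reject_entity(*_args):
    # Shared by the entity, unparsed-entity and external-reference handlers.
    raise UnsafeXML("entity declaration or external reference not allowed")


def check_xml_is_safe(data: bytes) -> None:
    """Run expat over the bytes; the handlers abort the parse by raising."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.UnparsedEntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_entity
    parser.Parse(data, True)  # also raises expat.ExpatError on malformed input


def is_safe_xml(data: bytes) -> bool:
    try:
        check_xml_is_safe(data)
    except UnsafeXML:
        return False
    return True


def parse_sbom_xml(data: bytes) -> ET.Element:
    """Hand the bytes to etree only after the pre-screen has passed."""
    check_xml_is_safe(data)
    return ET.fromstring(data)


# Constructed samples: a minimal CycloneDX-shaped document and a two-entity DTD.
SAFE_SAMPLE = b'<?xml version="1.0"?><bom><components><component><name>x</name></component></components></bom>'
UNSAFE_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aa"><!ENTITY b "&a;&a;">]><d>&b;</d>'
```

Recent libexpat releases (2.4.0 and later) add amplification limits of their own, but the pre-screen does not rely on that and also rejects external entity references outright.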

The situation is similar for the JSON formats.

In summary and repeating the obvious:
> The current implementation **SHALL** only digest trustworthy data.

**Note**: The default branch is `default`.