Python packages have a "phantom dependency" problem: many packages contain non-Python software (C, C++, Rust, Go, JavaScript, etc.) that can't be described using Python packaging metadata. As a result, software composition analysis (SCA) tools often miss this software. Python is particularly affected by this issue, but many other software ecosystems have the same problem.
The proposed solution is a mechanism to describe cross-technology software within Python packaging metadata using SBOMs.
Seth has authored a draft Python Enhancement Proposal (PEP) and circulated it among Python packaging reviewers, the SBOM standards communities (both SPDX and CycloneDX), and SBOM user working groups. The PEP would provide a mechanism to bundle self-describing SBOM documents into Python package archives. The draft has a sponsor and reviewer: Brett Cannon.
Seth created a fork of auditwheel that implements the draft PEP and published a case study showing that, by adding SBOM data to Python wheels, SCA tools are able to properly detect all bundled software within the archive.
- Public discussion on Python Discourse
- Tracking Project on GitHub
- Blog post: Early promising results with SBOMs and Python packages
- Blog post: Visualizing the Python package SBOM data flow
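As an added illustration of the phantom dependency problem and of the SBOM cross-check described above (example code written for this page, not Seth's auditwheel fork and not the draft PEP's actual file layout): it builds a constructed wheel whose METADATA declares only a Python dependency while a vendored libexpat shared object sits in the archive, then shows how a CycloneDX-shaped SBOM (constructed, using `evidence.occurrences[].location`) lets a scanner account for that file.

```python
import io
import json
import re
import zipfile

# Files that are native code rather than Python: the "phantom" part of a wheel.
NATIVE_FILE = re.compile(r"\.(so|dylib|dll|pyd)(\.\d+)*$")

def build_constructed_wheel() -> bytes:
    """Constructed sample wheel: METADATA names a Python dep, plus an auditwheel-style vendored C library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "# constructed package\n")
        zf.writestr("demo.libs/libexpat-1a2b3c4d.so.1.9.1", b"\x7fELF constructed stub")
        zf.writestr("demo-1.0.dist-info/METADATA",
                    "Metadata-Version: 2.1\nName: demo\nVersion: 1.0\nRequires-Dist: requests\n")
    return buf.getvalue()

def declared_and_phantom(wheel_bytes: bytes) -> tuple[list[str], list[str]]:
    """Split what METADATA declares (Python deps) from native files that no metadata field can name."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
        metadata = next(n for n in names if n.endswith(".dist-info/METADATA"))
        lines = zf.read(metadata).decode().splitlines()
    declared = [l.split(":", 1)[1].strip() for l in lines if l.startswith("Requires-Dist:")]
    phantom = [n for n in names if NATIVE_FILE.search(n)]
    return declared, phantom

def undescribed_native_files(wheel_bytes: bytes, sbom_json: str) -> list[str]:
    """Native files no SBOM component claims through a CycloneDX evidence.occurrences[].location."""
    _, phantom = declared_and_phantom(wheel_bytes)
    covered = {occ.get("location")
               for comp in json.loads(sbom_json).get("components", [])
               for occ in comp.get("evidence", {}).get("occurrences", [])}
    return [path for path in phantom if path not in covered]

# Constructed CycloneDX-shaped SBOM for the vendored library (not real auditwheel output).
SBOM_WITH_LIBEXPAT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library", "name": "expat", "version": "2.6.4",
                    "purl": "pkg:generic/expat@2.6.4",
                    "evidence": {"occurrences": [{"location": "demo.libs/libexpat-1a2b3c4d.so.1.9.1"}]}}],
})

if __name__ == "__main__":
    wheel = build_constructed_wheel()
    print("declared / phantom:", declared_and_phantom(wheel))
    print("undescribed without SBOM:", undescribed_native_files(wheel, '{"components": []}'))
    print("undescribed with SBOM:", undescribed_native_files(wheel, SBOM_WITH_LIBEXPAT))
```

Without the SBOM, the only record of libexpat is a filename pattern in the archive; with it, the component carries a name, version and purl that a vulnerability database can be queried against.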
- PGP signatures deprecated for Python 3.14 and onwards following the acceptance of PEP 761.
- Finished 2024 year-end report for Alpha-Omega. Worked on renewal statement of work for 2025.
- Published "New era of slop security reports for open source", a blog post about a concerning trend in LLM-generated and low-quality security reports.
- Upgraded libexpat for CPython to fix multiple CVEs. Created script to make future updates easier.
- Published advisory for CPython for CVE-2024-11168, improper validation of IPv6 and IPvFuture addresses.
- Back-filled missing/incorrect vulnerability records for the PYSEC OSV database.