dev: tweak compliance tooling.

abilian · Nov 28, 2024 · 99667b3 · 99667b3
1 parent 8866797
commit 99667b3
Show file tree

Hide file tree

Showing 8 changed files with 2,797 additions and 196 deletions.
diff --git a/Makefile b/Makefile
@@ -31,12 +31,22 @@ update-deps:
 ## Generate SBOM
 generate-sbom:
 	@echo "--> Generating SBOM"
-	uv sync --no-dev
+	uv sync -q --no-dev
 	uv pip list --format=freeze > compliance/requirements-prod.txt
-	uv sync
+	uv sync -q
+	# CycloneDX
 	uv run cyclonedx-py requirements \
 		--pyproject pyproject.toml -o compliance/sbom-cyclonedx.json \
 		compliance/requirements-prod.txt
+	# Add license information
+	uv run lbom \
+		--input_file compliance/sbom-cyclonedx.json \
+		> compliance/sbom-lbom.json
+	mv compliance/sbom-lbom.json compliance/sbom-cyclonedx.json
+	# SPDX
+	sbom4python -r compliance/requirements-prod.txt \
+		--sbom spdx --format json \
+		-o compliance/sbom-spdx.json
 
 ## Activate pre-commit hook
 activate-pre-commit:

diff --git a/compliance/README.md b/compliance/README.md
@@ -0,0 +1,34 @@
+# Compliance Directory
+
+This directory contains files related to software compliance, dependency management, and security. Below is an overview of the files:
+
+## Files
+
+These files are automatically generated by the `make generate-sbom` command.
+
+### `sbom-cyclonedx.json`
+- **Description:** SBOM in CycloneDX format, detailing components and dependencies.
+- **Use Case:** Supply chain security and compliance audits with the CycloneDX ecosystem.
+
+### `sbom-spdx.json`
+- **Description:** SBOM in SPDX format for license tracking and compliance.
+- **Use Case:** Licensing audits and interoperability with SPDX tools.
+
+### `requirements-full.txt`
+- **Description:** Comprehensive list of all dependencies for all environments.
+- **Use Case:** Provided for reference and when using certains tools. The recommended approach is to use `uv sync` to manage dependencies.
+
+### `requirements-prod.txt`
+- **Description:** Minimal list of dependencies for production.
+- **Use Case:** Provided for reference and when using certains tools. The recommended approach is to use `pip install .` to manage dependencies.
+
+## Usage and Best Practices
+
+- Regularly update SBOMs and dependency files.
+- Use security tools (e.g., Dependency-Track) for audits.
+- Validate SBOMs with, e.g.:
+  ```bash
+  cyclonedx-cli validate --input-file sbom-cyclonedx.json
+  spdx-tool verify sbom-spdx.json
+  ```
+  (Note: this needs third-party tools to be installed.)
diff --git a/compliance/requirements-full.txt b/compliance/requirements-full.txt
@@ -0,0 +1,168 @@
+abilian-devtools==0.7.4
+alembic==1.14.0
+argcomplete==3.5.1
+arrow==1.3.0
+asttokens==2.4.1
+attrs==24.2.0
+bandit==1.8.0
+beartype==0.19.0
+binaryornot==0.4.4
+black==24.10.0
+blinker==1.9.0
+boolean-py==4.0
+cachecontrol==0.14.1
+cachetools==5.5.0
+certifi==2024.8.30
+cfgv==3.4.0
+chardet==5.2.0
+charset-normalizer==3.4.0
+cleez==0.1.13
+click==8.1.7
+cognitive-complexity==1.3.0
+colorlog==6.9.0
+coverage==7.6.8
+cyclonedx-bom==4.6.1
+cyclonedx-python-lib==7.6.2
+defusedxml==0.7.1
+deptry==0.21.1
+devtools==0.12.2
+distlib==0.3.9
+dlint==0.16.0
+docformatter==1.7.5
+durationpy==0.9
+execnet==2.1.1
+executing==2.1.0
+filelock==3.16.1
+flake8==7.1.1
+flake8-assertive==2.1.0
+flake8-bandit==4.1.1
+flake8-breakpoint==1.1.0
+flake8-cognitive-complexity==0.1.0
+flake8-datetimez==20.10.0
+flake8-ecocode==0.1.3
+flake8-functions==0.0.8
+flake8-if-expr==1.0.4
+flake8-isort==6.1.1
+flake8-logging-format==2024.24.12
+flake8-mutable==1.2.0
+flake8-no-pep420==2.8.0
+flake8-pep3101==2.1.0
+flake8-pep585==0.1.7
+flake8-pep604==1.1.0
+flake8-plugin-utils==1.3.3
+flake8-pytest==1.4
+flake8-pytest-style==2.0.0
+flake8-super==0.1.3
+flake8-super-call==1.0.0
+flake8-tidy-imports==4.11.0
+flake8-tuple==0.4.1
+flasgger==0.9.7.1
+flask==3.1.0
+flask-sqlalchemy==3.1.1
+fqdn==1.5.1
+git-cliff==2.7.0
+google-auth==2.36.0
+gurobipy==12.0.0
+html5lib==1.1
+identify==2.6.3
+idna==3.10
+iniconfig==2.0.0
+invoke==2.2.0
+isoduration==20.11.0
+isort==5.13.2
+itsdangerous==2.2.0
+jinja2==3.1.4
+jsonpointer==3.0.0
+jsonschema==4.23.0
+jsonschema-specifications==2024.10.1
+kubernetes==31.0.0
+lbom==0.6
+lib4package==0.2.0
+lib4sbom==0.7.5
+license-expression==30.4.0
+lxml==5.3.0
+mako==1.3.6
+markdown-it-py==3.0.0
+markupsafe==3.0.2
+mccabe==0.7.0
+mdurl==0.1.2
+mistune==3.0.2
+mr-proper==0.0.7
+msgpack==1.1.0
+mypy==1.13.0
+mypy-extensions==1.0.0
+nodeenv==1.9.1
+nox==2024.10.9
+oauthlib==3.2.2
+packageurl-python==0.16.0
+packaging==24.2
+pathspec==0.12.1
+pbr==6.1.0
+pip==24.3.1
+pip-api==0.0.34
+pip-audit==2.7.3
+pip-requirements-parser==32.0.1
+platformdirs==4.3.6
+pluggy==1.5.0
+pre-commit==4.0.1
+profilehooks==1.13.0
+psycopg2-binary==2.9.10
+py-serializable==1.1.2
+pyasn1==0.6.1
+pyasn1-modules==0.4.1
+pycodestyle==2.12.1
+pyflakes==3.2.0
+pygments==2.18.0
+pyparsing==3.2.0
+pyright==1.1.389
+pytest==8.3.3
+pytest-archon==0.0.6
+pytest-beartype==0.2.0
+pytest-cov==6.0.0
+pytest-random-order==1.1.1
+pytest-xdist==3.6.1
+python-dateutil==2.9.0.post0
+python-debian==0.1.49
+python-dotenv==1.0.1
+python-magic==0.4.27
+pyyaml==6.0.2
+referencing==0.35.1
+requests==2.32.3
+requests-oauthlib==2.0.0
+requirements-parser==0.11.0
+reuse==5.0.2
+rfc3339-validator==0.1.4
+rfc3987==1.3.8
+rich==13.9.4
+rpds-py==0.21.0
+rsa==4.9
+ruff==0.8.0
+sbom2dot==0.3.1
+sbom4files==0.4.4
+sbom4python==0.11.3
+semantic-version==2.10.0
+setuptools==75.6.0
+six==1.16.0
+smo==0.1.0
+sortedcontainers==2.4.0
+sqlalchemy==2.0.36
+stdlib-list==0.11.0
+stevedore==5.4.0
+termcolor==2.5.0
+toml==0.10.2
+tomlkit==0.13.2
+typeguard==4.4.1
+types-python-dateutil==2.9.0.20241003
+types-pyyaml==6.0.12.20240917
+types-requests==2.32.0.20241016
+types-setuptools==75.6.0.20241126
+typing-extensions==4.12.2
+untokenize==0.1.1
+uri-template==1.3.0
+urllib3==2.2.3
+virtualenv==20.28.0
+vulture==2.13
+webcolors==24.11.1
+webencodings==0.5.1
+websocket-client==1.8.0
+werkzeug==3.1.3
diff --git a/compliance/requirements-prod.txt b/compliance/requirements-prod.txt
@@ -6,6 +6,7 @@ cachetools==5.5.0
 certifi==2024.8.30
 charset-normalizer==3.4.0
 click==8.1.7
+defusedxml==0.7.1
 devtools==0.12.2
 durationpy==0.9
 executing==2.1.0
@@ -20,6 +21,8 @@ jinja2==3.1.4
 jsonschema==4.23.0
 jsonschema-specifications==2024.10.1
 kubernetes==31.0.0
+lib4package==0.2.0
+lib4sbom==0.7.5
 mako==1.3.6
 markupsafe==3.0.2
 mistune==3.0.2
@@ -31,12 +34,17 @@ pyasn1-modules==0.4.1
 pygments==2.18.0
 python-dateutil==2.9.0.post0
 python-dotenv==1.0.1
+python-magic==0.4.27
 pyyaml==6.0.2
 referencing==0.35.1
 requests==2.32.3
 requests-oauthlib==2.0.0
 rpds-py==0.21.0
 rsa==4.9
+sbom2dot==0.3.1
+sbom4files==0.4.4
+sbom4python==0.11.3
+semantic-version==2.10.0
 six==1.16.0
 smo==0.1.0
 sqlalchemy==2.0.36