This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
I've started dipping my toes into creating an authoritative SBOM for the CPython project; you can follow along in this GitHub repository if you are interested. This project is very early, and this will not be the final product or the place where this information is published. It is only a place to experiment and get feedback on the approach and outputs before putting the final infrastructure in place.
I started with the most straightforward release artifact, the source tarball, and am planning to tackle the binary installers later since they'll require more research into the release processes. There is a work-in-progress SBOM file available in the sboms/ directory on the repository.
I've also included an SBOM for CPython 3.11.0, which can be used to see whether vulnerability scanning tools are capable of consuming the resulting SBOM and flagging subcomponents for vulnerabilities. I used Grype as an example for this, and indeed it was able to consume the SBOM and flag the known vulnerabilities:
```
$ grype sbom:sboms/Python-3.11.0.tgz.spdx.json
 ✔ Vulnerability DB             [updated]
 ✔ Scanned for vulnerabilities  [9 vulnerability matches]
   ├── by severity: 0 critical, 6 high, 3 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 9 not-fixed, 0 ignored
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
CPython  3.11.0                     CVE-2023-41105  High
CPython  3.11.0                     CVE-2023-36632  High
CPython  3.11.0                     CVE-2023-24329  High
CPython  3.11.0                     CVE-2022-45061  High
CPython  3.11.0                     CVE-2023-40217  Medium
CPython  3.11.0                     CVE-2023-27043  Medium
CPython  3.11.0                     CVE-2007-4559   Medium
expat    2.4.7                      CVE-2022-43680  High
expat    2.4.7                      CVE-2022-40674  High
```
The tool was able to see not only vulnerabilities in CPython but also in the expat subcomponent. Without an SBOM, the expat subcomponent wouldn't be detected by current versions of Grype. Running Grype on the CPython 3.11.5 SBOM results in zero known vulnerabilities. 🥳
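Whether a scanner can flag a subcomponent like expat depends on the SBOM carrying a version and a purl or CPE for each package and a CONTAINS relationship linking it to CPython. The script below is an added example (not code from the repository) that walks a constructed SPDX 2.3 JSON document shaped like the sboms/ files, lists the subcomponents of the root package, and reports packages a scanner could not match; the package names, SPDX IDs and locators in the sample are made up for illustration.

```python
import json

# Constructed sample in the shape of an SPDX 2.3 JSON SBOM (not the repository's file):
# CPython 3.11.0 bundling expat 2.4.7, plus one package deliberately left without identifiers.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "Python-3.11.0.tgz",
    "packages": [
        {"SPDXID": "SPDXRef-cpython", "name": "CPython", "versionInfo": "3.11.0",
         "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                           "referenceLocator": "cpe:2.3:a:python:python:3.11.0:*:*:*:*:*:*:*"}]},
        {"SPDXID": "SPDXRef-expat", "name": "expat", "versionInfo": "2.4.7",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/expat@2.4.7"}]},
        {"SPDXID": "SPDXRef-mystery", "name": "mystery-lib"},  # no version, no purl/CPE
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-cpython"},
        {"spdxElementId": "SPDXRef-cpython", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-expat"},
        {"spdxElementId": "SPDXRef-cpython", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-mystery"},
    ],
})

def load_components(sbom_json):
    """Return {SPDXID: {name, version, ids, contains}} for every package in the document."""
    doc = json.loads(sbom_json)
    comps = {}
    for pkg in doc.get("packages", []):
        # Only purl and CPE locators are what vulnerability scanners match against.
        ids = [ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
               if ref.get("referenceType") in ("purl", "cpe23Type")]
        comps[pkg["SPDXID"]] = {"name": pkg["name"], "version": pkg.get("versionInfo"),
                                "ids": ids, "contains": []}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "CONTAINS" and rel["spdxElementId"] in comps:
            comps[rel["spdxElementId"]]["contains"].append(rel["relatedSpdxElement"])
    return comps

def unmatchable(comps):
    """Names of packages a scanner cannot match: missing a version or a purl/CPE."""
    return sorted(c["name"] for c in comps.values() if not c["version"] or not c["ids"])

def subcomponents(comps, root_id):
    """Transitively collect (name, version) of everything the root package CONTAINS."""
    out, stack, seen = [], list(comps[root_id]["contains"]), set()
    while stack:
        sid = stack.pop()
        if sid in seen:
            continue
        seen.add(sid)
        out.append((comps[sid]["name"], comps[sid]["version"]))
        stack.extend(comps[sid]["contains"])
    return sorted(out, key=lambda t: t[0])
```

Running `subcomponents(load_components(SAMPLE_SBOM), "SPDXRef-cpython")` surfaces expat as a subcomponent, and `unmatchable` flags the package no scanner could resolve.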
```
$ grype sbom:sboms/Python-3.11.5.tgz.spdx.json
 ✔ Vulnerability DB             [no update available]
 ✔ Scanned for vulnerabilities  [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
```
Now all CPython releases that have Sigstore verification materials have bundles (.sigstore files) instead of the "disjoint verification materials". These new bundles have been back-filled from existing verification materials using the Python Sigstore client. Thanks to Łukasz Langa for verifying the new bundles and publishing them to python.org.
Now that all releases have bundles available, I've also updated the Sigstore verification instructions on python.org to only reference bundles:
```
$ python -m sigstore verify identity \
    --bundle Python-3.11.0.tgz.sigstore \
    --cert-identity firstname.lastname@example.org \
    --cert-oidc-issuer https://accounts.google.com \
    Python-3.11.0.tgz
```
Having bundles means one fewer file to download to verify a signature, and verification doesn't need to query the transparency log, relying instead on the log entry embedded within the bundle.
pip has merged the pull request to bundle Truststore into pip, so it's no longer required to "bootstrap" Truststore in order to have support for using system certificates. This feature will be coming in pip v23.3.
I spent some time developing a small GitHub App that would add the PSRT GitHub team to all newly created GitHub Security Advisories and have something that works in theory.
Unfortunately, there's currently no way to get webhook events for the creation of draft GitHub Security Advisories; you can only get a webhook for when security reports are filed. This means that anyone with access to GitHub Security Advisories (i.e. organization or repository admins) wouldn't trigger the GitHub App action to add the PSRT team.
Since I've just passed 3 months in this role (time sure does fly!), I am drafting a summarized update of my work in 2023 Q3 that will be published to the Python Software Foundation blog. Subscribe to the blog via RSS or another social media platform to get notified.