When creating a Software Bill of Materials (SBOM) for your Python application, one of the best tools to use is Syft.
Recommended Tool: Syft
Syft is a CLI tool and Go library for generating Software Bill of Materials (SBOM) from container images and filesystems. Our Timesys embedded experts tested Syft within a Python ecosystem to determine how well Syft held up in producing a well-rounded SBOM.
In our testing, the CycloneDX 1.4 SBOM generated by Syft was the most well-formed SBOM we found.
- In our testing, Syft correctly identified and reported the expected packages
- Virtual environments can be scanned for packages, in addition to specifying a requirements.txt file
- Syft is able to identify licenses for packages when creating an SBOM from a project source or directory scan
- Syft SBOMs contain CPE and PURL data to improve the accuracy of vulnerability identification
- Correctly identifies and reports all the packages from pip requirements.txt files.
- Can scan and report all Python packages installed in a Python virtual environment by passing the related directory.
- Accurately reports Python package versions in both types of scan (requirements.txt and source/directory scan).
- Reports licenses for most of the packages from a project source/directory scan.
- SBOM contains CPE and PURL data.
Python package fields reported in a CycloneDX SBOM (source/directory scan with JSON output file format)
At the time of this evaluation, Syft did not generate an NTIA-compliant SBOM. Below are the fields required for NTIA compliance that were missing from a CycloneDX source/directory scan with JSON-format SBOM.
- Dependency relationships
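A quick way to confirm this finding on your own output is to check the CycloneDX JSON for the NTIA minimum elements. The following Python script is an added example, not code from this post or from the Syft project; the embedded SBOM is a constructed, abbreviated stand-in shaped like Syft's cyclonedx-json output (the `supplier` gap on the second component is deliberately constructed to exercise the check), not real tool output.

```python
"""Report NTIA minimum-element gaps in a CycloneDX 1.4 JSON SBOM."""
import json

# Constructed sample in the shape of Syft's `-o cyclonedx-json` output:
# components carry purl/cpe and licenses, but no top-level "dependencies".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2023-01-01T00:00:00Z",
        "tools": [{"vendor": "anchore", "name": "syft", "version": "0.75.0"}],
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.2",
         "supplier": {"name": "example-supplier (constructed)"},
         "purl": "pkg:pypi/requests@2.28.2",
         "cpe": "cpe:2.3:a:python-requests:requests:2.28.2:*:*:*:*:*:*:*",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # constructed gap: no supplier on this component
        {"type": "library", "name": "urllib3", "version": "1.26.14",
         "purl": "pkg:pypi/urllib3@1.26.14"},
    ],
})


def ntia_gaps(sbom_json: str) -> dict:
    """Return missing NTIA minimum elements: document-level fields in
    "document", and per-component missing fields keyed by component name."""
    bom = json.loads(sbom_json)
    gaps = {"document": [], "components": {}}
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps["document"].append("timestamp")
    if not meta.get("tools") and not meta.get("authors"):
        gaps["document"].append("author")
    # Dependency relationships: the element the post found missing from Syft output
    if not bom.get("dependencies"):
        gaps["document"].append("dependencies")
    for comp in bom.get("components", []):
        missing = [f for f in ("name", "version", "supplier") if not comp.get(f)]
        # NTIA "other unique identifiers": a PURL or CPE satisfies this
        if not (comp.get("purl") or comp.get("cpe")):
            missing.append("identifier")
        if missing:
            gaps["components"][comp.get("name", "?")] = missing
    return gaps


if __name__ == "__main__":
    print(json.dumps(ntia_gaps(SAMPLE_SBOM), indent=2))
```

To check a real Syft SBOM, read the file's contents and pass them to `ntia_gaps` in place of the constructed sample.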
Syft generates valid SBOMs for the below industry standard SBOM formats, versions, and file formats.
| Supported SBOM formats | Versions | File formats |
|---|---|---|
| SPDX | 2.2, 2.3 | JSON, tag-value |
Ease of use
- Adequate documentation is available on GitHub to set up and use the tool.
- Short setup time: Syft binaries can be downloaded directly from GitHub for Windows and Linux operating systems.
- Quick SBOM generation time: from less than a minute to a few minutes.
- Active community support: of the tools evaluated, Syft is the most popular (4.7k* stars, 432* forks, and 150* releases on GitHub) and is in active development.
* at the time of writing this blog
Besides Python, Syft supports multiple ecosystems; see the Syft project documentation for the complete list. It can perform both directory scans and Python requirements.txt scans.
The following SBOM generation tools performed better than Syft for the listed use cases:
- cyclonedx-python: identifying Python package licenses
- Microsoft's sbom-tool: the largest number of package fields in the SBOM
Though Syft supports both SPDX and CycloneDX SBOM formats and can perform directory and requirements.txt scans, it performs better with a directory scan and CycloneDX output:
- Python packages installed as dependencies of the requirements.txt packages are also included in the SBOM
- Package licenses are reported, which the requirements.txt scan omits
- Syft (version – 0.75.0)
- cyclonedx-python (version – 11.0)
- cdxgen (version – 2.0)
- sbom-tool (version – 0.3.3)
- Syft – https://github.com/anchore/Syft
- Cyclonedx-python – https://github.com/CycloneDX/cyclonedx-python
- cdxgen – https://github.com/CycloneDX/cdxgen
- Sbom-tool – https://github.com/microsoft/sbom-tool