
Conversation

@svenseeberg
Member

@svenseeberg svenseeberg commented Nov 3, 2025

Short description

Use Syft for generating SBOM. Syft can also fetch license information for used Python packages.

Proposed changes

  • Replace sbom-tool with syft.

Side effects

  • We need to test the pipeline again.

Faithfulness to issue description and design

🚀

How to test

Run the pipeline ... or the commands below in your shell.

curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
export SYFT_SOURCE_VERSION=$(python3 -c "import integreat_cms; print(integreat_cms.__version__)")
export SYFT_SOURCE_NAME="integreat-cms"
export SYFT_FORMAT_SPDX_JSON_PRETTY=true
syft scan . -o spdx-json=integreat_cms/_manifest/spdx_2.2/manifest.spdx.json

Pull Request Review Guidelines

@svenseeberg svenseeberg force-pushed the feat/sbom-with-syft branch 2 times, most recently from 75cdeed to 19e9f65 Compare November 3, 2025 13:56
Contributor

@JoeyStk JoeyStk left a comment


Thank you very much!
I think we have to refactor the overview of open-source packages after this PR, but I think it's great that it contains the actual license :)

We're currently in merge freeze. I'd suggest merging this by the end of the week :)

@svenseeberg svenseeberg force-pushed the feat/sbom-with-syft branch 2 times, most recently from b8f10c4 to b1a13cf Compare November 6, 2025 08:20
Contributor

@PeterNerlich PeterNerlich left a comment


I'm not sure how comfortable I am with merging this. Yes, this is "just" the SBOM for our project and no load-bearing functionality for the project itself. But it will run in our pipeline for every release and every commit/push on develop. I'd rather like to understand it a little more.

When running syft locally – whether I have the venv activated or not – I get a different structure of the json manifest (1.33.0-1 installed via pacman, though syft --version reports [not provided], which I hope is not critical, the behaviour should be the same). I made sure to have a cleanly installed virtual environment.

Also, I'm astounded by your version referencing packages for a venv with python3.13:

-   "sourceInfo": "acquired package info from installed python package manifest file: /.venv/lib/python3.13/site-packages/aiosignal-1.4.0.dist-info/METADATA, /.venv/lib/python3.13/site-packages/aiosignal-1.4.0.dist-info/RECORD, /.venv/lib/python3.13/site-packages/aiosignal-1.4.0.dist-info/top_level.txt",
+   "sourceInfo": "acquired package info from installed python package manifest file: /.venv/lib/python3.11/site-packages/aiosignal-1.3.1.dist-info/METADATA, /.venv/lib/python3.11/site-packages/aiosignal-1.3.1.dist-info/RECORD, /.venv/lib/python3.11/site-packages/aiosignal-1.3.1.dist-info/top_level.txt",
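Review bot: the sourceInfo strings in the committed manifest embed the absolute site-packages paths of the machine that generated it (/.venv/lib/python3.13/... with aiosignal 1.4.0 on the author's side, /.venv/lib/python3.11/... with aiosignal 1.3.1 on the reviewer's), so the checked-in SBOM is a snapshot of one developer's virtual environment rather than of the pinned requirements, and it will differ for every contributor who regenerates it; generating the file in the same CI environment that builds the release, or at least recording which interpreter produced it, would make the committed SBOM reproducible and comparable.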
Meanwhile I fail to install all dependencies when specifying python3.13
[…]
INFO: pip is looking at multiple versions of integreat-cms[dev-pinned,pinned] to determine which version is compatible with other requirements. This could take a while.
ERROR: Ignored the following versions that require a different python version: 1.3.4 Requires-Python >=3.7,<3.11; 1.3.5 Requires-Python >=3.7,<3.11; 1.3.5.dev4 Requires-Python >=3.7,<3.11; 1.3.6 Requires-Python >=3.7,<3.12; 1.3.6.dev1 Requires-Python >=3.7,<3.12; 1.3.7 Requires-Python >=3.7,<3.12; 1.4.0 Requires-Python >=3.7,<3.12; 1.4.0.dev0 Requires-Python >=3.7,<3.12; 1.4.0a0 Requires-Python >=3.7,<3.12; 1.4.0a1 Requires-Python >=3.7,<3.12; 1.4.0b0 Requires-Python >=3.7,<3.12; 1.4.0b1 Requires-Python >=3.7,<3.12; 1.4.1 Requires-Python >=3.7,<3.12; 1.4.2 Requires-Python >=3.7,<3.12; 1.4.3 Requires-Python >=3.7,<3.12; 1.4.3b0 Requires-Python >=3.7,<3.12; 1.4.3b1 Requires-Python >=3.7,<3.12; 1.4.4 Requires-Python >=3.7,<3.12; 1.4.5 Requires-Python >=3.7,<3.12; 2.0.0a0 Requires-Python >=3.7,<3.12; 2.0.0a1 Requires-Python >=3.7,<3.12; 2.0.0a3 Requires-Python >=3.7,<3.12; 2.0.0b0 Requires-Python >=3.7,<3.12
ERROR: Could not find a version that satisfies the requirement pytest-testmon==1.4.5; extra == "dev-pinned" (from integreat-cms[dev-pinned,pinned]) (from versions: 0.4.9, 0.5, 0.6, 0.7, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.18, 0.9.19, 1.0.0a1, 1.0.0a2, 1.0.0a3, 1.0.0a4, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0rc0, 1.3.0rc2, 1.3.0rc3, 1.3.0, 1.3.1, 1.3.3, 2.0.0b1, 2.0.0b2, 2.0.0, 2.0.1, 2.0.2, 2.0.5, 2.0.6, 2.0.7b1, 2.0.7b3, 2.0.7, 2.0.8, 2.0.9, 2.0.10.dev0, 2.0.11, 2.0.12, 2.0.13, 2.0.14.dev0, 2.0.14, 2.0.15, 2.1.0.dev2, 2.1.0, 2.1.1.dev0, 2.1.1, 2.1.3, 2.1.4)

[notice] A new release of pip is available: 25.2 -> 25.3
[notice] To update, run: pip install --upgrade pip
ERROR: No matching distribution found for pytest-testmon==1.4.5; extra == "dev-pinned"

I'm attaching the full diff I get here: syft.patch

@svenseeberg
Member Author

svenseeberg commented Nov 11, 2025

When running syft locally – whether I have the venv activated or not – I get a different structure of the json manifest

Interesting, I don't. Except for timestamps and metadata:

% export SYFT_SOURCE_VERSION=$(python3 -c "import integreat_cms; print(integreat_cms.__version__)")
% export SYFT_SOURCE_NAME="integreat-cms"
% export SYFT_FORMAT_SPDX_JSON_PRETTY=true
% deactivate
% source .venv/bin/activate
% syft scan . -o spdx-json=integreat_cms/_manifest/spdx_2.2/manifest.spdx.json
 ✔ Indexed file system                                                                                                                            . 
 ✔ Cataloged contents                                                              7c1513eb534c4236b76855e7ced686e1914d87b4192014385568c8496ac0ed39 
   ├── ✔ Packages                        [186 packages]  
   ├── ✔ Executables                     [78 executables]  
   ├── ✔ File metadata                   [2,752 locations]  
   └── ✔ File digests                    [2,752 files]  
syft scan . -o spdx-json=integreat_cms/_manifest/spdx_2.2/manifest.spdx.json  8,75s user 1,15s system 166% cpu 5,960 total
% deactivate 
% syft scan . -o spdx-json=integreat_cms/_manifest/spdx_2.2/manifest.spdx.json2
 ✔ Indexed file system                                                                                                                            . 
 ✔ Cataloged contents                                                              7c1513eb534c4236b76855e7ced686e1914d87b4192014385568c8496ac0ed39 
   ├── ✔ Packages                        [186 packages]  
   ├── ✔ Executables                     [78 executables]  
   ├── ✔ File metadata                   [2,752 locations]  
   └── ✔ File digests                    [2,752 files]  
syft scan . -o spdx-json=integreat_cms/_manifest/spdx_2.2/manifest.spdx.json2  9,12s user 1,22s system 166% cpu 6,220 total
% diff integreat_cms/_manifest/spdx_2.2/manifest.spdx.json integreat_cms/_manifest/spdx_2.2/manifest.spdx.json2 
6c6
<  "documentNamespace": "https://anchore.com/syft/dir/integreat-cms-52844a02-659e-412c-9914-91bdb2a4c896",
---
>  "documentNamespace": "https://anchore.com/syft/dir/integreat-cms-c3fe478c-722a-464f-9b42-dc53564c7ecf",
13c13
<   "created": "2025-11-11T14:50:39Z"
---
>   "created": "2025-11-11T14:50:53Z"
15349c15349
<     "packageVerificationCodeValue": "870f75b8882b21ccc0c716b2dded846f96d5d577"
---
>     "packageVerificationCodeValue": "bbb7a7e5be1da5a4dcf7d2af3748b6188638c74a"
36493c36493
<     "OTHER"
---
>     "APPLICATION"
36498c36498,36502
<      "checksumValue": "0000000000000000000000000000000000000000"
---
>      "checksumValue": "fc754dbc87b8f29718289dfb5429f20e781e6610"
>     },
>     {
>      "algorithm": "SHA256",
>      "checksumValue": "0355067fa20965f5b35b74c54a54c21b5737b9140080af7cdc29e3615fcb82f2"

Also, I'm astounded by your version referencing packages for a venv with python3.13:

I've been developing on 3.13 since I opened #3837 in August.

Meanwhile I fail to install all dependencies when specifying python3.13

In the end I suppose that's a question for #3837, right? ^^
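The comparison above finds only run-specific fields changing between two scans of the same tree. As an added example (not code from the PR or the integreat-cms project), this normaliser strips exactly those fields from syft's spdx-json output and reports the remaining differences; the two sample documents are constructed, not real syft output.

```python
import copy
import json


def normalize_spdx(doc):
    """Copy an SPDX 2.2 JSON document with the fields syft regenerates on every run
    removed: the UUID-suffixed documentNamespace, creationInfo.created and each
    package's packageVerificationCode (the fields the diff above shows changing)."""
    doc = copy.deepcopy(doc)
    doc.pop("documentNamespace", None)
    doc.get("creationInfo", {}).pop("created", None)
    for package in doc.get("packages", []):
        package.pop("packageVerificationCode", None)
    return doc


def json_diff(a, b, path=""):
    """Return the JSON paths at which two values differ (lists compared element-wise
    when equally long, otherwise reported as one differing path)."""
    if isinstance(a, dict) and isinstance(b, dict):
        return [p for key in sorted(set(a) | set(b))
                for p in json_diff(a.get(key), b.get(key), f"{path}/{key}")]
    if isinstance(a, list) and isinstance(b, list) and len(a) == len(b):
        return [p for i, (x, y) in enumerate(zip(a, b))
                for p in json_diff(x, y, f"{path}/{i}")]
    return [] if a == b else [path or "/"]


def sbom_differences(raw_a, raw_b):
    """Compare two syft spdx-json outputs, ignoring run-to-run noise."""
    return json_diff(normalize_spdx(json.loads(raw_a)), normalize_spdx(json.loads(raw_b)))


# Constructed sample documents (assumed shape, not real syft output): RUN_B repeats
# RUN_A with fresh volatile values; RUN_C additionally changes a package purpose,
# mirroring the OTHER/APPLICATION difference seen in the diff above.
RUN_A = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "documentNamespace": "https://anchore.com/syft/dir/integreat-cms-<uuid-1>",
    "creationInfo": {"created": "2025-11-11T14:50:39Z", "creators": ["Tool: syft"]},
    "packages": [{"name": "integreat-cms", "primaryPackagePurpose": "OTHER",
                  "packageVerificationCode": {"packageVerificationCodeValue": "aaa"}}],
})
RUN_B = RUN_A.replace("<uuid-1>", "<uuid-2>").replace("14:50:39Z", "14:50:53Z").replace('"aaa"', '"bbb"')
RUN_C = RUN_B.replace('"OTHER"', '"APPLICATION"')
```

Running sbom_differences(RUN_A, RUN_B) returns an empty list, while RUN_C reports the changed package field; the same function works on two real manifest.spdx.json files read from disk.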

@svenseeberg
Member Author

svenseeberg commented Nov 11, 2025

I'm attaching the full diff I get here: syft.patch

Not really sure what's going on in your env. I see quite a lot of .exe files, which does not look that useful 👾

I'd rather like to understand it a little more.

You can also take a look at the lunes-cms repo, where it is already deployed. The result is included in the latest release: https://pypi.org/project/lunes-cms/2025.11.0/#files

@JoeyStk JoeyStk added this to the Next-up milestone Nov 12, 2025
@svenseeberg svenseeberg force-pushed the feat/sbom-with-syft branch 2 times, most recently from ad114ef to e325d18 Compare November 16, 2025 16:28
@hannaseithe hannaseithe self-assigned this Nov 18, 2025
@hannaseithe
Contributor

Sorry for the potentially naive question, but I don't understand why you commit an SBOM that has been generated locally by you with python3.13, when the environment on CircleCI still uses python 3.11? The SBOM we include in the package is the one generated on CircleCI, correct? Do we need it committed in the repo at all?

@svenseeberg
Member Author

svenseeberg commented Nov 20, 2025

Do we need it committed in the repo at all?

No, having the file in the repo is not strictly necessary. It's mostly a placeholder for development purposes, for example for the license view. Alternatively, it could be generated when executing the run.sh.

I suggest committing it and updating it from time to time, for example when dependencies are bumped.

@JoeyStk
Contributor

JoeyStk commented Nov 20, 2025

One known side effect of this PR is going to be that the page of open source breaks (KeyError). If I can manage, I'll try to add a commit just here; if not, I'll do it in a separate PR (but same release).

@hauf-toni hauf-toni modified the milestones: Next-up, Roadmap T41K Nov 21, 2025
@svenseeberg
Member Author

@hannaseithe and I discussed yesterday that I remove the json file from this PR and we update it later from the latest test.pypi.org release.

@svenseeberg
Member Author

The PR is updated.

@PeterNerlich
Contributor

@hannaseithe and I discussed yesterday that I remove the json file from this PR and we update it later from the latest test.pypi.org release.

Did you also mean to remove the sha256 or is keeping it intentional?

@svenseeberg
Member Author

Did you also mean to remove the sha256 or is keeping it intentional?

Intentional, as it will no longer be generated with Syft.

@svenseeberg
Member Author

svenseeberg commented Nov 23, 2025

One known side effect of this PR is going to be that the page of open source breaks (KeyError). If I can manage, I'll try to add a commit just here; if not, I'll do it in a separate PR (but same release).

Which key is missing?

Contributor

@JoeyStk JoeyStk left a comment


KeyError at /open-source-licenses/ 'externalRefs'

        packages = data["packages"]
        for package in packages:
            package["versionInfo"] = (
                package["versionInfo"] if package["versionInfo"] else "N/A"
            )
            package["url"] = self.create_url_from_reference_locator(
                package["externalRefs"][0]["referenceLocator"]
                    ^^^^^^^^^^^^^^^^^^^^^^^
 …
            )
        return {
            "packages": packages,
        }
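The traceback above comes from indexing externalRefs[0] on a package that has no externalRefs at all. As an added example (not code from the PR or the integreat-cms project), a loader for syft's spdx-json output that builds the rows a license view needs while tolerating that case; url_from_purl is a hypothetical stand-in for create_url_from_reference_locator, and the embedded manifest is constructed.

```python
import json

# Constructed sample in the shape syft writes for spdx-json (not a real manifest):
# one package with a purl external reference, one without any externalRefs at all.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "packages": [
        {"name": "aiosignal", "versionInfo": "1.4.0", "licenseDeclared": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/aiosignal@1.4.0"}]},
        {"name": "integreat-cms", "versionInfo": "", "licenseDeclared": "NOASSERTION"},
    ],
})


def url_from_purl(locator):
    """Map a pkg:pypi/<name>@<version> purl to its PyPI project page; None otherwise."""
    if not locator.startswith("pkg:pypi/"):
        return None
    name = locator[len("pkg:pypi/"):].split("@", 1)[0]
    return f"https://pypi.org/project/{name}/"


def packages_from_spdx(raw_json):
    """Build license-overview rows without assuming every package has externalRefs."""
    data = json.loads(raw_json)
    rows = []
    for package in data.get("packages", []):
        refs = package.get("externalRefs") or []
        # Prefer an explicit purl reference instead of blindly indexing refs[0].
        purl = next((r["referenceLocator"] for r in refs if r.get("referenceType") == "purl"), None)
        license_id = package.get("licenseDeclared") or package.get("licenseConcluded") or "NOASSERTION"
        rows.append({
            "name": package.get("name", "N/A"),
            "versionInfo": package.get("versionInfo") or "N/A",
            "license": license_id,
            "url": url_from_purl(purl) if purl else None,
        })
    return rows
```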

@svenseeberg
Member Author

Thanks, I was just looking 😂 at the same moment. Let me see how we can fix that.

@svenseeberg
Member Author

Still needs a translation, but the problem should be fixed.

Contributor

@JoeyStk JoeyStk left a comment


Thank you very much! This seems to fix the issue for me! 🚀

I think it could be helpful to the second reviewer if we could rebase this branch again, so everything is up to date :)

@hannaseithe
Contributor

hannaseithe commented Nov 25, 2025

@hannaseithe and I discussed yesterday that I remove the json file from this PR and we update it later from the latest test.pypi.org release.

But now the SBOM is still there. Only the hash file is gone. I am confused.

EDIT: Or is it that you want to keep this as a standin for testing purposes, until we overwrite it with the SBOM from the released package?

@svenseeberg
Member Author

EDIT: Or is it that you want to keep this as a standin for testing purposes, until we overwrite it with the SBOM from the released package?

Yes, exactly this. It's already committed to the develop branch. I see no point in removing it temporarily as it breaks the dev setup for the license view.

Contributor

@hannaseithe hannaseithe left a comment


This looks good to me now. Thank you :)

@svenseeberg svenseeberg merged commit 2856953 into develop Dec 1, 2025
5 checks passed
@svenseeberg svenseeberg deleted the feat/sbom-with-syft branch December 1, 2025 09:18