Add Software Bill-of-Materials (SBOM) documents and user guide to python.org/downloads #2339
Description
As a part of python/cpython#112302, the Software Bill-of-Materials documents should be downloadable per-artifact on python.org/downloads
- One format for now, we can add the other if someone asks. Scanners should all support both formats.
- Create a new column for each artifact
- Naming according to OpenSSF guide on SBOM naming (ie
<artifact-name>.spdx.jsonor<artifact-name>.cdx.json)
- Naming according to OpenSSF guide on SBOM naming (ie
- User documentation on how to get SBOM documents for their corresponding Python release.
- Third-party distributions should provide their own SBOMs, potentially using ours as a base.
- User documentation on how to use a scanner with our SBOM to detect vulnerabilities in their version of Python (ie, with our OSV vuln data and CVE vuln data)
- User documentation on how to use VEX to avoid false-positives and get up-to-date vulnerability remediation information.
- We only need one VEX document per Python release since we can reference dependencies within different SBOMs from a single VEX document (although we'll need to duplicate statements to do this? But I don't see another way right now). The VEX document can live in the PSF Advisory Database.