The initial SBOM for vendored dependencies in the CPython source code, along with tooling to ensure the SBOM is kept up to date with changes to dependencies, has been merged (thanks @hugovk for reviews!).
I’ve created several other tracking issues which may be of interest to folks:
- Add Software Bill-of-Materials (SBOM) documents and user guide to python.org/downloads
- Create instructions for how to upgrade dependencies and keep SBOM up-to-date
- Add Software Bill-of-Materials for Windows source dependencies
- Add Vulnerability Exchange (VEX) statements for CPython SBOMs to reference
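As an added example (not CPython's own SBOM tooling, and not code from the post above), here is the kind of check that keeps an SBOM honest as vendored dependencies change: it re-hashes each vendored file and compares the result against the SHA256 recorded in an SPDX 2.3 JSON `files` entry, and also reports any file on disk that the SBOM does not list at all. The SPDX layout used (`files[].fileName`, `files[].checksums[]` with `algorithm`/`checksumValue`) is the standard SPDX JSON shape; whether CPython's SBOM uses exactly this layout is an assumption here, and the `Modules/_vendored/...` paths and file contents are constructed for the demo.

```python
"""Check that SHA-256 checksums recorded in an SPDX 2.3 JSON SBOM still match
the vendored files on disk. Added example; not CPython's own tooling."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large vendored sources do not land in memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_sbom_files(sbom: dict, root: Path) -> list[str]:
    """Compare the SBOM's `files` entries against the tree under `root`.

    Returns a list of problems (empty when the SBOM is in sync): listed files
    that are missing, SHA256 mismatches, entries with no SHA256 checksum, and
    files present on disk that the SBOM does not list.
    """
    problems: list[str] = []
    listed: set[str] = set()
    for entry in sbom.get("files", []):
        rel = entry["fileName"]
        listed.add(rel)
        path = root / rel
        if not path.is_file():
            problems.append(f"{rel}: listed in SBOM but missing on disk")
            continue
        recorded = {
            c["algorithm"]: c["checksumValue"].lower()
            for c in entry.get("checksums", [])
        }
        if "SHA256" not in recorded:
            problems.append(f"{rel}: no SHA256 checksum recorded")
            continue
        actual = sha256_of(path)
        if actual != recorded["SHA256"]:
            problems.append(
                f"{rel}: SHA256 {recorded['SHA256'][:12]}... in SBOM, "
                f"{actual[:12]}... on disk"
            )
    # Anything vendored on disk that the SBOM never mentions is also drift.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in listed:
            problems.append(f"{rel}: on disk but not listed in SBOM")
    return problems


def file_entry(root: Path, rel: str) -> dict:
    """Build an SPDX 2.3-style `files` entry for one vendored file."""
    return {
        "SPDXID": "SPDXRef-FILE-" + rel.replace("/", "-").replace(".", "-"),
        "fileName": rel,
        "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_of(root / rel)}],
    }


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: an in-sync SBOM, then a dependency bump that
    changed one file and added another without regenerating the SBOM."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vendored = root / "Modules" / "_vendored" / "example.c"  # hypothetical path
        vendored.parent.mkdir(parents=True)
        vendored.write_text("/* vendored upstream source, version 1.0 */\n")
        sbom = {
            "spdxVersion": "SPDX-2.3",
            "SPDXID": "SPDXRef-DOCUMENT",
            "files": [file_entry(root, "Modules/_vendored/example.c")],
        }
        sbom_json = json.dumps(sbom)  # what would be committed to the repo
        in_sync = check_sbom_files(json.loads(sbom_json), root)

        # Simulate updating the dependency but forgetting to regenerate the SBOM.
        vendored.write_text("/* vendored upstream source, version 1.1 */\n")
        (vendored.parent / "newfile.c").write_text("/* added in 1.1 */\n")
        drifted = check_sbom_files(json.loads(sbom_json), root)
        return in_sync, drifted


if __name__ == "__main__":
    before, after = demo()
    print("in sync:", before or "no problems")
    print("after dependency bump:", *after, sep="\n  ")
```

Run as a CI step against the checked-in SBOM and the vendored tree, a non-empty result fails the build, which is what turns "keep the SBOM up to date" from a reminder into an enforced invariant.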