Making WordPress.org

Opened 8 weeks ago

#8136 new enhancement

SBOM - Software Bill of Materials to automate license validation and vulnerability/security notifications

Reported by: kkmuffme
Owned by:
Milestone:
Priority: normal
Component: Theme Review
Keywords:
Cc:

Description

There are some ongoing initiatives about software requiring a SBOM - a list of included/bundled 3rd party code.
If/how/when this applies to open-source is unclear, however I think this is an initiative that would actually make reviewing plugins and themes for the directory easier.
Additionally, this would also contribute to WP security, since notifying plugins/themes that contain 3rd party code with vulnerabilities would be much easier/faster/automated, since it's structured data.

There are tools available that automatically create these (e.g. https://github.com/CycloneDX/cyclonedx-php-composer) and they have an essentially standardized format https://cyclonedx.org/docs/1.7/json/
e.g. https://github.com/CycloneDX/bom-examples/blob/master/SBOM/protonmail-webclient-v4-0912dff/bom.json
Additionally, there are tools for both composer and npm to warn/restrict to specific licenses in the first place, to ensure people won't accidentally end up using a non-compatible license.

I am not familiar with the current plugin/theme review process and only found a seemingly old link https://make.wordpress.org/themes/handbook/get-involved/onboarding-for-new-reviewers/licensing-both-easy-and-difficult/ which stresses this and makes it look like checking licenses is a manual process?
Which obviously will result in an oversight from time to time e.g. https://wordpress.org/plugins/woocommerce-paypal-payments/ is released as GPLv2 but includes Apache 2.0 licensed JS which is incompatible with GPLv2 (needs GPLv3)

Is this something you think would make sense?
How would you go about implementing it?

I think there are 2 parts:
1) at least documentation on how to create the SBOM using existing tools (composer, npm,...) at "worst" a plugin (or WP CLI command?) that creates the SBOM for a plugin (similar to the wp cli i18n commands?)

2) integration in the theme review process to automatically validate the readme.txt/plugin License: header against the bom.json provided
(in the best case: automatically/CI using the WP CLI command of 1) to generate the SBOM upon submission of the plugin)
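The second part of the proposal, validating the plugin's `License:` header against a CycloneDX `bom.json`, can be sketched as a small script. The following is an added example, not code from the ticket or from any WordPress.org tooling; the readme fragment and the BOM are constructed inputs, the header-to-SPDX mapping covers only the common GPL spellings, and the compatibility table is a simplified assumption based on the FSF's list of GPL-compatible licenses rather than an authoritative source.

```python
"""Check a WordPress plugin's declared License: header against the
licenses of the components listed in a CycloneDX bom.json (added example)."""
import json
import re

# Constructed readme.txt fragment for a fictional plugin.
SAMPLE_README = """=== Example Plugin ===
Contributors: example
Requires at least: 6.0
License: GPLv2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
"""

# Constructed CycloneDX 1.x-style BOM; only the fields this check reads.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example/php-lib", "version": "1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-js-widget", "version": "4.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example/dual", "version": "2.0.0",
         "licenses": [{"expression": "MIT OR BSD-3-Clause"}]},
        {"type": "library", "name": "example/unlicensed", "version": "0.1.0"},
    ],
})

# Free-text WordPress header values mapped to SPDX identifiers
# (assumption: only the common GPL spellings are handled).
HEADER_TO_SPDX = {
    "gplv2 or later": "GPL-2.0-or-later",
    "gplv2": "GPL-2.0-only",
    "gplv3 or later": "GPL-3.0-or-later",
    "gplv3": "GPL-3.0-only",
}

# Simplified compatibility table (an assumption for this example, following
# the FSF's GPL-compatible license list): which component licenses may be
# bundled into a work distributed under the declared license.
_PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
COMPATIBLE_WITH = {
    "GPL-2.0-only": _PERMISSIVE | {"LGPL-2.1-only", "LGPL-2.1-or-later",
                                   "GPL-2.0-only", "GPL-2.0-or-later"},
    "GPL-3.0-only": _PERMISSIVE | {"Apache-2.0", "LGPL-2.1-or-later",
                                   "LGPL-3.0-only", "LGPL-3.0-or-later",
                                   "GPL-2.0-or-later", "GPL-3.0-only",
                                   "GPL-3.0-or-later"},
}
# "or later" lets the combined work be distributed under v3, so v3's set applies too.
COMPATIBLE_WITH["GPL-2.0-or-later"] = (COMPATIBLE_WITH["GPL-2.0-only"]
                                       | COMPATIBLE_WITH["GPL-3.0-only"])
COMPATIBLE_WITH["GPL-3.0-or-later"] = COMPATIBLE_WITH["GPL-3.0-only"]

_EXPR_NOISE = {"AND", "OR", "WITH"}


def declared_license(readme_text):
    """Return the SPDX id for the readme.txt 'License:' header, or None."""
    m = re.search(r"^License:\s*(.+?)\s*$", readme_text, re.MULTILINE)
    if not m:
        return None
    return HEADER_TO_SPDX.get(m.group(1).lower())


def component_licenses(bom_json):
    """Yield (name, [license ids]) for every component in a CycloneDX BOM.

    Handles the 'license.id', 'license.name' and 'expression' forms. SPDX
    expressions are not parsed properly: every license named in one is
    listed, which is the conservative choice for a compliance check.
    """
    bom = json.loads(bom_json)
    for comp in bom.get("components", []):
        ids = []
        for entry in comp.get("licenses", []):
            if "license" in entry:
                lic = entry["license"]
                ids.append(lic.get("id") or lic.get("name"))
            elif "expression" in entry:
                tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
                ids.extend(t for t in tokens if t not in _EXPR_NOISE)
        yield comp.get("name", "?"), [i for i in ids if i]


def check_bom(readme_text, bom_json):
    """Compare the declared license with each component's licenses."""
    declared = declared_license(readme_text)
    allowed = COMPATIBLE_WITH.get(declared, set())
    report = {"declared": declared, "incompatible": [], "unknown": []}
    for name, ids in component_licenses(bom_json):
        if not ids:
            report["unknown"].append(name)  # no license data: needs a manual look
            continue
        for lic in ids:
            if lic not in allowed:
                report["incompatible"].append((name, lic))
    return report


if __name__ == "__main__":
    print(json.dumps(check_bom(SAMPLE_README, SAMPLE_BOM), indent=2))
```

Run against the sample inputs, the check flags the Apache-2.0 JavaScript component as incompatible with a plain `GPLv2` header and lists the component without license data for manual review; changing the header to `GPLv2 or later` clears the Apache-2.0 finding. Components with no license entry are reported separately rather than silently passed, since an SBOM generator that could not determine a license is exactly the case a reviewer wants surfaced.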

Change History (0)
