AWS inspector documentation change
Summary
Added Swift dependency scanning support and expanded Python scan paths to include user-level installations
Security assessment
Added Swift Package Manager scanning capability and expanded Python path coverage to detect more dependencies. While this improves SBOM completeness (a security control), there's no evidence of addressing a specific vulnerability. The changes enhance security tooling documentation but don't reference patching vulnerabilities.
Diff
diff --git a/inspector/latest/user/sbom-generator-dependency-collection.md b/inspector/latest/user/sbom-generator-dependency-collection.md index 4d30add0e..f0283130b 100644 --- a//inspector/latest/user/sbom-generator-dependency-collection.md +++ b//inspector/latest/user/sbom-generator-dependency-collection.md @@ -7 +7 @@ -Go dependency scanningJava dependency scanningJavaScript dependency scanning.NET dependency scanningPHP dependency scanningPython dependency scanningRuby dependency scanningRust dependency scanningUnsupported artifacts +Go dependency scanningJava dependency scanningJavaScript dependency scanning.NET dependency scanningPHP dependency scanningPython dependency scanningRuby dependency scanningRust dependency scanningSwift dependency scanningUnsupported artifacts @@ -958,0 +959,15 @@ For globally installed Python packages, the Amazon Inspector SBOM Generator supp +###### Expanded default scan paths (Sbomgen 1.13.0 and later) + +In Amazon Inspector SBOM Generator release 1.13.0 and later, the scanner's default localhost scan paths were expanded to include user-level `pip` installs (`pip install --user`) and installs produced by the `uv tool install` command. This enables detection of Python packages that are installed outside system-wide `site-packages`, including frameworks such as CrewAI whose recommended install method is `uv tool install crewai`. + +Added default scan paths: + + * Linux – `/home/*/.local/lib/python*/site-packages/`, `/home/*/.local/share/uv/tools/*/lib/python*/site-packages/` (with `/root/` equivalents for containers running as root). + + * Windows – `%APPDATA%\Python\Python*\Lib\site-packages\`, `%LOCALAPPDATA%\uv\tools\*\Lib\site-packages\`. + + + + +For non-default Python install prefixes on any platform, use the `--path` argument to point the scanner at the install location. + @@ -1182,0 +1198,108 @@ This file produces an output that contains a package URL. This URL can be used t +## Swift dependency scanning + +Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively +---|---|---|---|---|---|---|--- +`Swift` | `Swift Package Manager` | `Package.resolved (v1, v2, and v3)` | N/A | N/A | N/A | N/A | Yes + +### Package.resolved + +The `Package.resolved` file is generated by Swift Package Manager to lock exact versions of dependencies for a Swift project. The Amazon Inspector SBOM Generator parses this file to collect dependency names, versions, and source repository information. Schema versions 1, 2, and 3 of the `Package.resolved` format are supported. + +###### Note + +The Amazon Inspector SBOM Generator does not generate the `Package.resolved` file. If your project does not already contain a `Package.resolved` file, you must generate it before scanning by running `swift package resolve` in your project directory. + +###### Supported artifacts + + * `Package.resolved` (schema version 1) + + * `Package.resolved` (schema version 2) + + * `Package.resolved` (schema version 3) + + + + +###### Key features + + * Extracts dependency names and locked versions from pinned packages + + * Derives the package namespace from the source repository URL (for example, `github.com/Alamofire`) + + * Skips branch-only pins that don't have a resolved version + + * Filters out local source control and file system dependencies + + * Excludes `Package.resolved` files inside `.build/` directories to prevent collecting dependencies from the Swift Package Manager build cache + + + + +###### Note + +The `Package.resolved` file is platform-independent. The Amazon Inspector SBOM Generator discovers this file recursively on Linux, macOS, and Windows. + +###### Example `Package.resolved` file (v2) + +The following is an example of a version 2 `Package.resolved` file. + + + { + "pins" : [ + { + "identity" : "alamofire", + "kind" : "remoteSourceControl", + "location" : "https://github.com/Alamofire/Alamofire.git", + "state" : { + "revision" : "a1b2c3...", + "version" : "5.8.1" + } + }, + { + "identity" : "swift-argument-parser", + "kind" : "remoteSourceControl", + "location" : "https://github.com/apple/swift-argument-parser.git", + "state" : { + "revision" : "d4e5f6...", + "version" : "1.3.0" + } + } + ], + "version" : 2 + } + + +###### Example `Package.resolved` file (v1) + +The following is an example of a version 1 `Package.resolved` file. + + + { + "object": { + "pins": [ + { + "package": "Alamofire", + "repositoryURL": "https://github.com/Alamofire/Alamofire.git", + "state": { + "branch": null, + "revision": "a1b2c3...", + "version": "5.8.1" + } + } + ] + }, + "version": 1 + } + + +###### Example PURL + +The following is an example package URL for a Swift Package Manager dependency. + + + pkg:swift/github.com/Alamofire/[email protected] + +###### Note + +Each of these files produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the [ScanSbom](https://docs.aws.amazon.com/inspector/v2/APIReference/API_inspector-scan_ScanSbom.html) API. For more information, see [package-url](https://github.com/package-url/purl-spec) on the GitHub Website. +