ENH: adopt PEP 770, add SBOM to wheel

.gitattributes

@@ -78,5 +78,6 @@ environment.yml export-ignore
 # exclude the whole directory to avoid running related tests in sdist
 pandas/tests/io/parser/data export-ignore
 
-# Include cibw script in sdist since it's needed for building wheels
+# Include cibw script and the SBOM generator in sdist
 scripts/cibw_before_build.sh -export-ignore
+scripts/generate_sbom.py -export-ignore

.github/workflows/wheels.yml

@@ -145,6 +145,16 @@ jobs:
       - name: Validate wheel RECORD
         run: for whl in $(ls wheelhouse); do wheel unpack wheelhouse/$whl -d /tmp; done
 
+      - name: Validate SBOM (PEP 770)
+        shell: bash -el {0}
+        run: |
+          pip install check-jsonschema
+          for whl in wheelhouse/*.whl; do
+            echo "Validating SBOM in $whl..."
+            unzip -p "$whl" "*/sboms/pandas.cdx.json" > /tmp/sbom.json
+            check-jsonschema --schemafile "https://cyclonedx.org/schema/bom-1.6.schema.json" /tmp/sbom.json
+          done
+
       - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ${{ matrix.python[0] }}-${{ matrix.buildplat[1] }}

LICENSES/vendored.toml

@@ -0,0 +1,108 @@
+# Vendored components manifest for SBOM generation
+# This file documents code that pandas has derived from or incorporates from other projects.
+# Used by scripts/generate_sbom.py to generate CycloneDX SBOM for PEP 770 compliance.
+#
+# License field supports:
+#   - Single SPDX ID: "MIT"
+#   - SPDX expression for dual-license: "Apache-2.0 OR BSD-3-Clause"
+
+[[component]]
+name = "numpy"
+license = "BSD-3-Clause"
+license_file = "NUMPY_LICENSE"
+description = "Derived algorithms and array handling code"
+purl = "pkg:pypi/numpy"
+website = "https://numpy.org"
+
+[[component]]
+name = "bottleneck"
+license = "BSD-2-Clause"
+license_file = "BOTTLENECK_LICENCE"
+description = "Derived reduction algorithms"
+purl = "pkg:pypi/bottleneck"
+website = "https://github.com/pydata/bottleneck"
+
+[[component]]
+name = "python-dateutil"
+# BSD applies to all code; Apache applies to contributions after 2017-12-01
+license = "Apache-2.0 AND BSD-3-Clause"
+license_file = "DATEUTIL_LICENSE"
+description = "Derived date parsing routines"
+purl = "pkg:pypi/python-dateutil"
+website = "https://github.com/dateutil/dateutil"
+
+[[component]]
+name = "klib"
+license = "MIT"
+license_file = "KLIB_LICENSE"
+description = "Derived hash table implementation (khash)"
+purl = "pkg:github/attractivechaos/klib"
+website = "https://github.com/attractivechaos/klib"
+
+[[component]]
+name = "musl"
+license = "MIT"
+license_file = "MUSL_LICENSE"
+description = "Derived ASCII character classification functions (isdigit, isspace, etc.)"
+purl = "pkg:generic/musl"
+website = "https://musl.libc.org"
+
+[[component]]
+name = "pyperclip"
+license = "BSD-3-Clause"
+license_file = "PYPERCLIP_LICENSE"
+description = "Derived clipboard utilities"
+purl = "pkg:pypi/pyperclip"
+website = "https://github.com/asweigart/pyperclip"
+
+[[component]]
+name = "sas7bdat"
+license = "MIT"
+license_file = "SAS7BDAT_LICENSE"
+description = "Derived SAS file reader code"
+purl = "pkg:pypi/sas7bdat"
+website = "https://github.com/jaredhobbs/sas7bdat"
+
+[[component]]
+name = "pyupgrade"
+license = "MIT"
+license_file = "PYUPGRADE_LICENSE"
+description = "Ported unwanted-pattern check in scripts/validate_unwanted_patterns.py"
+purl = "pkg:pypi/pyupgrade"
+website = "https://github.com/asottile/pyupgrade"
+
+[[component]]
+name = "ultrajson"
+# Per LICENSES/ULTRAJSON_LICENSE: BSD-3-Clause for ultrajson itself,
+# plus TCL-licensed portions derived from the double-to-ascii routine
+# (see header in pandas/_libs/src/vendored/ujson/lib/ultrajsonenc.c).
+license = "BSD-3-Clause AND TCL"
+license_file = "ULTRAJSON_LICENSE"
+description = "Derived JSON parsing code"
+purl = "pkg:pypi/ujson"
+website = "https://github.com/ultrajson/ultrajson"
+
+[[component]]
+name = "haven"
+license = "MIT"
+license_file = "HAVEN_LICENSE"
+description = "Derived SPSS/Stata reader code"
+purl = "pkg:cran/haven"
+website = "https://github.com/tidyverse/haven"
+
+[[component]]
+name = "packaging"
+# Dual-licensed: user can choose either license
+license = "Apache-2.0 OR BSD-2-Clause"
+license_file = "PACKAGING_LICENSE"
+description = "Derived version parsing code"
+purl = "pkg:pypi/packaging"
+website = "https://github.com/pypa/packaging"
+
+[[component]]
+name = "cpython"
+license = "PSF-2.0"
+license_file = "PSF_LICENSE"
+description = "Derived Python standard library code"
+purl = "pkg:generic/cpython"
+website = "https://github.com/python/cpython"

MANIFEST.in

@@ -62,3 +62,6 @@ prune pandas/tests/io/parser/data
 # Selectively re-add *.cxx files that were excluded above
 graft pandas/_libs/src
 graft pandas/_libs/include
+
+# Include the SBOM generator in sdist; meson.build invokes it via custom_target.
+include scripts/generate_sbom.py

doc/source/whatsnew/v3.1.0.rst

@@ -37,6 +37,7 @@ Other enhancements
 - Improved the precision of float parsing in :func:`read_csv` (:issue:`64395`)
 - Improved the string ``repr`` of :class:`pd.core.arrays.SparseArray` (:issue:`64547`)
 - MSVC is no longer required to build on Windows, and build errors when using the MinGW compiler have been fixed (:issue:`63160`)
+- Wheels now include a `PEP 770 <https://peps.python.org/pep-0770/>`_ CycloneDX Software Bill of Materials (SBOM) at ``.dist-info/sboms/pandas.cdx.json`` describing vendored components (:issue:`63479`)
 
 .. ---------------------------------------------------------------------------
 .. _whatsnew_310.notable_bug_fixes:

environment.yml

@@ -25,6 +25,9 @@ dependencies:
   - python-dateutil
   - numpy<3
 
+  # SBOM validation
+  - jsonschema
+
   # optional dependencies
   - adbc-driver-postgresql>=1.2.0
   - adbc-driver-sqlite>=1.2.0

meson.build

@@ -95,4 +95,23 @@ endif
 # Needed by pandas.test() when it looks for the pytest ini options
 py.install_sources('pyproject.toml', subdir: 'pandas')
 
+# PEP 770 SBOM for vendored components. Generated at build time from
+# LICENSES/vendored.toml; meson-python (>=0.20.0) recognises the
+# <name>-<version>.dist-info/ prefix under {py_purelib} and routes the
+# output into the wheel's own .dist-info/sboms/ at pack time.
+distinfo = meson.project_name() + '-' + meson.project_version() + '.dist-info'
+custom_target(
+    'pandas-vendored-sbom',
+    output: 'pandas.cdx.json',
+    command: [
+        py,
+        files('scripts/generate_sbom.py'),
+        '@OUTPUT@',
+        '--version',
+        meson.project_version(),
+    ],
+    install: true,
+    install_dir: py.get_install_dir() / distinfo / 'sboms',
+)
+
 subdir('pandas')

pyproject.toml

@@ -2,7 +2,10 @@
 # Minimum requirements for the build system to execute.
 # See https://github.com/scipy/scipy/pull/12940 for the AIX issue.
 requires = [
-    "meson-python>=0.19.0,<1",
+    # TEMPORARY: pin to the meson-python fork branch that implements
+    # PEP 770 SBOM routing (mesonbuild/meson-python#843). Revert to
+    # "meson-python>=0.20.0,<1" once that PR lands in a released version.
+    "meson-python @ git+https://github.com/fangchenli/meson-python.git@feat/distinfo-placeholder",
     "meson>=1.2.3,<2",
     "wheel",
     "Cython>3.1.0,<4.0.0a0",  # Note: sync with environment.yml and asv.conf.json
@@ -81,6 +84,7 @@ matplotlib = "pandas:plotting._matplotlib"
 
 [project.optional-dependencies]
 test = ['hypothesis>=6.116.0', 'pytest>=8.3.4', 'pytest-xdist>=3.6.1']
+sbom = ['check-jsonschema']
 pyarrow = ['pyarrow>=13.0.0']
 performance = ['bottleneck>=1.4.2', 'numba>=0.60.0', 'numexpr>=2.10.2']
 computation = ['scipy>=1.14.1', 'xarray>=2024.10.0']
@@ -190,7 +194,7 @@ environment = {CFLAGS="-g0"}
 
 [[tool.cibuildwheel.overrides]]
 select = "*pyodide*"
-# Pyodide repairs wheels on its own, using auditwheel-emscripten
+# Pyodide repairs wheels on its own, using auditwheel-emscripten.
 repair-wheel-command = ""
 # https://github.com/pyodide/pyodide/issues/5805
 build-verbosity = 1

requirements-dev.txt

@@ -15,6 +15,7 @@ PyQt5>=5.15.9
 coverage
 python-dateutil
 numpy<3
+jsonschema
 adbc-driver-postgresql>=1.2.0
 adbc-driver-sqlite>=1.2.0
 beautifulsoup4>=4.12.3