🚀 The feature, motivation and pitch
Greetings 👋
I work in DevRel for Anchore on the open-source team responsible for syft (SBOM generation), and grype (vuln scanner). You can find them in the "Security & Compliance" section of the CNCF Landscape.
Hope your week is starting well!
I'm a fan of pytorch and would love to help contribute by adding a way to automatically generate a Software Bill of Materials (SBOM) for the project. We publish the anchore/sbom-action (and an optional anchore/scan-action) on GitHub Marketplace, and I think it could be a useful addition here.
You can see public data for who else is using these actions here and here.
Why an SBOM?
An SBOM lists all the bits and pieces (libraries, dependencies, etc.) that make up pytorch. This is super helpful for:
- Transparency: Users can easily see what's in the software.
- Security: If a vulnerability pops up in a dependency, an SBOM helps you (and your users) quickly check if pytorch is affected.
- Trust: Shows a commitment to modern security practices.
The Proposal: Quick & Easy Integration
I'd suggest using the anchore/sbom-action to create an SBOM (SPDX/CycloneDX format) with each build or release. It can even attach it right to your GitHub releases.
Optionally, you could also add the anchore/scan-action to check that SBOM for any known vulnerabilities using Grype. These reports can be uploaded to your releases, and integrate with the security reports directly in your GitHub repo.
For example, after a release, you'd automatically get an SBOM file (like pytorch-2.7.1.spdx.json) attached. If using the scan, you'd see a quick vulnerability summary in your workflow logs.
I can help!
I'm happy to put together a PR to set this up. It usually just means adding a simple GitHub Actions workflow. No big overhaul needed.
These are open-source tools, and we're keen to see more projects benefit from easier SBOM generation and vulnerability scanning.
What do you think? Worth exploring for pytorch?
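An added example, not from the issue author or the pytorch project, of what the proposed workflow could look like: on each published release it generates an SPDX JSON SBOM of the checked-out source, attaches it to the release, scans that same SBOM with grype via anchore/scan-action, and uploads the SARIF to the repository's code-scanning alerts. The action major tags (@v0, @v6, @v4, @v3), the job permissions and the file name derived from github.ref_name are my assumptions; check the inputs against the actions' READMEs before use.

```yaml
# Added example (not from the issue author or from pytorch): release-time
# SBOM generation, release attachment, grype scan and SARIF upload.
# Assumptions: the action major tags, the permissions block and the
# github.ref_name-based file name are mine; verify against the READMEs.
name: sbom-and-scan

on:
  release:
    types: [published]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # attach the SBOM to the GitHub release
      security-events: write # upload SARIF to Security > Code scanning
    steps:
      - uses: actions/checkout@v4

      # Catalog the checked-out source tree (what `syft ./` does locally)
      # and publish the SPDX JSON both as a workflow artifact and as a
      # release asset, e.g. pytorch-v2.7.1.spdx.json for tag v2.7.1.
      - name: Generate SBOM (source tree)
        uses: anchore/sbom-action@v0
        with:
          path: ./
          format: spdx-json
          output-file: pytorch-${{ github.ref_name }}.spdx.json
          artifact-name: pytorch-${{ github.ref_name }}.spdx.json
          upload-artifact: true
          upload-release-assets: true

      # Scan the SBOM file rather than the tree again, so the findings
      # refer to exactly the package set that was just published.
      - name: Scan SBOM with grype
        id: scan
        uses: anchore/scan-action@v6
        with:
          sbom: pytorch-${{ github.ref_name }}.spdx.json
          output-format: sarif
          severity-cutoff: high   # only High/Critical count as errors
          only-fixed: true        # skip findings with no fix available
          fail-build: false       # report only; set true once baselined

      # Runs even if the scan step fails, so findings always reach the
      # repository's code-scanning alerts.
      - name: Upload scan results
        if: always() && steps.scan.outputs.sarif != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

Flipping fail-build to true with severity-cutoff: high makes the release job block on new fixable High or Critical findings, which is the usual second step after a baseline run.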
Alternatives
I will leave this up to you, as I work on the above-named tools, so I am somewhat biased. :)
However, for transparency, here are some alternatives I'm aware of:
- Trivy from Aquasec
- Snyk
- OSV Scanner from Google
Additional context
Testing out Syft and Grype
You can also manually test the tools that power the GitHub actions, to see what you'd get. For example, I can scan the latest tagged release directly from a checkout of the repo:
$ git clone https://github.com/pytorch/pytorch
$ cd pytorch
$ git checkout 'v2.7.1'
$ syft ./
Results of running syft on the checked-out pytorch release
$ syft ./
✔ Indexed file system .
✔ Cataloged contents cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
├── ✔ Packages [647 packages]
├── ✔ Executables [0 executables]
├── ✔ File metadata [124 locations]
└── ✔ File digests [124 files]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME VERSION TYPE
./.github/actions/chown-workspace UNKNOWN github-action (+4 duplicates)
./.github/actions/diskspace-cleanup UNKNOWN github-action (+2 duplicates)
./.github/actions/download-build-artifacts UNKNOWN github-action (+6 duplicates)
./.github/actions/download-td-artifacts UNKNOWN github-action (+4 duplicates)
./.github/actions/filter-test-configs UNKNOWN github-action (+10 duplicates)
./.github/actions/get-workflow-job-id UNKNOWN github-action (+11 duplicates)
./.github/actions/pytest-cache-download UNKNOWN github-action (+2 duplicates)
./.github/actions/pytest-cache-upload UNKNOWN github-action (+2 duplicates)
./.github/actions/setup-linux UNKNOWN github-action (+11 duplicates)
./.github/actions/setup-rocm UNKNOWN github-action (+2 duplicates)
./.github/actions/setup-win UNKNOWN github-action (+1 duplicate)
./.github/actions/setup-xpu UNKNOWN github-action (+1 duplicate)
./.github/actions/teardown-rocm UNKNOWN github-action (+2 duplicates)
./.github/actions/teardown-win UNKNOWN github-action (+1 duplicate)
./.github/actions/teardown-xpu UNKNOWN github-action (+1 duplicate)
./.github/actions/upload-sccache-stats UNKNOWN github-action (+1 duplicate)
./.github/actions/upload-test-artifacts UNKNOWN github-action (+7 duplicates)
./.github/actions/upload-utilization-stats UNKNOWN github-action
./.github/workflows/_bazel-build-test.yml UNKNOWN github-action-workflow (+1 duplicate)
./.github/workflows/_binary-build-linux.yml UNKNOWN github-action-workflow (+5 duplicates)
./.github/workflows/_binary-test-linux.yml UNKNOWN github-action-workflow (+5 duplicates)
./.github/workflows/_binary-upload.yml UNKNOWN github-action-workflow (+11 duplicates)
./.github/workflows/_docs.yml UNKNOWN github-action-workflow (+1 duplicate)
./.github/workflows/_linux-build.yml UNKNOWN github-action-workflow (+25 duplicates)
./.github/workflows/_linux-test.yml UNKNOWN github-action-workflow (+17 duplicates)
./.github/workflows/_mac-build.yml UNKNOWN github-action-workflow (+2 duplicates)
./.github/workflows/_mac-test-mps.yml UNKNOWN github-action-workflow (+1 duplicate)
./.github/workflows/_mac-test.yml UNKNOWN github-action-workflow (+1 duplicate)
./.github/workflows/_rocm-test.yml UNKNOWN github-action-workflow (+8 duplicates)
./.github/workflows/_win-build.yml UNKNOWN github-action-workflow (+2 duplicates)
./.github/workflows/_win-test.yml UNKNOWN github-action-workflow
./.github/workflows/_xpu-test.yml UNKNOWN github-action-workflow
./.github/workflows/inductor-unittest.yml UNKNOWN github-action-workflow
./.github/workflows/llm_td_retrieval.yml UNKNOWN github-action-workflow (+4 duplicates)
./.github/workflows/target_determination.yml UNKNOWN github-action-workflow (+8 duplicates)
./pytorch/.github/actions/chown-workspace UNKNOWN github-action (+1 duplicate)
./pytorch/.github/actions/filter-test-configs UNKNOWN github-action (+1 duplicate)
./pytorch/.github/actions/setup-linux UNKNOWN github-action (+1 duplicate)
./pytorch/.github/actions/test-pytorch-binary UNKNOWN github-action (+2 duplicates)
actions/checkout v2 github-action (+3 duplicates)
actions/checkout v3 github-action (+9 duplicates)
actions/checkout v4 github-action (+21 duplicates)
actions/download-artifact v4 github-action (+2 duplicates)
actions/download-artifact v4.1.7 github-action (+13 duplicates)
actions/github-script v6 github-action (+1 duplicate)
actions/setup-python v2 github-action (+1 duplicate)
actions/setup-python v4 github-action (+11 duplicates)
actions/upload-artifact v4 github-action (+8 duplicates)
actions/upload-artifact v4.4.0 github-action (+12 duplicates)
aws-actions/amazon-ecr-login v2 github-action (+2 duplicates)
aws-actions/configure-aws-credentials v1.7.0 github-action (+1 duplicate)
aws-actions/configure-aws-credentials v3 github-action (+12 duplicates)
aws-actions/configure-aws-credentials v4 github-action (+4 duplicates)
boto3 1.35.42 python (+2 duplicates)
breathe 4.34.0 python
bs4 0.0.1 python
certifi 2024.7.4 python
charset-normalizer 3.3.2 python
coremltools 5.0b5 python (+1 duplicate)
dataclasses-json 0.6.7 python
dill 0.3.7 python
docker/login-action v2 github-action
docker/setup-buildx-action v3 github-action
docker/setup-qemu-action v3 github-action
docutils 0.16 python
ethanis/nitpicker v1 github-action
exhale 0.2.3 python
expecttest 0.3.0 python (+1 duplicate)
fbscribelogger 0.1.7 python (+1 duplicate)
filelock 3.6.0 python
flatbuffers 2.0 python
ghstack 0.8.0 python
github/codeql-action/upload-sarif v1.0.26 github-action
gradle-wrapper 4.10.3 java-archive
hypothesis 5.35.1 python
hypothesis 6.56.4 python
idna 3.7 python
ilammy/msvc-dev-cmd dd5e2fa0a7de1e7929605d9ecc020e749d9856a3 github-action
ipython 8.12.0 python
jinja2 3.1.6 python (+1 duplicate)
junitparser 2.1.1 python
lark 0.12.0 python
lintrunner 0.10.7 python
lintrunner 0.12.7 python
lxml 5.3.0 python
matplotlib 3.5.3 python
matplotlib 3.6.0 python
mpmath 1.3.0 python (+1 duplicate)
mypy 1.14.0 python
myst-nb 0.17.2 python
myst-parser 0.18.1 python (+1 duplicate)
necojackarc/auto-request-review e08cdffa277d50854744de3f76230260e61c67f4 github-action
networkx 2.8.7 python
networkx 2.8.8 python (+1 duplicate)
nick-fields/retry v3.0.0 github-action (+13 duplicates)
ninja 1.10.0.post1 python
ninja 1.11.1 python
numba 0.49.0 python
numba 0.55.2 python (+1 duplicate)
numba 0.56.0 python
numpy 1.22.4 python
numpy 1.26.2 python
numpy 1.26.4 python
numpy 2.1.2 python
nvidia-ml-py 11.525.84 python (+1 duplicate)
octokit/request-action release/2.7 github-action (+1 duplicate)
onnx 1.17.0 python
onnxscript 0.2.2 python
opt-einsum 3.3 python
optree 0.13.0 python (+2 duplicates)
ossf/scorecard-action v2.0.3 github-action
packaging 23.1 python
pandas 2.0.3 python
pandas 2.2.3 python
parameterized 0.8.1 python (+1 duplicate)
parkerbxyz/suggest-changes v1 github-action
pillow 11.0.0 python
protobuf 3.20.2 python (+2 duplicates)
psutil 5.9.1 python
pulp 2.9.0 python
pwlf 2.2.1 python
pygithub 2.3.0 python
pygments 2.15.0 python (+1 duplicate)
pytest 7.3.2 python (+1 duplicate)
pytest-cpp 2.3.0 python (+1 duplicate)
pytest-flakefinder 1.1.0 python (+1 duplicate)
pytest-rerunfailures 10.3 python
pytest-subtests 0.13.1 python (+1 duplicate)
pytest-xdist 3.3.1 python (+1 duplicate)
python-etcd 0.4.5 python (+1 duplicate)
pytorch/pytorch/.github/actions/checkout-pytorch release/2.7 github-action (+32 duplicates)
pytorch/pytorch/.github/actions/diskspace-cleanup main github-action
pytorch/pytorch/.github/workflows/_runner-determinator.yml release/2.7 github-action-workflow (+46 duplicates)
pytorch/test-infra/.github/actions/bc-lint release/2.7 github-action
pytorch/test-infra/.github/actions/calculate-docker-image main github-action
pytorch/test-infra/.github/actions/calculate-docker-image release/2.7 github-action (+10 duplicates)
pytorch/test-infra/.github/actions/check-disk-space release/2.7 github-action (+2 duplicates)
pytorch/test-infra/.github/actions/cleanup-runner main github-action
pytorch/test-infra/.github/actions/cleanup-runner release/2.7 github-action (+1 duplicate)
pytorch/test-infra/.github/actions/pull-docker-image main github-action
pytorch/test-infra/.github/actions/pull-docker-image release/2.7 github-action (+12 duplicates)
pytorch/test-infra/.github/actions/setup-miniconda release/2.7 github-action (+5 duplicates)
pytorch/test-infra/.github/actions/setup-nvidia main github-action
pytorch/test-infra/.github/actions/setup-nvidia release/2.7 github-action (+3 duplicates)
pytorch/test-infra/.github/actions/setup-ssh release/2.7 github-action (+14 duplicates)
pytorch/test-infra/.github/actions/teardown-linux main github-action
pytorch/test-infra/.github/actions/teardown-linux release/2.7 github-action (+10 duplicates)
pytorch/test-infra/.github/actions/update-commit-hash release/2.7 github-action (+1 duplicate)
pytorch/test-infra/.github/actions/update-viablestrict release/2.7 github-action
pytorch/test-infra/.github/actions/upload-benchmark-results main github-action
pytorch/test-infra/.github/actions/upload-benchmark-results release/2.7 github-action (+2 duplicates)
pytorch/test-infra/.github/workflows/linux_job.yml release/2.7 github-action-workflow (+1 duplicate)
pytorch/test-infra/.github/workflows/validate-docker-images.yml release/2.7 github-action-workflow
pywavelets 1.4.1 python
pywavelets 1.7.0 python
pyyaml 6.0 python
pyyaml 6.0.1 python
requests 2.32.2 python (+1 duplicate)
rich 10.9.0 python
scikit-image 0.19.3 python
scikit-image 0.22.0 python
scipy 1.10.1 python (+1 duplicate)
scipy 1.14.1 python
scons 4.5.2 python
seemethere/download-artifact-s3 v4 github-action (+3 duplicates)
seemethere/upload-artifact-s3 v5 github-action (+10 duplicates)
setuptools 70.0.0 python
softprops/action-gh-release v1 github-action
sphinx 5.0.0 python
sphinx 5.3.0 python
sphinx-copybutton 0.5.0 python (+1 duplicate)
sphinx-panels 0.4.1 python (+1 duplicate)
sphinxcontrib-katex 0.8.6 python (+1 duplicate)
sympy 1.12 python
sympy 1.13.3 python (+1 duplicate)
tb-nightly 2.13.0a20230426 python
tensorboard 2.10.0 python
tensorboard 2.13.0 python (+2 duplicates)
tensorboard 2.18.0 python (+1 duplicate)
typing-extensions 4.11.0 python
urllib3 2.2.2 python
xdoctest 1.1.0 python (+1 duplicate)
z3-solver 4.12.2.0 python
z3-solver 4.12.6.0 python
We can also pick a recent container build on DockerHub and generate a human-readable table-view SBOM, and a machine-readable SPDX-formatted SBOM:
$ syft pytorch/pytorch:2.7.1-cuda11.8-cudnn9-runtime -o table -o spdx-json=./pytorch-2.7.1-cuda11.8-cudnn9-runtime.json --platform linux/amd64
Result of syft on pytorch container
✔ Pulled image
✔ Loaded image pytorch/pytorch:2.7.1-cuda11.8-cudnn9-runtime
✔ Parsed image sha256:cc0fe24aee5ea4f5a5b9bfe94b22dadfde31855888b6f5699db9c2f7c09938e4
✔ Cataloged contents 9396c3af86db3ba12d7339f3d517faf2603330d68e4c73052a402c26868d8aa1
├── ✔ Packages [273 packages]
├── ✔ Executables [1,192 executables]
├── ✔ File metadata [4,501 locations]
└── ✔ File digests [4,501 files]
NAME VERSION TYPE
Simple Launcher 1.1.0.14 binary (+5 duplicates)
adduser 3.118ubuntu5 deb
apt 2.4.14 deb
archspec 0.2.5 python
asttokens 3.0.0 python
astunparse 1.6.3 python
attrs 25.3.0 python
autocommand 2.2.2 python
backports-tarfile 1.2.0 python
base-files 12ubuntu4.7 deb
base-passwd 3.5.52build1 deb
bash 5.1-6ubuntu1.1 deb
beautifulsoup4 4.13.4 python
boltons 24.0.0 python
brotli 1.1.0 python
bsdutils 1:2.37.2-4ubuntu3.4 deb
ca-certificates 20240203~22.04.1 deb
certifi 2025.4.26 python
cffi 1.17.1 python
chardet 5.2.0 python
charset-normalizer 3.4.2 python
cli UNKNOWN binary
cli-32 UNKNOWN binary (+2 duplicates)
cli-64 UNKNOWN binary (+2 duplicates)
cli-arm64 UNKNOWN binary
click 8.2.1 python
cmake 4.0.2 python
colorama 0.4.6 python
conda 25.5.0 python
conda-build 25.5.0 python
conda-index 0.6.1 python
conda-libmamba-solver 25.3.0 python
conda-package-handling 2.4.0 python
conda-package-streaming 0.11.0 python
coreutils 8.32-4.1ubuntu1.2 deb
dash 0.5.11+git20210903+057cd650a4ed-3build1 deb
debconf 1.5.79ubuntu1 deb
debianutils 5.5-1ubuntu2 deb
decorator 5.2.1 python
diffutils 1:3.8-0ubuntu2 deb
distro 1.9.0 python
dnspython 2.7.0 python
dpkg 1.21.1ubuntu2.3 deb
e2fsprogs 1.46.5-2ubuntu1.2 deb
evalidate 2.0.5 python
exceptiongroup 1.3.0 python
executing 2.2.0 python
expecttest 0.3.0 python
filelock 3.18.0 python
findutils 4.8.0-1ubuntu3 deb
frozendict 2.4.6 python
fsspec 2025.5.1 python
gcc-12-base 12.3.0-1ubuntu1~22.04 deb
gpgv 2.2.27-3ubuntu2.3 deb
grep 3.7-1build1 deb
gui UNKNOWN binary
gui-32 UNKNOWN binary (+1 duplicate)
gui-64 UNKNOWN binary (+1 duplicate)
gui-arm64 UNKNOWN binary
gzip 1.10-4ubuntu4.1 deb
h2 4.2.0 python
hostname 3.23ubuntu2 deb
hpack 4.1.0 python
hyperframe 6.1.0 python
hypothesis 6.135.0 python
idna 3.10 python
importlib-metadata 8.0.0 python
importlib-resources 6.5.2 python
inflect 7.3.1 python
init-system-helpers 1.62 deb
ipython 9.3.0 python
ipython-pygments-lexers 1.1.1 python
jaraco-collections 5.1.0 python
jaraco-context 5.3.0 python
jaraco-functools 4.0.1 python
jaraco-text 3.12.1 python
jedi 0.19.2 python
jinja2 3.1.6 python
jsonpatch 1.33 python
jsonpointer 3.0.0 python
jsonschema 4.24.0 python
jsonschema-specifications 2025.4.1 python
libacl1 2.3.1-1 deb
libapt-pkg6.0 2.4.14 deb
libarchive-c 5.3 python
libattr1 1:2.5.1-1build1 deb
libaudit-common 1:3.0.7-1build1 deb
libaudit1 1:3.0.7-1build1 deb
libblkid1 2.37.2-4ubuntu3.4 deb
libbz2-1.0 1.0.8-5build1 deb
libc-bin 2.35-0ubuntu3.10 deb
libc-dev-bin 2.35-0ubuntu3.10 deb
libc6 2.35-0ubuntu3.10 deb
libc6-dev 2.35-0ubuntu3.10 deb
libcap-ng0 0.7.9-2.2build3 deb
libcap2 1:2.44-1ubuntu0.22.04.2 deb
libcom-err2 1.46.5-2ubuntu1.2 deb
libcrypt-dev 1:4.4.27-1 deb
libcrypt1 1:4.4.27-1 deb
libdb5.3 5.3.28+dfsg1-0.8ubuntu3 deb
libdebconfclient0 0.261ubuntu1 deb
libext2fs2 1.46.5-2ubuntu1.2 deb
libffi8 3.4.2-4 deb
libgcc-s1 12.3.0-1ubuntu1~22.04 deb
libgcrypt20 1.9.4-3ubuntu3 deb
libgmp10 2:6.2.1+dfsg-3ubuntu1 deb
libgnutls30 3.7.3-4ubuntu1.6 deb
libgpg-error0 1.43-3 deb
libgssapi-krb5-2 1.19.2-2ubuntu0.7 deb
libhogweed6 3.7.3-1build2 deb
libidn2-0 2.3.2-2build1 deb
libjpeg-dev 8c-2ubuntu10 deb
libjpeg-turbo8 2.1.2-0ubuntu1 deb
libjpeg-turbo8-dev 2.1.2-0ubuntu1 deb
libjpeg8 8c-2ubuntu10 deb
libjpeg8-dev 8c-2ubuntu10 deb
libk5crypto3 1.19.2-2ubuntu0.7 deb
libkeyutils1 1.6.1-2ubuntu3 deb
libkrb5-3 1.19.2-2ubuntu0.7 deb
libkrb5support0 1.19.2-2ubuntu0.7 deb
liblz4-1 1.9.3-2build2 deb
liblzma5 5.2.5-2ubuntu1 deb
libmambapy 2.1.1 python
libmount1 2.37.2-4ubuntu3.4 deb
libncurses6 6.3-2ubuntu0.1 deb
libncursesw6 6.3-2ubuntu0.1 deb
libnettle8 3.7.3-1build2 deb
libnsl-dev 1.3.0-2build2 deb
libnsl2 1.3.0-2build2 deb
libp11-kit0 0.24.0-6build1 deb
libpam-modules 1.4.0-11ubuntu2.5 deb
libpam-modules-bin 1.4.0-11ubuntu2.5 deb
libpam-runtime 1.4.0-11ubuntu2.5 deb
libpam0g 1.4.0-11ubuntu2.5 deb
libpcre2-8-0 10.39-3ubuntu0.1 deb
libpcre3 2:8.39-13ubuntu0.22.04.1 deb
libpng-dev 1.6.37-3build5 deb
libpng16-16 1.6.37-3build5 deb
libprocps8 2:3.3.17-6ubuntu2.1 deb
libseccomp2 2.5.3-2ubuntu3~22.04.1 deb
libselinux1 3.3-1build2 deb
libsemanage-common 3.3-1build2 deb
libsemanage2 3.3-1build2 deb
libsepol2 3.3-1build1 deb
libsmartcols1 2.37.2-4ubuntu3.4 deb
libss2 1.46.5-2ubuntu1.2 deb
libssl3 3.0.2-0ubuntu1.19 deb
libstdc++6 12.3.0-1ubuntu1~22.04 deb
libsystemd0 249.11-0ubuntu3.15 deb
libtasn1-6 4.18.0-4ubuntu0.1 deb
libtinfo6 6.3-2ubuntu0.1 deb
libtirpc-common 1.3.2-2ubuntu0.1 deb
libtirpc-dev 1.3.2-2ubuntu0.1 deb
libtirpc3 1.3.2-2ubuntu0.1 deb
libudev1 249.11-0ubuntu3.15 deb
libunistring2 1.0-1 deb
libuuid1 2.37.2-4ubuntu3.4 deb
libxxhash0 0.8.1-1 deb
libzstd1 1.4.8+dfsg-3build1 deb
lief 0.16.4 python
lintrunner 0.12.7 python
linux-libc-dev 5.15.0-141.151 deb
login 1:4.8.1-2ubuntu2.2 deb
logsave 1.46.5-2ubuntu1.2 deb
lsb-base 11.1.0ubuntu4 deb
markupsafe 3.0.2 python
matplotlib-inline 0.1.7 python
mawk 1.3.4.20200120-3 deb
menuinst 2.2.0 python
more-itertools 10.3.0 python
mount 2.37.2-4ubuntu3.4 deb
mpmath 1.3.0 python
msgpack 1.1.0 python
my-test-package 1.0 python
ncurses-base 6.3-2ubuntu0.1 deb
ncurses-bin 6.3-2ubuntu0.1 deb
networkx 3.5 python
ninja 1.11.1.4 python
numpy 2.2.6 python
nvidia-cublas-cu11 11.11.3.6 python
nvidia-cuda-cupti-cu11 11.8.87 python
nvidia-cuda-nvrtc-cu11 11.8.89 python
nvidia-cuda-runtime-cu11 11.8.89 python
nvidia-cudnn-cu11 9.1.0.70 python
nvidia-cufft-cu11 10.9.0.58 python
nvidia-curand-cu11 10.3.0.86 python
nvidia-cusolver-cu11 11.4.1.48 python
nvidia-cusparse-cu11 11.7.5.86 python
nvidia-nccl-cu11 2.21.5 python
nvidia-nvtx-cu11 11.8.86 python
openssl 3.0.2-0ubuntu1.19 deb
openssl 3.5.0 binary
optree 0.16.0 python
packaging 24.2 python
packaging 25.0 python
parso 0.8.4 python
passwd 1:4.8.1-2ubuntu2.2 deb
perl-base 5.34.0-3ubuntu1.4 deb
pexpect 4.9.0 python
pickleshare 0.7.5 python
pillow 11.0.0 python
pip 25.1.1 python
pkginfo 1.12.1.2 python
pkgutil-resolve-name 1.3.10 python
platformdirs 4.2.2 python
platformdirs 4.3.8 python
pluggy 1.5.0 python
procps 2:3.3.17-6ubuntu2.1 deb
prompt-toolkit 3.0.51 python
psutil 7.0.0 python
ptyprocess 0.7.0 python
pure-eval 0.2.3 python
pycosat 0.6.6 python
pycparser 2.22 python
pygments 2.19.1 python
pysocks 1.7.1 python
python 3.11.13 binary
python-etcd 0.4.5 python
pytz 2025.2 python
pyyaml 6.0.2 python
referencing 0.36.2 python
requests 2.32.3 python
rpcsvc-proto 1.4.2-0ubuntu6 deb
rpds-py 0.25.1 python
ruamel-yaml 0.18.12 python
ruamel-yaml-clib 0.2.8 python
sed 4.8-1ubuntu2 deb
sensible-utils 0.0.17 deb
setuptools 75.8.2 python
six 1.17.0 python
sortedcontainers 2.4.0 python
soupsieve 2.7 python
stack-data 0.6.3 python
sympy 1.14.0 python
sysvinit-utils 3.01-1ubuntu1 deb
tar 1.34+dfsg-1ubuntu0.1.22.04.2 deb
tomli 2.0.1 python
torch 2.7.1+cu118 python
torchaudio 2.7.1+cu118 python
torchelastic 0.2.2 python
torchvision 0.22.1+cu118 python
tqdm 4.67.1 python
traitlets 5.14.3 python
triton 3.3.1 python
truststore 0.10.1 python
typeguard 4.3.0 python
types-dataclasses 0.6.6 python
typing-extensions 4.12.2 python
typing-extensions 4.14.0 python
ubuntu-keyring 2021.03.26 deb
urllib3 2.4.0 python
usrmerge 25ubuntu2 deb
util-linux 2.37.2-4ubuntu3.4 deb
wcwidth 0.2.13 python
wheel 0.43.0 python
wheel 0.45.1 python
zipp 3.19.2 python
zipp 3.22.0 python
zlib1g 1:1.2.11.dfsg-2ubuntu9.2 deb
zlib1g-dev 1:1.2.11.dfsg-2ubuntu9.2 deb
zstandard 0.23.0 python
zstd 1.5.7 binary
Then use grype to scan the generated SBOM.
$ grype ./pytorch-2.7.1-cuda11.8-cudnn9-runtime.json
Results of vulnerability scan
✔ Vulnerability DB [updated]
✔ Scanned for vulnerabilities [52 vulnerability matches]
├── by severity: 0 critical, 2 high, 1150 medium, 68 low, 18 negligible
└── by status: 7 fixed, 1231 not-fixed, 1186 ignored
[0000] WARN current database is invalid error=the vulnerability database was built 2 weeks ago (max allowed age is 5 days)
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY EPSS% RISK
login 1:4.8.1-2ubuntu2.2 deb CVE-2024-56433 Low 85.62 0.9
passwd 1:4.8.1-2ubuntu2.2 deb CVE-2024-56433 Low 85.62 0.9
libjpeg-turbo8 2.1.2-0ubuntu1 deb CVE-2018-10126 Low 62.93 0.1
libjpeg-turbo8-dev 2.1.2-0ubuntu1 deb CVE-2018-10126 Low 62.93 0.1
libtasn1-6 4.18.0-4ubuntu0.1 deb CVE-2021-46848 Low 50.88 < 0.1
setuptools 75.8.2 78.1.1 python GHSA-5rjg-fvgr-3xxf High 29.48 < 0.1
libsystemd0 249.11-0ubuntu3.15 deb CVE-2023-7008 Low 46.27 < 0.1
libudev1 249.11-0ubuntu3.15 deb CVE-2023-7008 Low 46.27 < 0.1
libgcrypt20 1.9.4-3ubuntu3 deb CVE-2024-2236 Low 45.70 < 0.1
libzstd1 1.4.8+dfsg-3build1 deb CVE-2022-4899 Low 43.17 < 0.1
libssl3 3.0.2-0ubuntu1.19 deb CVE-2024-41996 Low 37.55 < 0.1
openssl 3.0.2-0ubuntu1.19 deb CVE-2024-41996 Low 37.55 < 0.1
gcc-12-base 12.3.0-1ubuntu1~22.04 deb CVE-2023-4039 Low 36.59 < 0.1
libgcc-s1 12.3.0-1ubuntu1~22.04 deb CVE-2023-4039 Low 36.59 < 0.1
libstdc++6 12.3.0-1ubuntu1~22.04 deb CVE-2023-4039 Low 36.59 < 0.1
requests 2.32.3 2.32.4 python GHSA-9hjg-9r4m-mvj7 Medium 19.67 < 0.1
coreutils 8.32-4.1ubuntu1.2 deb CVE-2016-2781 Low 26.05 < 0.1
python 3.11.13 3.14.0 UnknownPackage CVE-2024-3220 Low 26.46 < 0.1
libpcre3 2:8.39-13ubuntu0.22.04.1 deb CVE-2017-11164 Negligible 57.70 < 0.1
openssl 3.5.0 3.5.1 UnknownPackage CVE-2025-4575 Medium 5.68 < 0.1
libncurses6 6.3-2ubuntu0.1 deb CVE-2023-50495 Low 15.43 < 0.1
libncursesw6 6.3-2ubuntu0.1 deb CVE-2023-50495 Low 15.43 < 0.1
libtinfo6 6.3-2ubuntu0.1 deb CVE-2023-50495 Low 15.43 < 0.1
ncurses-base 6.3-2ubuntu0.1 deb CVE-2023-50495 Low 15.43 < 0.1
ncurses-bin 6.3-2ubuntu0.1 deb CVE-2023-50495 Low 15.43 < 0.1
libc-bin 2.35-0ubuntu3.10 deb CVE-2016-20013 Negligible 52.17 < 0.1
libc-dev-bin 2.35-0ubuntu3.10 deb CVE-2016-20013 Negligible 52.17 < 0.1
libc6 2.35-0ubuntu3.10 deb CVE-2016-20013 Negligible 52.17 < 0.1
libc6-dev 2.35-0ubuntu3.10 deb CVE-2016-20013 Negligible 52.17 < 0.1
libpcre2-8-0 10.39-3ubuntu0.1 deb CVE-2022-41409 Low 13.92 < 0.1
gcc-12-base 12.3.0-1ubuntu1~22.04 deb CVE-2022-27943 Low 12.96 < 0.1
libgcc-s1 12.3.0-1ubuntu1~22.04 deb CVE-2022-27943 Low 12.96 < 0.1
libstdc++6 12.3.0-1ubuntu1~22.04 deb CVE-2022-27943 Low 12.96 < 0.1
libpam-modules 1.4.0-11ubuntu2.5 deb CVE-2024-10041 Medium 5.39 < 0.1
libpam-modules-bin 1.4.0-11ubuntu2.5 deb CVE-2024-10041 Medium 5.39 < 0.1
libpam-runtime 1.4.0-11ubuntu2.5 deb CVE-2024-10041 Medium 5.39 < 0.1
libpam0g 1.4.0-11ubuntu2.5 deb CVE-2024-10041 Medium 5.39 < 0.1
python 3.11.13 3.14.0b1 UnknownPackage CVE-2025-4516 Medium 3.14 < 0.1
login 1:4.8.1-2ubuntu2.2 deb CVE-2023-29383 Low 5.41 < 0.1
passwd 1:4.8.1-2ubuntu2.2 deb CVE-2023-29383 Low 5.41 < 0.1
perl-base 5.34.0-3ubuntu1.4 deb CVE-2025-40909 Medium 1.98 < 0.1
libsystemd0 249.11-0ubuntu3.15 249.11-0ubuntu3.16 deb CVE-2025-4598 Medium 0.99 < 0.1
libudev1 249.11-0ubuntu3.15 249.11-0ubuntu3.16 deb CVE-2025-4598 Medium 0.99 < 0.1
coreutils 8.32-4.1ubuntu1.2 deb CVE-2025-5278 Low 1.61 < 0.1
gpgv 2.2.27-3ubuntu2.3 deb CVE-2022-3219 Low 1.24 < 0.1
libncurses6 6.3-2ubuntu0.1 deb CVE-2023-45918 Low N/A N/A
libncursesw6 6.3-2ubuntu0.1 deb CVE-2023-45918 Low N/A N/A
libpng-dev 1.6.37-3build5 deb CVE-2022-3857 Low N/A N/A
libpng16-16 1.6.37-3build5 deb CVE-2022-3857 Low N/A N/A
libtinfo6 6.3-2ubuntu0.1 deb CVE-2023-45918 Low N/A N/A
ncurses-base 6.3-2ubuntu0.1 deb CVE-2023-45918 Low N/A N/A
ncurses-bin 6.3-2ubuntu0.1 deb CVE-2023-45918 Low N/A N/A
One can also just point grype at the container directly, or at a folder of code, as grype contains syft as a library to do the SBOM generation and vuln scan in one command:
$ grype ~/source/pytorch/pytorch-2.7.1/
and
$ grype pytorch/pytorch:2.7.1-cuda11.8-cudnn9-runtime