CycloneDX / cdxgen

Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Discord: https://discord.gg/DP657ACYEZ
https://cyclonedx.github.io/cdxgen/
Apache License 2.0

[clang] Support for compilation database #1115

Open prabhu opened 4 months ago

prabhu commented 4 months ago

compile_commands.json has a list of files processed during the compilation. By creating components of type file (and invoking atom with -l h in cdxgen's --deep mode), we can create a decent "build" SBOM for Linux Kernel and other complex C projects.

[
  { "directory": "/home/user/llvm/build",
    "arguments": ["/usr/bin/clang++", "-Irelative", "-DSOMEDEF=With spaces, quotes and \\-es.", "-c", "-o", "file.o", "file.cc"],
    "file": "file.cc" },

  { "directory": "/home/user/llvm/build",
    "command": "/usr/bin/clang++ -Irelative -DSOMEDEF=\"With spaces, quotes and \\-es.\" -c -o file.o file.cc",
    "file": "file2.cc" },

  ...
]

https://clang.llvm.org/docs/JSONCompilationDatabase.html https://github.com/rizsotto/Bear

Working python example that collects all .cmd files to create a single json file https://github.com/amezin/vscode-linux-kernel

prabhu commented 4 months ago

Sample file for Linux Kernel 6.9

compile_commands.json.tar.gz

We can remove the directory prefix from the filename to make it relative.

The command attribute could be captured under formulation.
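The two ideas in this thread (one component of type file per compile_commands.json entry, with the directory prefix stripped from the file name, and the compiler invocation recorded under formulation) put together as an added example. This is not cdxgen's code; the BOM layout, the workflow/step fields used under formulation, the "compiler" step property and the SAMPLE input are all assumptions made for the example, and the entries in SAMPLE are constructed (the third one is the "command"-form entry from the clang documentation).

```javascript
// Added example, not cdxgen's own code: turn compile_commands.json entries into
// CycloneDX components of type "file", recording each compiler invocation under
// "formulation" as a step of a build workflow (one reading of the 1.5 schema).

// Split a shell-escaped "command" string into argv the way a POSIX shell would:
// single quotes are literal, double quotes honour \" \\ \$ \` escapes, and an
// unquoted backslash escapes the next character.
function splitCommand(cmd) {
  const args = [];
  let cur = "";
  let inArg = false;
  let quote = null;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (quote === "'") {
      if (c === "'") quote = null;
      else cur += c;
    } else if (quote === '"') {
      if (c === '"') quote = null;
      else if (c === "\\" && i + 1 < cmd.length && '"\\$`'.includes(cmd[i + 1])) cur += cmd[++i];
      else cur += c;
    } else if (c === "'" || c === '"') {
      quote = c;
      inArg = true;
    } else if (c === "\\" && i + 1 < cmd.length) {
      cur += cmd[++i];
      inArg = true;
    } else if (c === " " || c === "\t" || c === "\n") {
      if (inArg) {
        args.push(cur);
        cur = "";
        inArg = false;
      }
    } else {
      cur += c;
      inArg = true;
    }
  }
  if (quote !== null) throw new Error("unterminated quote in command: " + cmd);
  if (inArg) args.push(cur);
  return args;
}

// Quote one argument so that splitCommand() (or a POSIX shell) recovers it.
function shellQuote(arg) {
  if (/^[A-Za-z0-9_.,\/:=+@%-]+$/.test(arg)) return arg;
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// Normalise an entry to argv: "arguments" wins, otherwise parse "command".
function toArgv(entry) {
  if (Array.isArray(entry.arguments)) return entry.arguments.slice();
  if (typeof entry.command === "string") return splitCommand(entry.command);
  throw new Error("entry has neither 'arguments' nor 'command'");
}

// Drop the build-directory prefix so the component name is relative to the
// tree (init/main.c rather than /home/user/linux/init/main.c). A file that is
// already relative, or lies outside the directory, is left unchanged.
function stripDirectory(entry) {
  const dir = entry.directory.replace(/\/+$/, "");
  return entry.file.startsWith(dir + "/") ? entry.file.slice(dir.length + 1) : entry.file;
}

function buildBom(compileCommands) {
  const components = new Map(); // relative path -> component (deduplicated)
  const steps = [];
  for (const entry of compileCommands) {
    const rel = stripDirectory(entry);
    const argv = toArgv(entry); // also validates the entry before it is recorded
    if (!components.has(rel)) {
      components.set(rel, { type: "file", "bom-ref": "file:" + rel, name: rel });
    }
    // Keep the producer's own string when there is one; otherwise re-quote argv
    // so the recorded command can be pasted back into a shell unchanged.
    const executed = typeof entry.command === "string" ? entry.command : argv.map(shellQuote).join(" ");
    steps.push({
      name: "compile " + rel,
      commands: [{ executed }],
      properties: [{ name: "compiler", value: argv[0] }], // hypothetical property name
    });
  }
  return {
    bomFormat: "CycloneDX",
    specVersion: "1.5",
    version: 1,
    components: [...components.values()],
    formulation: [{
      "bom-ref": "formulation-compile-commands",
      workflows: [{ "bom-ref": "workflow-compile", uid: "compile-commands", taskTypes: ["build"], steps }],
    }],
  };
}

// Constructed sample: two kernel-style entries for the same file (absolute
// "file", as the kernel's generator writes it) plus the "command"-form entry
// from the clang documentation.
const SAMPLE = [
  { directory: "/home/user/linux", file: "/home/user/linux/init/main.c",
    arguments: ["gcc", "-Wp,-MMD,init/.main.o.d", "-nostdinc", "-I./include", "-c", "-o", "init/main.o", "init/main.c"] },
  { directory: "/home/user/linux", file: "/home/user/linux/init/main.c",
    arguments: ["gcc", "-c", "-o", "init/main.o", "init/main.c"] },
  { directory: "/home/user/llvm/build",
    command: '/usr/bin/clang++ -Irelative -DSOMEDEF="With spaces, quotes and \\-es." -c -o file.o file.cc',
    file: "file.cc" },
];

console.log(JSON.stringify(buildBom(SAMPLE), null, 2));
```

Running it prints a BOM with two file components (init/main.c and file.cc) and three build steps; the duplicate entry for init/main.c collapses into one component while both of its invocations are kept under formulation.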