Open audunmo opened 1 year ago
Hi @audunmo! Thanks for the feature request! I didn't know about vcpkg, but we're definitely open to supporting it. We'd happily accept a contribution, or we can put this in our backlog and work on it in the future.
Here's what the work would look like:
To add support for vcpkg, what we would do is add a vcpkg cataloger to syft. (A cataloger is syft's term for a module that knows how to detect and analyze components from a particular package manager or ecosystem. For example, there are a couple of Java catalogers and an RPM cataloger.)
Catalogers generally come in two flavors: those that catalog described/declared packages, which are used by default when scanning directories ("directory catalogers"), and those that catalog installed packages, which are used by default when scanning container images ("image catalogers"). I think what you're looking for is a directory cataloger, but I could be wrong.
Here are the docs on adding a new cataloger: https://github.com/anchore/syft/blob/main/DEVELOPING.md#summary
Here's a pull request of a recently added cataloger: https://github.com/anchore/syft/pull/1790
If you'd like to discuss more, please feel free to come to one of our community meetings: https://github.com/anchore/syft#join-our-community-meetings
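A sketch of the "declared packages" side of such a directory cataloger, as an added example that is not syft's or this thread's code: it parses a vcpkg.json manifest into the dependencies it declares, assuming the vcpkg manifest layout where "dependencies" holds either bare name strings or objects with "name", "version>=" and "features" (wiring into syft's cataloger interface is left out).

```go
// Added example (not syft's own code): turn a vcpkg.json manifest into the
// list of declared dependencies a directory-style cataloger would report.
// Assumes the vcpkg manifest layout: "dependencies" is an array of either a
// bare package-name string or an object with "name" and optional "version>="
// and "features" keys.
package main

import (
	"encoding/json"
	"fmt"
)

// VcpkgDependency is one dependency declared in the manifest.
type VcpkgDependency struct {
	Name       string   `json:"name"`
	MinVersion string   `json:"version>="` // empty when unconstrained
	Features   []string `json:"features"`
}

// UnmarshalJSON accepts both the "fmt" and the {"name": "fmt", ...} forms.
func (d *VcpkgDependency) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*d = VcpkgDependency{Name: s}
		return nil
	}
	type raw VcpkgDependency // same fields, no methods: avoids recursion
	var r raw
	if err := json.Unmarshal(b, &r); err != nil {
		return err
	}
	if r.Name == "" {
		return fmt.Errorf("vcpkg dependency object without a name")
	}
	*d = VcpkgDependency(r)
	return nil
}

// ParseVcpkgManifest returns the dependencies declared in a vcpkg.json.
func ParseVcpkgManifest(data []byte) ([]VcpkgDependency, error) {
	var m struct {
		Dependencies []VcpkgDependency `json:"dependencies"`
	}
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, err
	}
	return m.Dependencies, nil
}

// Constructed sample manifest for demonstration.
const sampleManifest = `{"name": "demo-app", "version": "1.0.0",
 "dependencies": ["fmt", {"name": "zlib", "version>=": "1.2.13"},
                  {"name": "openssl", "features": ["tools"]}]}`
```

Calling ParseVcpkgManifest on sampleManifest yields three packages; a dependency object without a "name" is rejected rather than silently reported as an empty package.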
I'd love to take a crack at it. Thanks @willmurphyscode
By-the-by, I've begun work on this over here: https://github.com/audunmo/syft/tree/feat/catalog-vcpkg
Awesome! Do you want some early feedback? Also I made a lot of breaking changes that I think will affect your (future) PR, I'm happy to do the rebase if you open up a draft PR and allow maintainer write permissions.
@wagoodman Heya. I actually stopped pursuing this. Turns out, vcpkg generates an SPDX SBOM automatically. It just wasn't super apparent in their docs. Thanks anyway! Closing this issue.
For anyone else stumbling upon this issue, here are the vcpkg docs for SBOM generation: https://learn.microsoft.com/en-us/vcpkg/reference/software-bill-of-materials
I'm glad there is baked-in support for generating an SBOM from the build tooling -- that's awesome! I think there is still merit to the original ask even though the build tooling supports it. It might be that you're scanning a repo or asset that has vcpkg material alongside other material. I'd be curious to see what would be possible outside of the build tooling here.
What would you like to be added:
`syft` should be able to use `vcpkg` to generate SBOMs for C++ projects.

Why is this needed:
At @reMarkable, we have a giant C++ codebase. We'd love to use `syft` to generate SBOMs for this project, but we're reliant on using `vcpkg` as a package manager, not `conan`.

Additional context: