Generate CycloneDX SBOM file from vcpkg

[aganariman]

---

Is your feature request related to a problem? Please describe. As described in the "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices" US Whitehouse memorandum (https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf) a Software Bill of Materials (SBOM) may be required by government agencies and must be created according to guidance of CISA.

It would be great if vcpkg development team published a tool to automatically generate SBOM files at build time.

For example, Conan package manager (alternative to the vcpkg) has tools available to automatically generate SBOM files in CycloneDX format: https://github.com/CycloneDX/cyclonedx-conan. Sonatype OSS Index publishes a database of known vulnerabilities which can be searched based on Conan package URL: https://ossindex.sonatype.org/ecosystem/conan.

Proposed solution

• [ ] Implement a tool for CycloneDX SBOM file generation from vcpkg and make it available in the CycloneDX tool center: https://cyclonedx.org/tool-center/.

• [ ] Contribute to the PackageURL specification project to ensure that vcpkg is supported: https://github.com/package-url/purl-spec/issues/217

• [ ] Bonus: Communicate with the Sonatype OSS to support vcpkg in their vulnerability ecosystem.

[autoantwort]

Fyi currently spdx sboms are generated for every package (share/<port>/vcpkg.spdx.json)

[aganariman]

It seems like SPDX is great for license/IP specific requirements in organizations, but it does not support the majority of security use cases like identifying existing vulnerabilities based on PackageURL. More on this described here: https://github.com/DependencyTrack/dependency-track/discussions/1222 So it would be great if CycloneDX format is also considered. Most tools in the open source security ecosystem (like https://dependencytrack.org/) work with this format.

[tsteenbe]

@aganariman https://github.com/DependencyTrack/dependency-track/discussions/1222 is out of date - SPDX 2.3 which was released in 2022 does various support security use cases see https://spdx.github.io/spdx-spec/v2.3/how-to-use/.

[aganariman]

Looks like SPDX 2.3 format indeed does have some security support to link to external vulnerability advisories like OSS Index and Github Advisories. But unfortunately the OWASP ecosystem tools rely on CycloneDX SBOM format. For example the OWASP flagship Dependency Track project dropped support for SPDX because it doesn't support PackageURL information for third party packages.

I discussed this topic also in CycloneDX and Dependency Track communities and it looks like this issue limits people to use Conan at the moment which has less available packages compared to VCPKG.

So I believe support for CycloneDX SBOM specification is a relevant request that should be evaluated.

[tsteenbe]

@aganariman Have to correct you again as SPDX does support PackageUrl for a while see https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/ section F.3.5 purl.

[ulfllorenz]

Having done this right now: You are aware that the transformation SPDX => CycloneDX for the minimum data elements can be done with < 50 lines of Python code? Having done this myself recently, if this drives the decision between Conan and vcpkg, you should not set your hopes too high for an automated solution.

This might be relevant for the priority. For the PackageURL specification, that is indeed an obstacle. CPEs are so difficult to use that they are basically broken, so PURL would be a way to make vulnerability search doable with reasonable effort.

[github-actions[bot]]

This is an automated message. Per our repo policy, stale issues get closed if there has been no activity in the past 180 days. The issue will be automatically closed in 14 days. If you wish to keep this issue open, please add a new comment.