Software Bill of Materials in vcpkg
vcpkg generates a Software Bill of Materials (SBOM) based on the Software Package Data Exchange (SPDX) specification. It tracks important information used to build a package, such as source origin, and aims to provide package consumers with software transparency and integrity. See this blog post about SBOM and SPDX for more information.
vcpkg generates a SPDX file containing the SBOM information for each package that is installed. The files are located in `<installed_dir>/<triplet>/share/<package name>/vcpkg.spdx.json`. The installation directory depends on whether vcpkg is running in manifest mode or classic mode. Since a package can have different dependencies depending on the target platform, the generated files are separated by triplet as well.
The following fields generated by vcpkg may appear in your SBOM depending on how your package is built.
Refers to the name of the document. This field contains the package name, triplet and version, followed by the ABI hash used to identify the package.
SPDX Reference: Document name field

Refers to the creator of the document, vcpkg. The creators field contains vcpkg followed by the version.
SPDX Reference: Creator field

Contains information about the relationships between vcpkg SPDX elements. SPDXRef-port refers to the port, SPDXRef-file-N refers to each file in the port, including the portfile.cmake, and SPDXRef-binary refers to the binary package. In vcpkg, the binary package is generated by the port.
SPDX Reference: Relationships field

Refers to each package generated by vcpkg. SPDXRef-port refers to the port, SPDXRef-binary refers to the binary package, and SPDXRef-resource refers to any sources used in vcpkg's portfile. vcpkg heuristically generates source information from the portfile.cmake by parsing vcpkg_from_github, vcpkg_from_git, vcpkg_download_distfile and vcpkg_from_sourceforge calls.
SPDX Reference: Package information

Refers to each of the files in the port. It contains a relative path to the file and a checksum.
SPDX Reference: File information
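A consumer-side check of the fields described above, added here as an example that is not part of the vcpkg documentation or of vcpkg itself: it recomputes the checksums recorded under `files` against the port directory (so an edited portfile.cmake no longer matches the SBOM) and lists the download locations of the SPDXRef-resource packages. The SBOM is constructed inline in the shape of vcpkg.spdx.json (SPDX 2.x JSON with `packages`, `files` and `relationships` arrays); the port name, version, ABI hash, resource ID suffix and download locations are assumed values, not taken from a real port.

```python
import hashlib
import tempfile
from pathlib import Path

PORTFILE_SRC = "vcpkg_from_github(REPO example/lib REF v1.0 SHA512 0)\n"  # constructed sample

def build_sample_sbom(port_dir: Path) -> dict:
    """Write the sample portfile and return a constructed SBOM shaped like vcpkg.spdx.json."""
    portfile = port_dir / "portfile.cmake"
    portfile.write_text(PORTFILE_SRC)
    digest = hashlib.sha256(portfile.read_bytes()).hexdigest()
    return {
        "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
        "name": "examplelib:x64-linux@1.0 0123456789abcdef",  # name, triplet, version, ABI hash (assumed)
        "relationships": [{"spdxElementId": "SPDXRef-port", "relationshipType": "GENERATES",
                           "relatedSpdxElement": "SPDXRef-binary"}],
        "packages": [
            {"name": "examplelib", "SPDXID": "SPDXRef-port", "downloadLocation": "NOASSERTION"},
            {"name": "examplelib:x64-linux", "SPDXID": "SPDXRef-binary", "downloadLocation": "NONE"},
            {"name": "example/lib", "SPDXID": "SPDXRef-resource-1",
             "downloadLocation": "git+https://github.com/example/lib@v1.0"}],
        "files": [{"fileName": "./portfile.cmake", "SPDXID": "SPDXRef-file-0",
                   "checksums": [{"algorithm": "SHA256", "checksumValue": digest}]}],
    }

def verify_port_files(sbom: dict, port_dir: Path) -> dict:
    """Recompute every checksum listed under 'files'; True means the file still matches the SBOM."""
    results = {}
    for entry in sbom["files"]:
        data = (port_dir / entry["fileName"]).read_bytes()
        results[entry["fileName"]] = all(
            hashlib.new(c["algorithm"].lower(), data).hexdigest() == c["checksumValue"].lower()
            for c in entry["checksums"])
    return results

def source_origins(sbom: dict) -> list:
    """(SPDXID, downloadLocation) for each SPDXRef-resource-* package, i.e. the upstream sources."""
    return [(p["SPDXID"], p["downloadLocation"]) for p in sbom["packages"]
            if p["SPDXID"].startswith("SPDXRef-resource")]

def demo() -> tuple:
    """Verify an intact port, then the same port after its portfile was edited post-build."""
    with tempfile.TemporaryDirectory() as tmp:
        port_dir = Path(tmp)
        sbom = build_sample_sbom(port_dir)
        intact = verify_port_files(sbom, port_dir)
        (port_dir / "portfile.cmake").write_text(PORTFILE_SRC + "# edited after build\n")
        tampered = verify_port_files(sbom, port_dir)
    return intact, tampered, source_origins(sbom)
```

Running `verify_port_files` against the real `ports/<name>` directory that produced an installed package catches drift between the SBOM and the port files on disk; `source_origins` gives the upstream locations to cross-check against an allow-list.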
vcpkg does not support the CycloneDX SBOM format out of the box. We recommend using the CycloneDX CLI tool to convert the SPDX JSON files generated by vcpkg to the CycloneDX format.
For example:

```sh
cyclonedx convert --input-file vcpkg.spdx.json --input-format spdxjson --output-format json --output-file <file>
```

Some vcpkg dependency information may be lost during conversion. Refer to the [CycloneDX documentation](https://github.com/CycloneDX/cyclonedx-cli?tab=readme-ov-file#spdx-format) for more details.