Software Bill of Materials in vcpkg
vcpkg generates a Software Bill of Materials (SBOM) based on the Software Package Data Exchange (SPDX) specification. It tracks important information used to build a package, such as source origin, and aims to provide package consumers with software transparency and integrity. See this blog post about SBOM and SPDX for more information.
vcpkg generates an SPDX file containing the SBOM information for each package that is installed. The files are located in <installed_dir>/<triplet>/share/<package name>/vcpkg.spdx.json. The installation directory depends on whether vcpkg is running in manifest mode or classic mode. Since a package can have different dependencies depending on the target platform, the generated files are separated by triplet as well.
vcpkg-specific fields
The following fields generated by vcpkg may appear in your SBOM, depending on how your package is built.
name
Refers to the name of the document. This field contains the package name, triplet, and version, followed by the ABI hash used to identify the package.
SPDX Reference: Document name field
creationInfo
Refers to the creator of the document, vcpkg. The creators field contains vcpkg followed by the version.
SPDX Reference: Creator field
relationships
Contains information about the relationships between vcpkg SPDX elements. SPDXRef-port refers to the port, SPDXRef-file-N refers to each file in the port including the portfile.cmake, and SPDXRef-binary refers to the binary package. In vcpkg, the binary package is generated by the port.
SPDX Reference: Relationships field
packages
Refers to each package generated by vcpkg. SPDXRef-port refers to the port, SPDXRef-binary refers to the binary package, and SPDXRef-resource refers to any sources used in vcpkg's portfile. vcpkg heuristically generates source information from the portfile.cmake by parsing vcpkg_from_github, vcpkg_from_git, vcpkg_download_distfile and vcpkg_from_sourceforge calls.
SPDX Reference: Package information
files
Refers to each of the files in the port. It contains a relative path to the file and a checksum.
SPDX Reference: File information
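The fields above are what a consumer actually uses an SBOM for: confirming who produced the document, which upstream sources fed the build, and whether the port files on disk still match the checksums that were recorded. The following script is an added example, not vcpkg's own code or output. It builds a constructed SPDX 2.x JSON document with the name, creationInfo, relationships, packages and files sections the page describes (the separators inside the document name, the placeholder ABI hash, the example-port name and the example.com download location are assumptions), records SPDXRef-file-N entries for a directory, verifies them against the disk, and shows the verification catching a modified and a deleted file.

```python
"""Inspect and verify a vcpkg-style SPDX SBOM (vcpkg.spdx.json layout).

Added example: the SBOM below is constructed to follow the SPDX 2.x JSON layout
described on the page; names, URLs and the ABI hash are placeholders.
"""
import hashlib
import json
import os
import tempfile

# Constructed document. The " <ABI hash>" suffix in "name" is an assumption about
# how the package name, triplet, version and ABI hash are joined.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-port:x64-linux@1.2.3 " + "0" * 64,
    "creationInfo": {
        "creators": ["Tool: vcpkg-<placeholder-version>"],
        "created": "2024-01-01T00:00:00Z",
    },
    "relationships": [
        {"spdxElementId": "SPDXRef-port", "relationshipType": "GENERATES",
         "relatedSpdxElement": "SPDXRef-binary"},
        {"spdxElementId": "SPDXRef-port", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-0"},
        {"spdxElementId": "SPDXRef-port", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-1"},
    ],
    "packages": [
        {"SPDXID": "SPDXRef-port", "name": "example-port",
         "versionInfo": "1.2.3", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-binary", "name": "example-port:x64-linux",
         "versionInfo": "1.2.3", "downloadLocation": "NONE"},
        # Source origin as vcpkg would derive it from a vcpkg_from_git-style call.
        {"SPDXID": "SPDXRef-resource-1", "name": "example-org/example-port",
         "downloadLocation": "git+https://example.com/example-org/example-port@v1.2.3"},
    ],
    "files": [],  # filled by record_files() in the demo
}


def load_sbom(path):
    """Read a vcpkg.spdx.json from disk."""
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_files(port_dir):
    """Build SPDXRef-file-N entries (relative path + SHA256) for every file in port_dir."""
    entries = []
    for name in sorted(os.listdir(port_dir)):
        path = os.path.join(port_dir, name)
        if not os.path.isfile(path):
            continue
        entries.append({
            "SPDXID": f"SPDXRef-file-{len(entries)}",
            "fileName": "./" + name,
            "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_of(path)}],
        })
    return entries


def verify_files(doc, port_dir):
    """Compare each recorded file checksum with the file on disk.

    Returns {fileName: "ok" | "mismatch" | "missing" | "no-sha256"}.
    """
    result = {}
    for entry in doc["files"]:
        rel = entry["fileName"]
        path = os.path.join(port_dir, rel[2:] if rel.startswith("./") else rel)
        expected = {c["algorithm"]: c["checksumValue"].lower() for c in entry["checksums"]}
        if "SHA256" not in expected:
            result[rel] = "no-sha256"
        elif not os.path.isfile(path):
            result[rel] = "missing"
        elif sha256_of(path) == expected["SHA256"]:
            result[rel] = "ok"
        else:
            result[rel] = "mismatch"
    return result


def source_origins(doc):
    """Upstream sources vcpkg recorded as SPDXRef-resource packages."""
    return [(p["SPDXID"], p["name"], p["downloadLocation"])
            for p in doc["packages"] if p["SPDXID"].startswith("SPDXRef-resource")]


def relationship_lines(doc):
    """Human-readable 'A RELATIONSHIP B' lines from the relationships section."""
    return [f'{r["spdxElementId"]} {r["relationshipType"]} {r["relatedSpdxElement"]}'
            for r in doc["relationships"]]


def document_summary(doc):
    """Split the document name into package identity and ABI hash; report creators."""
    package, _, abi_hash = doc["name"].rpartition(" ")
    return {"package": package, "abi_hash": abi_hash,
            "creators": list(doc["creationInfo"]["creators"])}


def demo():
    """Record a constructed port directory, verify it, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as port_dir:
        with open(os.path.join(port_dir, "portfile.cmake"), "w") as f:
            f.write("vcpkg_from_github(OUT_SOURCE_PATH SOURCE_PATH "
                    "REPO example-org/example-port REF v1.2.3)\n")
        with open(os.path.join(port_dir, "vcpkg.json"), "w") as f:
            f.write('{"name": "example-port", "version": "1.2.3"}\n')
        doc = dict(SAMPLE_SBOM, files=record_files(port_dir))
        before = verify_files(doc, port_dir)
        # Simulate drift after the SBOM was written: one file edited, one removed.
        with open(os.path.join(port_dir, "portfile.cmake"), "a") as f:
            f.write("# edited after the SBOM was written\n")
        os.remove(os.path.join(port_dir, "vcpkg.json"))
        after = verify_files(doc, port_dir)
        return before, after


if __name__ == "__main__":
    print(document_summary(SAMPLE_SBOM))
    print(source_origins(SAMPLE_SBOM))
    print("\n".join(relationship_lines(SAMPLE_SBOM)))
    print(demo())
```

To run this against a real installation, replace SAMPLE_SBOM with load_sbom("<installed_dir>/<triplet>/share/<package name>/vcpkg.spdx.json") and point verify_files at the matching port directory; a "mismatch" or "missing" result means the installed port files no longer correspond to what the SBOM recorded.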