Generate CycloneDX SBOM file from vcpkg

[aganariman]

---

Is your feature request related to a problem? Please describe.
As described in the "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices" US Whitehouse memorandum (https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf) a Software Bill of Materials (SBOM) may be required by government agencies and must be created according to guidance of CISA.

It would be great if vcpkg development team published a tool to automatically generate SBOM files at build time.

For example, Conan package manager (alternative to the vcpkg) has tools available to automatically generate SBOM files in CycloneDX format: https://github.com/CycloneDX/cyclonedx-conan.
Sonatype OSS Index publishes a database of known vulnerabilities which can be searched based on Conan package URL: https://ossindex.sonatype.org/ecosystem/conan.

Proposed solution

• Implement a tool for CycloneDX SBOM file generation from vcpkg and make it available in the CycloneDX tool center: https://cyclonedx.org/tool-center/.

• Contribute to the PackageURL specification project to ensure that vcpkg is supported: Add support for Microsoft's cross-platform C and C++ package manager, vcpkg package-url/purl-spec#217

• Bonus: Communicate with the Sonatype OSS to support vcpkg in their vulnerability ecosystem.

[autoantwort]

Fyi currently spdx sboms are generated for every package (share/<port>/vcpkg.spdx.json)

[aristotelos]

I've checked the produced vcpkg.spdx.json files and they do not contain:

• External identifiers such as CPE, PackageURL
• The vcpkg dependencies of a port are not listed in any way

So at the moment, there is very limited use for those vcpkg.spdx.json files.

[aganariman]

It seems like SPDX is great for license/IP specific requirements in organizations, but it does not support the majority of security use cases like identifying existing vulnerabilities based on PackageURL. More on this described here: DependencyTrack/dependency-track#1222
So it would be great if CycloneDX format is also considered. Most tools in the open source security ecosystem (like https://dependencytrack.org/) work with this format.

[tsteenbe]

@aganariman DependencyTrack/dependency-track#1222 is out of date - SPDX 2.3 which was released in 2022 does various support security use cases see https://spdx.github.io/spdx-spec/v2.3/how-to-use/.

[aganariman]

Looks like SPDX 2.3 format indeed does have some security support to link to external vulnerability advisories like OSS Index and Github Advisories. But unfortunately the OWASP ecosystem tools rely on CycloneDX SBOM format. For example the OWASP flagship Dependency Track project dropped support for SPDX because it doesn't support PackageURL information for third party packages.

I discussed this topic also in CycloneDX and Dependency Track communities and it looks like this issue limits people to use Conan at the moment which has less available packages compared to VCPKG.

So I believe support for CycloneDX SBOM specification is a relevant request that should be evaluated.

[tsteenbe]

@aganariman Have to correct you again as SPDX does support PackageUrl for a while see https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/ section F.3.5 purl.

[aristotelos]

This is a relevant comment. But vcpkg does unfortunately not fill an external repository identifier when producing the vcpkg.spdx.json file, which makes it impossible to analyze vulnerabilities for vcpkg dependencies automatically.

[aristotelos]

See also #39254

[ulfllorenz]

Having done this right now: You are aware that the transformation SPDX => CycloneDX for the minimum data elements can be done with < 50 lines of Python code? Having done this myself recently, if this drives the decision between Conan and vcpkg, you should not set your hopes too high for an automated solution.

This might be relevant for the priority. For the PackageURL specification, that is indeed an obstacle. CPEs are so difficult to use that they are basically broken, so PURL would be a way to make vulnerability search doable with reasonable effort.

[aristotelos]

The spdx files produced by vcpkg unfortunately do not contain any external identifiers, also no CPEs.

[github-actions[bot]]

This is an automated message. Per our repo policy, stale issues get closed if there has been no activity in the past 180 days. The issue will be automatically closed in 14 days. If you wish to keep this issue open, please add a new comment.

[aristotelos]

See related discussions:

• Add support for Microsoft's cross-platform C and C++ package manager, vcpkg package-url/purl-spec#217
• A purl spec for the C/C++ package manager vcpkg package-url/purl-spec#245
• Propose a PURL specification for vcpkg to use in GitHub dependency graph submission API #32732

Created a draft PR to add PURL: microsoft/vcpkg-tool#1482