SBOMs for Scientific Software: C++

This is the second of a series of posts exploring the feasibility of generating Software Bills of Materials (SBOMs) for complex scientific software.

SBOMs provide a list of the components, libraries, and modules that are required to build a piece of software. The United States 2021 Executive Order on Cybersecurity highlights the role of SBOMs to support risk assessments for newly discovered vulnerabilities.  Further, the U.S. National Institute of Standards and Technology (NIST) released its Secure Software Development Framework, which requires SBOM information to be available for software.

My previous post explored the generation of SBOMs for both simple and complex python software packages.  A variety of tools have recently been developed that can create SBOMs for python software, which are relatively easy to install and apply. Standard python installation tools like pip and poetry capture much of the information needed to formulate SBOMs, so developers may not need to spend much effort to support SBOM generation for their python packages.

Unfortunately, it is currently much more challenging to automatically generate SBOMs for C++ and other compiled languages used in scientific computing. The key difference is that package managers are not widely used to build and install C++ software. Further, current package managers do not uniformly support the generation of SBOMs. Consequently, developers cannot generally assume that tools exist to automate the generation of an SBOM for their C++ library.

So, what can a C++ developer do to support the generation of SBOMs?

First, you can explore the use of a package manager, which naturally provides a context for automating the generation of SBOMs.  Alternatively, you can explore whether your current build system can be extended to generate SBOMs, though probably in a custom manner for each library. I review these options in the following two sections.

C++ Package Managers and SBOM Generation

C++ package managers have been around for decades, and there have been significant improvements in their ability to streamline workflows and reduce the burden of developers for complex software applications. The following package managers are highlighted in a recent review
  • vcpkg
    • This cross-platform C/C++ package manager is integrated into CMake and MSBuild (more here).
    • vcpkg generates a Software Bill of Materials (SBOM) based on the Software Package Data Exchange (SPDX) specification. It tracks information used to build a package, and aims to provide package consumers with software transparency and integrity.
    • See the vcpkg documentation and this microsoft blog post

  • conan
    • This cross-platform C/C++ package manager integrates with build systems like CMake, MSBuild, Makefiles, Meson and SCons.
    • Conan includes a new extension that creates an SBOM in CycloneDX format.

  • Spack
    • Spack supports package management for a variety of languages, including C, C++, Fortran, Python and R.
    • Spack was motivated by challenges associated with software development for parallel scientific computing applications, and it has strong support for configuration of compilers and target architectures.
    • The spack-sbom package provides a draft capability for generating SBOMs. However, this does not appear to be under active development.
A variety of other C++ package managers were included in the review that have no apparent support for SBOM generation:
  • Hunter: A CMake driven cross-platform package manager for C/C++ projects.

  • Xrepo: A cross-platform build system designed for efficiently compiling and managing C, C++, and other programming language projects.

  • Buckaroo: A cross-platform package manager that is tailored for complex C++ applications.

  • CPM: A cross-platform CMake script that adds dependency management capabilities to CMake.
Note that several of these package managers are tailored for CMake projects, so they could exploit the CMake SBOM generation capability.

Automating SBOM Generation in CMake

The cmake-sbom project supports the generation of SBOMs for an arbitrary CMake project. Specifically, this project automates two tasks:
  1. Extracting version information from Git, and pass it to CMake, shell scripts and C/C++; and

  2. Generate a SBOM in SPDX format, based on install artifacts.
This package includes a simple example, where SBOM data is explicitly added for:
  • Build targets

  • Files that include SBOM information
Thus, this project supports the automation of SBOMs for a software project, but developers need to explicitly indicate the information that is included in the SBOMs.

Comments

Post a Comment

Popular posts from this blog

Python Plugin Frameworks

Updated to include pointers to the PyUtilib Component Architecture and PnP. Various Python projects I am working on could benefit from the use of a Plug-in framework.  However, there does not appear to be a standard Python plug-in framework, though there are some mature packages that support plug-ins. Here's a summary of my recent web research: yapsy - This is a simple plug-in framework that was designed specifically to support plug-ins with no external dependencies. Mary Alchin describes a simple plugin framework , with a similar goal.  His classes provide an API for the plugins, with few supporting features (e.g. searching for plugins). AndrĂ© Roberge has a series of posts that describe the application of plugins to refactor a simple calculator application.  The goal of this is to illustrate the requirements for plugin frameworks, with the goal of identifying best practices for plugins. There are some interesting replies to this post, which consider implementations of the
Read more

Using AsciiDoc for Mathematical Publications

Technical writing is an integral part of my research in computer science and operations research. I have a long history using LaTeX, which is very well suited for writing technical articles that contain mathematical equations as well as code snippets. Although LaTeX can readily generate postscript and PDF output files, I have been unimpressed with tools that generate HTML from LaTeX source. Thus, I was intrigued by AsciiDoc , which promises to generate PDF, HTML and eBook formats. AsciiDoc is used to provide online documentation for software projects, and authors can publish book through O'Rielly using this tool. Thus, this is a well-developed document generation tool. I have successfully prototyped a draft book, Getting Started with Coopr , and you can browse the subversion repository for this document here . Note that the Makefile file specifies build targets for PDF, HTML and eBook files. The advantage of AsciiDoc is that you can use a simple markup language to generate
Read more

A Different Model for Writing Blog Posts

This is a blog that I have been meaning to write for some time.   I occasionally take a look at the download statistics for this blog, and recently I was prompted to do this by other bloggers who were reporting their end-of-year statistics (e.g. see Laura McLay’s review of the Punk Rock OR blog ). Unlike Laura, I do not have impressive download statistics to report about the many blogs I have written in 2011; frankly, I did not create many posts. However, an interesting pattern has emerged regarding this blog’s readership:   there are a few key blog posts that are frequently downloaded.   For example, my most frequently downloaded blog post is a survey of Python plugin software, which I wrote in 2009.   I suspect that other bloggers have seen the same thing; they have a few posts that are very popular because people do web searches on that topic.   However, it is worth stepping back and thinking about the implications of this when writing a blog. When I first started b
Read more