SBOMs for Scientific Software: C++

This is the second of a series of posts exploring the feasibility of generating Software Bills of Materials (SBOMs) for complex scientific software.

SBOMs provide a list of the components, libraries, and modules that are required to build a piece of software. The United States 2021 Executive Order on Cybersecurity highlights the role of SBOMs to support risk assessments for newly discovered vulnerabilities.  Further, the U.S. National Institute of Standards and Technology (NIST) released its Secure Software Development Framework, which requires SBOM information to be available for software.

My previous post explored the generation of SBOMs for both simple and complex Python software packages. A variety of tools have recently been developed that can create SBOMs for Python software, and they are relatively easy to install and apply. Standard Python installation tools like pip and poetry capture much of the information needed to formulate SBOMs, so developers may not need to spend much effort to support SBOM generation for their Python packages.

Unfortunately, it is currently much more challenging to automatically generate SBOMs for C++ and other compiled languages used in scientific computing. The key difference is that package managers are not widely used to build and install C++ software. Further, current package managers do not uniformly support the generation of SBOMs. Consequently, developers cannot generally assume that tools exist to automate the generation of an SBOM for their C++ library.

So, what can a C++ developer do to support the generation of SBOMs?

First, you can explore the use of a package manager, which naturally provides a context for automating the generation of SBOMs.  Alternatively, you can explore whether your current build system can be extended to generate SBOMs, though probably in a custom manner for each library. I review these options in the following two sections.

C++ Package Managers and SBOM Generation

C++ package managers have been around for decades, and there have been significant improvements in their ability to streamline workflows and reduce the burden on developers of complex software applications. The following package managers are highlighted in a recent review:
  • vcpkg
    • This cross-platform C/C++ package manager is integrated into CMake and MSBuild.
    • vcpkg generates a Software Bill of Materials (SBOM) based on the Software Package Data Exchange (SPDX) specification. It tracks information used to build a package, and aims to provide package consumers with software transparency and integrity.
    • See the vcpkg documentation and this Microsoft blog post.

  • conan
    • This cross-platform C/C++ package manager integrates with build systems like CMake, MSBuild, Makefiles, Meson and SCons.
    • Conan includes a new extension that creates an SBOM in CycloneDX format.

  • Spack
    • Spack supports package management for a variety of languages, including C, C++, Fortran, Python and R.
    • Spack was motivated by challenges associated with software development for parallel scientific computing applications, and it has strong support for configuration of compilers and target architectures.
    • The spack-sbom package provides a draft capability for generating SBOMs. However, this does not appear to be under active development.
The review also included a variety of other C++ package managers that have no apparent support for SBOM generation:
  • Hunter: A CMake driven cross-platform package manager for C/C++ projects.

  • Xrepo: A cross-platform build system designed for efficiently compiling and managing C, C++, and other programming language projects.

  • Buckaroo: A cross-platform package manager that is tailored for complex C++ applications.

  • CPM: A cross-platform CMake script that adds dependency management capabilities to CMake.
Note that several of these package managers are tailored for CMake projects, so they could exploit the CMake SBOM generation capability.
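
Because vcpkg emits SPDX and Conan emits CycloneDX, a risk assessment across projects has to read both formats. The following sketch is an added example, not code from any of these tools: it assumes both SBOMs are available as JSON, and the sample documents, labels and the "bad version" set are constructed for illustration.

```python
import json

# Constructed sample SBOMs (simplified; real files carry many more fields).
SPDX_JSON = """{"spdxVersion": "SPDX-2.2", "name": "app-a",
  "packages": [{"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.3.1"},
               {"SPDXID": "SPDXRef-fmt", "name": "fmt", "versionInfo": "10.2.1"},
               {"SPDXID": "SPDXRef-hdf5", "name": "hdf5"}]}"""
CYCLONEDX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [{"type": "library", "name": "openssl", "version": "3.2.0",
    "components": [{"type": "library", "name": "zlib", "version": "1.2.13"}]}]}"""


def components(doc):
    """Return {(name, version)} from a parsed SPDX 2.x or CycloneDX JSON SBOM."""
    if doc.get("bomFormat") == "CycloneDX":
        found, stack = set(), list(doc.get("components", []))
        while stack:  # CycloneDX components may nest sub-components
            comp = stack.pop()
            found.add((comp["name"].lower(), comp.get("version", "")))
            stack.extend(comp.get("components", []))
        return found
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return {(pkg["name"].lower(), pkg.get("versionInfo", ""))
                for pkg in doc.get("packages", [])}
    raise ValueError("unrecognized SBOM format")


def assess(sboms, name, bad_versions):
    """Map each SBOM label to 'affected', 'unknown' (no version) or 'clear'."""
    result = {}
    for label, text in sboms.items():
        versions = {v for n, v in components(json.loads(text)) if n == name.lower()}
        if versions & set(bad_versions):
            result[label] = "affected"
        elif "" in versions:
            result[label] = "unknown"  # listed, but cannot be assessed
        else:
            result[label] = "clear"
    return result


if __name__ == "__main__":
    sboms = {"app-a (SPDX)": SPDX_JSON, "app-b (CycloneDX)": CYCLONEDX_JSON}
    print(assess(sboms, "zlib", {"1.2.13"}))  # constructed version set
    print(assess(sboms, "hdf5", {"1.10.0"}))  # constructed version set
```

The "unknown" result matters in practice: a component recorded without a version is in the inventory but cannot be matched against an advisory.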

Automating SBOM Generation in CMake

The cmake-sbom project supports the generation of SBOMs for an arbitrary CMake project. Specifically, this project automates two tasks:
  1. Extracting version information from Git and passing it to CMake, shell scripts and C/C++; and

  2. Generating an SBOM in SPDX format, based on install artifacts.
This package includes a simple example, where SBOM data is explicitly added for:
  • Build targets

  • Files that include SBOM information
Thus, this project supports the automation of SBOMs for a software project, but developers need to explicitly indicate the information that is included in the SBOMs.
