Struggles with making SBOMs for C apps
- Track: Software Bill of Materials (SBOM)
- Room: H.2213
- Day: Sunday
- Start: 12:40
- End: 13:00
Making SBOMs for modern languages is easy: point a tool at the lock file, crank the handle, and you're almost done (apart from all that pesky NTIA minimum-elements stuff). C presents challenges: there's no widely used package manager to serve up lock files, and many tools over-promise and under-deliver. This talk will run through various attempts to create SBOMs for a C project, and why the tools proved inadequate. It will also take a brief look at projects like Yocto, where generating SBOMs for C code is working.
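To make the lockfile-versus-C gap concrete, here is an added example (not code from the talk, sbomify, or NoPorts) that does the "point a tool at the lock file" step by hand and then attempts the same for a C project. It assumes the lock file is a pinned pip requirements.txt and that the C project is described only by a Makefile whose -l link flags are the sole machine-readable hint of its dependencies; both inputs are constructed inline. The CycloneDX component shape and the NTIA field check are simplified for illustration.

```python
"""Added example: lockfile-based SBOM components vs. best-effort C components.

Assumptions (not from the original page): a pinned requirements.txt stands in
for "a lock file", and a Makefile's -l flags stand in for "a C project".
"""
import re

# Constructed sample input: a lockfile-style file with exact pins.
REQUIREMENTS_TXT = """\
requests==2.31.0
urllib3==2.2.1
# a comment line the parser must skip
certifi==2024.2.2
"""

# Constructed sample input: a Makefile for a C program linking system libs.
MAKEFILE = """\
CC = gcc
CFLAGS = -O2 -Wall
LDLIBS = -lssl -lcrypto -lz -lpthread

noports: main.o net.o
\t$(CC) $(CFLAGS) -o $@ $^ $(LDLIBS)
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([A-Za-z0-9_.+-]+)\s*$")
LDLIB_RE = re.compile(r"-l([A-Za-z0-9_+.-]+)")


def components_from_requirements(text):
    """Every pinned line yields a fully identified component with a purl:
    name, version and a unique identifier all come straight from the file."""
    comps = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        comps.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:pypi/{name}@{version}",
        })
    return comps


def components_from_makefile(text):
    """Best effort for C: recover library *names* from -l flags.

    There is no version, no purl and no checksum to recover, because the
    build system never recorded them. Note the names are linker names, not
    package names (ssl and crypto are both OpenSSL; pthread is part of libc),
    so even the name is ambiguous.
    """
    names = []
    for m in LDLIB_RE.finditer(text):
        n = m.group(1)
        if n not in names:
            names.append(n)
    return [{"type": "library", "name": n, "version": None, "purl": None}
            for n in names]


def ntia_minimum_gaps(components):
    """Count components missing a version or a unique identifier, two of the
    NTIA minimum elements (the full list also covers supplier, relationships,
    SBOM author and timestamp, which are out of scope here)."""
    return sum(1 for c in components if not c["version"] or not c["purl"])


def build_bom(components):
    """Wrap components in a minimal CycloneDX-shaped document."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": components}


if __name__ == "__main__":
    for label, comps in (("lockfile", components_from_requirements(REQUIREMENTS_TXT)),
                         ("C/Makefile", components_from_makefile(MAKEFILE))):
        bom = build_bom(comps)
        print(f"{label}: {len(bom['components'])} components, "
              f"{ntia_minimum_gaps(comps)} fail the version/identifier check")
```

Running it shows the asymmetry the talk is about: the lockfile yields complete components with zero gaps, while the Makefile yields four names and four gaps, and nothing short of a package manager (Conan) or a build system that tracks sources and recipes (Yocto's SPDX generation) can fill them in.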
Speakers
Chris Swan
Links
- sbomify guest post "The C conundrum - generating SBOMs when there's no lockfile"
- NoPorts repo where SBOMs are generated for Dart and Python, but not yet C
- Yocto project - Creating a Software Bill of Materials
- Trivy - the scanner that's used in sbomify to generate SBOMs from lock files
- Syft - A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems
- Conan, software package manager for C and C++ developers
- sbomify GitHub Action