
Add CycloneDX SBOM generation

Open seffradev opened this issue 8 months ago • 1 comment

Is your feature request related to a problem? Please describe.

Cybersecurity issues appear more and more frequently. As part of addressing these issues, proper documentation of the software supply chain provides a better overview of possible security concerns. The OWASP Foundation and Ecma International propose a specification format called CycloneDX, which is a framework for standardizing documentation of the software supply chain through a Software Bill of Materials (SBOM).

Now, Xmake can't on its own provide a full SBOM, but it already contains valuable information about our projects and their dependencies, which can be collected, and by adding functions for additional metadata it can assist in generating huge chunks of the expected details in a bill of materials. In the future, additional tools describing other parts of the SBOM could integrate with this feature to provide a fuller SBOM.

Describe the solution you'd like

I would like a command that generates a CycloneDX-compliant SBOM of a selected target, or all targets, through a singular command, e.g. xmake sbom which defaults to the default target, xmake sbom -t <target> and xmake sbom --all.

If additional specifications for the format of the SBOM would be preferred, I'd suggest extending the sbom command with a --specification=<specification> option (-s for short), where cyclonedx would be one of the possible specifications (and maybe spdx for SPDX support).

Since CycloneDX also has specifications in XML and Protobuf formats, an additional option --format=<format> (-f for short) (where JSON may be default) could be provided.

Describe alternatives you've considered

I list below the alternatives I've been recommended to check out and what features I deem are missing. I may be wrong with some details, so please correct me.

Xmake features:

  • [x] Full package dependency listing for entire project (xmake show -l packages)
  • [x] Singular target shows direct dependencies (xmake show -t <target>)
  • [ ] Singular target should show transitive dependencies (dependencies of dependencies)
  • [ ] Project and target dependency lists should be printable in JSON format (in my opinion, in accordance with the CycloneDX specification)

Additional context

The European Union has introduced the Cyber Resilience Act, which aims to improve the transparency of software vulnerabilities and puts cybersecurity (primarily for consumers that use software) as a priority. This puts requirements on software manufacturers throughout the entire software supply chain. While the act will come into full effect by December 2027, the EU has conformance steps where one part is to provide an SBOM by September 2026.

seffradev, Apr 22 '25 09:04

I don't know about SBOM, and I don't know how it is related to the build system. You can use a task to write a custom plugin, xmake sbom, to generate the information you need.

waruqi, Apr 23 '25 06:04
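The reply above points to a custom task as the way to get this today. What follows is an added illustration written for this page, not code from the xmake project or from either participant: a plugin task named sbom that walks the selected targets, follows add_deps transitively (the unchecked "transitive dependencies" item in the list above), records each target's add_packages entries, and writes a minimal CycloneDX 1.5 JSON document with components and a dependencies graph. It assumes that the xmake APIs project.targets(), project.target(), target:deps(), target:kind(), target:get("packages"), target:get("version"), table.wrap and json.encode behave as their names suggest. Two simplifications are deliberate: package versions are not resolved (only names are recorded), and with neither -t nor --all given it describes all targets rather than the default target the request asks for.

```lua
-- plugins/sbom/xmake.lua (added example; the plugin path is a constructed assumption)
-- Registers `xmake sbom` as a plugin task that emits a CycloneDX 1.5 JSON SBOM.
task("sbom")
    set_category("plugin")

    on_run(function ()
        import("core.base.option")
        import("core.base.json")
        import("core.project.config")
        import("core.project.project")

        -- Load the cached configuration so that targets and packages resolve.
        config.load()

        -- Pick the root targets: -t <target>, --all, or (simplification) every target.
        local roots = {}
        local name = option.get("target")
        if name and not option.get("all") then
            local target = project.target(name)
            assert(target, "unknown target: " .. name)
            table.insert(roots, target)
        else
            for _, target in pairs(project.targets()) do
                table.insert(roots, target)
            end
        end

        -- Depth-first walk over add_deps so transitive target dependencies are
        -- listed too, not only the direct ones that `xmake show -t` prints.
        local seen, ordered = {}, {}
        local function visit(target)
            if seen[target:name()] then return end
            seen[target:name()] = true
            for _, dep in pairs(target:deps() or {}) do
                visit(dep)
            end
            table.insert(ordered, target)
        end
        for _, target in ipairs(roots) do visit(target) end

        -- Build CycloneDX components and the dependency graph. Targets and
        -- packages get distinct bom-ref prefixes so the refs cannot collide.
        local components, dependencies, pkgrefs = {}, {}, {}
        for _, target in ipairs(ordered) do
            local ref = "target:" .. target:name()
            table.insert(components, {
                ["bom-ref"] = ref,
                type = (target:kind() == "binary") and "application" or "library",
                name = target:name(),
                version = target:get("version") or "unversioned",  -- from set_version, if any
            })
            local dependson = {}
            for _, dep in pairs(target:deps() or {}) do
                table.insert(dependson, "target:" .. dep:name())
            end
            -- add_packages entries become library components; versions are
            -- intentionally not resolved in this example.
            for _, pkgname in ipairs(table.wrap(target:get("packages"))) do
                local pref = "package:" .. pkgname
                if not pkgrefs[pref] then
                    pkgrefs[pref] = true
                    table.insert(components, {["bom-ref"] = pref, type = "library", name = pkgname})
                end
                table.insert(dependson, pref)
            end
            local entry = {ref = ref}
            if #dependson > 0 then entry.dependsOn = dependson end  -- omit empty lists
            table.insert(dependencies, entry)
        end

        local bom = {
            bomFormat    = "CycloneDX",
            specVersion  = "1.5",
            version      = 1,
            metadata     = {timestamp = os.date("!%Y-%m-%dT%H:%M:%SZ")},
            components   = components,
            dependencies = dependencies,
        }
        local outputfile = option.get("output")
        io.writefile(outputfile, json.encode(bom))
        cprint("${bright}SBOM written to %s (%d components)", outputfile, #components)
    end)

    set_menu {
        usage = "xmake sbom [options]",
        description = "Generate a CycloneDX SBOM for the project (added example, not built in).",
        options = {
            {'t', "target", "kv", nil,             "Describe this target and its transitive deps."},
            {'a', "all",    "k",  nil,             "Describe every target in the project."},
            {'o', "output", "kv", "sbom.cdx.json", "Output file."},
        }
    }
```

Drop the file under plugins/sbom/ in the project, add add_plugindirs("plugins") to the root xmake.lua, then run xmake sbom -t <target> or xmake sbom --all. The --specification and --format switches from the request are not modelled; the natural extension point is the bom table, which is the only place the CycloneDX shape is assumed.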