| 1 | +--- |
| 2 | +layout: post |
| 3 | +comments: false |
| 4 | +title: "What’s Your C/C++ Code Made Of? The Importance of the Software Bill of Materials" |
| 5 | +meta_title: "Native use of CycloneDX SBOMs in your C/C++ projects" |
| 6 | +description: "Discover the importance of SBOMs for your software and learn how to easily generate them using Conan" |
| 7 | +keywords: "C++, C, CRA, SBOM, SBOMs, CycloneDX, SPDX, Cybersecurity" |
| 8 | +--- |
| 9 | + |
| 10 | +In today’s world, software is woven into almost every aspect of our lives, making security a fundamental priority. This |
| 11 | +is where the Software Bill of Materials (SBOM) comes into play! Think of the SBOM as an ingredient list for software. |
| 12 | +Just as we want to know what’s in our food, we also need to be aware of what components are used in our applications. |
| 13 | +An **SBOM provides a detailed list of all the components and libraries that make up a piece of software**, allowing |
| 14 | +organizations to identify vulnerabilities and manage risks more effectively. |
| 15 | + |
| 16 | +As organizations prepare for the implementation of Cybersecurity Risk Assessment (CRA) frameworks, having an SBOM in |
| 17 | +place becomes even more crucial. Recently, a [European initiative](https://www.european-cyber-resilience-act.com/) has been launched to enhance the security and |
| 18 | +transparency of software components across the continent. The CRA emphasizes the importance of understanding and |
| 19 | +managing the security of software components, making SBOMs a key asset in this effort. |
| 20 | + |
| 21 | +To align with this initiative, organizations are encouraged to **adopt standards such as CycloneDX 1.4, or SPDX 2.3 or |
| 22 | +greater** for generating their SBOMs. These standards provide comprehensive guidelines for representing and sharing |
| 23 | +software component information effectively. With an SBOM, not only does transparency improve, but security is also |
| 24 | +strengthened by enabling quick responses to potential threats. Organizations that proactively embrace SBOMs will be |
| 25 | +better positioned to comply with CRA requirements and enhance their overall security posture. |
| 26 | + |
| 27 | +## Is there a standard for SBOM? |
| 28 | + |
| 29 | +As the need for a Software Bill of Materials has become more evident, several standards have emerged to help |
| 30 | +organizations implement it effectively. Here are some of the most commonly used: |
| 31 | + |
| 32 | +* **CycloneDX**: This is a lightweight and highly interoperable [SBOM standard](https://cyclonedx.org/docs/1.4/json/) that |
| 33 | +focuses on software security and integrity. It is designed to be readable by both humans and machines, using JSON or |
| 34 | +XML. This makes it particularly useful in the context of DevSecOps, as it allows for continuous integration and |
| 35 | +vulnerability management. |
| 36 | + |
| 37 | +* **SPDX** (Software Package Data Exchange): This open standard facilitates the exchange of information about software |
| 38 | +licenses and components. It enables organizations to effectively document the libraries and dependencies used in their |
| 39 | +projects, serving as a valuable tool for risk management. |
| 40 | + |
| 41 | +## Can Conan generate the SBOM with my dependencies? |
| 42 | + |
| 43 | +Yes, Conan can indeed generate a Software Bill of Materials (SBOM) and can do it using **CycloneDX 1.4 natively**. Conan provides a `conan.tools.sbom` set of tools that makes SBOM creation easy. These tools can be used |
| 44 | +in recipes, custom commands, deployers, or hooks. |
| 45 | +Let’s make an example using a [`post_package` hook](https://docs.conan.io/2/reference/extensions/hooks.html), here is the code: |
| 46 | + |
| 47 | +```python |
| 48 | +import json |
| 49 | +import os |
| 50 | +from conan.api.output import ConanOutput |
| 51 | +from conan.tools.sbom import cyclonedx_1_4 |
| 52 | + |
| 53 | +def post_package(conanfile, **kwargs): |
| 54 | + sbom_cyclonedx_1_4 = cyclonedx_1_4(conanfile.subgraph) |
| 55 | + metadata_folder = conanfile.package_metadata_folder |
| 56 | + file_name = "sbom.cdx.json" |
| 57 | + with open(os.path.join(metadata_folder, file_name), 'w') as f: |
| 58 | + json.dump(sbom_cyclonedx_1_4, f, indent=4) |
| 59 | + ConanOutput().success(f"CYCLONEDX CREATED - {conanfile.package_metadata_folder}") |
| 60 | +``` |
| 61 | + |
| 62 | +The hook calculates the subgraph using `conanfile.subgraph` and gives it to our new `cyclonedx_1_4` function, which returns |
| 63 | +the SBOM in JSON format. So, we just have to save this content in a new file. We will put it inside the package metadata folder, |
| 64 | +this is what you want if you want to upload it to your server for future analysis, by using the metadata feature of Conan (See our previous [metadata blogpost here](https://blog.conan.io/2023/10/24/Conan-launches-metadata-files.html) to learn how to use the feature). |
| 65 | +This hook launches on `post_package`, it is perfect for generating our SBOM after every `conan create`. Here you can see |
| 66 | +an example of an `openssl` SBOM created with `Conan`: |
| 67 | + |
| 68 | +```javascript |
| 69 | +{ |
| 70 | + "components": [ |
| 71 | + { |
| 72 | + "author": "Conan", |
| 73 | + "bom-ref": "pkg:conan/openssl@3.0.15?rref=05e3fb00d6d340c1c241a7347f0a9ec9", |
| 74 | + "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols", |
| 75 | + "externalReferences": [{"type": "website","url": "https://github.com/openssl/openssl"}], |
| 76 | + "licenses": [{"license": {"id": "Apache-2.0"}}], |
| 77 | + "name": "openssl", |
| 78 | + "purl": "pkg:conan/openssl@3.0.15", |
| 79 | + "type": "library", |
| 80 | + "version": "3.0.15" |
| 81 | + }, |
| 82 | + { |
| 83 | + "author": "Conan", |
| 84 | + "bom-ref": "pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2", |
| 85 | + "description": "A Massively Spiffy Yet Delicately Unobtrusive Compression Library (Also Free, Not to Mention Unencumbered by Patents)", |
| 86 | + "externalReferences": [{"type": "website", "url": "https://zlib.net"}], |
| 87 | + "licenses": [{"license": {"id": "Zlib"}}], |
| 88 | + "name": "zlib", |
| 89 | + "purl": "pkg:conan/zlib@1.3.1", |
| 90 | + "type": "library", |
| 91 | + "version": "1.3.1" |
| 92 | + } |
| 93 | + ], |
| 94 | + "dependencies": [ |
| 95 | + { |
| 96 | + "ref": "pkg:conan/openssl@3.0.15?rref=05e3fb00d6d340c1c241a7347f0a9ec9", |
| 97 | + "dependsOn": ["pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2"] |
| 98 | + }, |
| 99 | + { |
| 100 | + "ref": "pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2" |
| 101 | + } |
| 102 | + ], |
| 103 | + "metadata": { |
| 104 | + "component": { |
| 105 | + "author": "Conan", |
| 106 | + "bom-ref": "pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2", |
| 107 | + "name": "openssl/3.0.15: [HOOK - hook_sbom_cyclone.py] post_package()", |
| 108 | + "type": "library" |
| 109 | + }, |
| 110 | + "timestamp": "2025-02-04T10:52:09Z", |
| 111 | + "tools": [ |
| 112 | + { |
| 113 | + "externalReferences": [{"type": "website","url": "https://github.com/conan-io/conan"}], |
| 114 | + "name": "Conan-io" |
| 115 | + } |
| 116 | + ] |
| 117 | + }, |
| 118 | + "serialNumber": "urn:uuid:8ea61ad3-b6e2-44aa-97e3-f9614d670306", |
| 119 | + "bomFormat": "CycloneDX", |
| 120 | + "specVersion": "1.4", |
| 121 | + "version": 1 |
| 122 | +} |
| 123 | +``` |
| 124 | + |
| 125 | +As you can see, this standard simplifies the understanding of our software dependencies. |
| 126 | + |
| 127 | +## I need a custom SBOM for my software. Can Conan help me? |
| 128 | + |
| 129 | +Yes, Conan can certainly help you create a custom SBOM for your software! With the introduction of the new `subgraph` |
| 130 | +attribute in conanfiles, Conan provides a straightforward way to programmatically retrieve the dependencies of every individual |
| 131 | +package in a dependency graph. |
| 132 | + |
| 133 | +Using this `subgraph` property, you can access the complete dependency subgraph of the current package, which is essential for |
| 134 | +generating an accurate SBOM. The `subgraph` property includes a `serialize()` method that allows you to directly output its |
| 135 | +contents, making the process both efficient and easy. |
| 136 | + |
| 137 | +Here you can see an easy example of a hook using the `serialize()` method. Also, we save the SBOM in the package metadata folder |
| 138 | +to upload it to the server and keep it safe for future analysis. |
| 139 | + |
| 140 | +```python |
| 141 | +import json |
| 142 | +import os |
| 143 | +from conan.api.output import ConanOutput |
| 144 | + |
| 145 | +def post_package(conanfile, **kwargs): |
| 146 | + metadata_folder = conanfile.package_metadata_folder |
| 147 | + file_name = "sbom.conan.json" |
| 148 | + with open(os.path.join(metadata_folder, file_name), 'w') as f: |
| 149 | + json.dump(conanfile.subgraph.serialize(), f, indent=2) |
| 150 | + ConanOutput().success(f"CONAN SBOM CREATED - {conanfile.package_metadata_folder}") |
| 151 | +``` |
| 152 | + |
| 153 | +By leveraging this interface, you can customize your SBOM according to your specific requirements, ensuring that it |
| 154 | +includes all relevant data related to your dependencies. This capability not only enhances the transparency of your |
| 155 | +software supply chain, but also aids in better vulnerability management and compliance. |
| 156 | + |
| 157 | +## Conclusion |
| 158 | + |
| 159 | +SBOMs are becoming increasingly significant in the evolving landscape of software development. As vulnerabilities become |
| 160 | +more prevalent and regulatory requirements tighten, **SBOMs will be essential for enhancing transparency**, security, |
| 161 | +and compliance across the software supply chain. |
| 162 | + |
| 163 | +To prepare for this future, organizations must adopt SBOM practices proactively. This includes integrating SBOM |
| 164 | +generation and management into development workflows. By doing so, companies can swiftly identify and address security |
| 165 | +risks associated with their software dependencies. |
| 166 | + |
| 167 | +For C and C++ projects, Conan can help generate SBOMs that follow standards such as CycloneDX 1.4. Based on user feedback, other built-in |
| 168 | +formats will be prioritized. Please let us know about this or any other questions at our [GitHub webpage](https://github.com/conan-io/conan/issues). |
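Review bot: The expansion of CRA as "Cybersecurity Risk Assessment" in the second paragraph does not match the regulation the link points to: `https://www.european-cyber-resilience-act.com/` is the EU Cyber Resilience Act, which is the initiative this post ties CycloneDX 1.4 / SPDX 2.3 adoption to, so `As organizations prepare for the implementation of Cybersecurity Risk Assessment (CRA) frameworks` should read "Cyber Resilience Act (CRA)". In the sample SBOM further down, the root `metadata.component` carries `"bom-ref": "pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2"` while its `name` is `openssl/3.0.15: [HOOK - hook_sbom_cyclone.py] post_package()`, so the root component references zlib rather than the openssl package that was built; the example should be regenerated (and the cause checked) before publishing, since a reader validating the document would flag that mismatch. That same sample is fenced as ```javascript where ```json is the accurate tag. Minor: both hooks log the metadata folder in their success message, whereas `os.path.join(metadata_folder, file_name)` is the path a user would actually want to see.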