Struggles with making SBOMs for C apps
H.2213 | Day 2 | 12:40 - 13:00 | Speakers: Chris Swan
Abstract
Making SBOMs for modern languages is easy: point a tool at the lock file, crank the handle, and you are almost done (apart from all that pesky NTIA stuff). But C presents challenges, as there is no widely used package manager to serve up lock files, and many tools over-promise and under-deliver. This talk will run through various attempts to create SBOMs for a C project, and why the tools proved inadequate. It will also take a brief look at projects like Yocto, where getting SBOMs for C code is working.
Speakers
Chris Swan
Links
- sbomify guest post "The C conundrum - generating SBOMs when there's no lockfile"
- NoPorts repo where SBOMs are generated for Dart and Python, but not yet C
- Yocto project - Creating a Software Bill of Materials
- Trivy - the scanner that's used in sbomify to generate SBOMs from lock files
- Syft - A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems
- Conan, software package manager for C and C++ developers
- sbomify GitHub Action
- Video recording (AV1/WebM) - 90.9 MB
- Video recording (MP4) - 376.5 MB
- Video recording subtitle file (VTT)
