Enhancing Swift’s Supply Chain Security: Build-time SBOM Generation in Swift Package Manager

UD2.208 (Decroly) | Day 2 | 16:00 - 16:30 | Speakers: Ev Cheng, Sam Khouri

Abstract

A Software Bill of Materials (SBOM) provides a detailed inventory of software components in an artifact. SBOMs allow developers to improve the supply chain security of their Swift projects by analyzing direct and transitive dependencies for vulnerabilities. Currently, Swift Package Manager (SwiftPM) lacks built-in SBOM support, and developers must rely on third-party tools that can under- or over-represent package dependencies in a project, leading to a lack of critical information or too much noise.

This talk focuses on an in-development feature to integrate SBOM generation directly into the Swift toolchain. Once integrated, developers will be able to produce industry-standard CycloneDX or SPDX SBOMs as part of their build, without additional configuration. We will delve into the design, in which SwiftPM uses the resolved modules graph to generate accurate SBOMs that capture both package and product dependencies, and optionally incorporates the SwiftBuild build system’s build graph to align the SBOM with build-time conditions.
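To make the design concrete, here is an added illustration (not code from SwiftPM or the speakers) of the core idea: walk the resolved graph from the root product, collapse product-level edges to package-level edges, and emit a CycloneDX document listing only the packages actually reached. The graph, package identities, versions and locations below are constructed sample data; the shape of SwiftPM's real in-memory graph is an assumption here.

```python
import json
from collections import deque

# Constructed resolved graph (not SwiftPM's real data structures): each
# package lists its products, and each product the products it depends on.
GRAPH = {
    "app": {"root": True, "products": {"App": ["ArgumentParser", "NIO"]}},
    "swift-argument-parser": {"version": "1.2.3",
        "location": "https://github.com/apple/swift-argument-parser.git",
        "products": {"ArgumentParser": []}},
    "swift-nio": {"version": "2.62.0",
        "location": "https://github.com/apple/swift-nio.git",
        "products": {"NIO": ["Atomics"], "NIOHTTP1": ["NIO"]}},
    "swift-atomics": {"version": "1.2.0",
        "location": "https://github.com/apple/swift-atomics.git",
        "products": {"Atomics": []}},
    "swift-log": {"version": "1.5.0",  # resolved, but nothing in App uses it
        "location": "https://github.com/apple/swift-log.git",
        "products": {"Logging": []}},
}

def purl(pkg):
    # Package URL "swift" type: pkg:swift/<host>/<owner>/<repo>@<version>
    path = pkg["location"].split("://", 1)[1].removesuffix(".git")
    return f"pkg:swift/{path}@{pkg['version']}"

def walk(graph, root_product):
    """Follow product->product edges from the root product and collapse them to
    package->package edges. Unreached packages (swift-log above) are dropped,
    which avoids the over-representation the abstract warns about."""
    owner = {p: ident for ident, pkg in graph.items() for p in pkg["products"]}
    seen, edges, queue = set(), {}, deque([root_product])
    while queue:
        prod = queue.popleft()
        if prod in seen:
            continue
        seen.add(prod)
        src = owner[prod]
        edges.setdefault(src, set())
        for dep in graph[src]["products"][prod]:
            if owner[dep] != src:  # product edge inside one package: no new pkg
                edges[src].add(owner[dep])
            queue.append(dep)
    return edges  # keys are exactly the reachable packages

def cyclonedx(graph, root_ident, root_product):
    edges = walk(graph, root_product)
    comps = [{"type": "library", "bom-ref": i, "name": i,
              "version": graph[i]["version"], "purl": purl(graph[i])}
             for i in sorted(edges) if i != root_ident]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application",
                                       "bom-ref": root_ident, "name": root_ident}},
            "components": comps,
            "dependencies": [{"ref": i, "dependsOn": sorted(edges[i])}
                             for i in sorted(edges)]}
```

Calling `json.dumps(cyclonedx(GRAPH, "app", "App"), indent=2)` prints the document; a real implementation would also carry hashes and the build graph the talk describes.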

Listeners will be introduced to the basics of SwiftPM, learn more about the upcoming SBOM generation design that leverages SwiftPM’s existing graph structures, and have the opportunity to provide feedback before the feature is released.


Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found here. Changes made to the image: the image was cropped to a new ratio, so part of it was cut off.