Using Conan for C SBOMs

Last November I wrote about The C conundrum as there’s so much C code that needs SBOMs, but there was no straightforward way to generate them.

Conan got a mention, but at the time wasn’t working as hoped.

Thankfully things have improved since then, which means that Conan provides a viable route to generating SBOMs for C (and C++) projects.

The most crucial change is that SBOM generation tools like Aqua’s Trivy can now generate reasonable output from Conan lock files. That in turn means that sbomify can use a conan.lock file in the same way it would use a lock file for any other package manager.

The Conan documentation and tutorial have improved dramatically, which makes it much easier to get started.

It’s relatively straightforward to ‘bolt on’ a conanfile.py to a project and use it to describe dependencies. A conan.lock can then be generated and used as the basis of an SBOM. The only problem is that any changes to the project dependencies need to be (manually) updated in the Conan file.

A more integrated approach means going all in on Conan, and using it to generate configuration and build descriptions like CMakeLists.txt. Conan is very capable and flexible, and an easy win for a green field project. But the 6.5 billion lines of open source C out there are testament to a huge brown field problem. There’s been huge investment in the existing config and build systems for those projects, encapsulated in CMake, GNU Autotools, and many other systems. Refactoring those projects into Conan will require deep understanding of the existing tool chain, and how Conan generates builds. We might wish for an AI magic wand to make the transition easy, but it seems to be a task that’s beyond the present generation of coding assistants.

As regulatory pressure from the EU Cyber Resilience Act (CRA) and other mandates mounts there’s going to be increasing interest in getting SBOMs for C stuff. Conan can be used as a ‘bolt on’ workaround, and with increased adoption and familiarity may become the de facto way of doing things. At least for everything that lies outside of other package ecosystems like Yocto and Zephyr.

This is a guest post from Chris Swan, an advisor at sbomify and an Engineer at Atsign who are an early adopter of sbomify.