Last November I wrote about The C conundrum as there’s so much C code that needs SBOMs, but there was no straightforward way to generate them.
Conan got a mention, but at the time wasn’t working as hoped.
Thankfully things have improved since then, which means that Conan provides a viable route to generating SBOMs for C (and C++) projects.
The most crucial change is that SBOM generation tools like Aqua’s Trivy can now generate reasonable output from Conan lock files. That in turn means that sbomify can use a conan.lock file in the same way it would use a lock file for any other package manager.
The Conan documentation and tutorial have improved dramatically, which makes it much easier to get started.
It’s relatively straightforward to ‘bolt on’ a conanfile.py to a project and use it to describe dependencies. A conan.lock can then be generated and used as the basis of an SBOM. The only problem is that any change to the project’s dependencies has to be (manually) mirrored in conanfile.py and the lock file regenerated, otherwise the SBOM drifts away from what is actually being built.
A more integrated approach means going all in on Conan, and using it to generate configuration and build descriptions like CMakeLists.txt.
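To make the ‘lock file as SBOM input’ step concrete, here is an added example (not code from the original post, nor from Conan, Trivy or sbomify) that parses a Conan 2 conan.lock and turns each pinned requirement into a CycloneDX-style component. It assumes the Conan 2 lock layout: a JSON document with `version` `"0.5"` and `requires`, `build_requires` and `python_requires` lists whose entries look like `name/version#recipe_revision%timestamp`. The sample lock file, its revision hashes and timestamps are constructed for illustration, and the `rrev` purl qualifier and the exact JSON emitted are this example’s choices, not Trivy’s output.

```python
"""Turn a Conan 2 conan.lock into a minimal CycloneDX-style component list.

Added example, not code from the original post, Conan, Trivy or sbomify.
Assumed lock format (Conan 2): {"version": "0.5", "requires": [...],
"build_requires": [...], "python_requires": [...]} with entries of the
form "name/version#rrev%timestamp".
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample conan.lock; hashes and timestamps are made up.
SAMPLE_LOCK = r'''
{
  "version": "0.5",
  "requires": [
    "zlib/1.3.1#aaaa0000bbbb1111cccc2222dddd3333%1739102264.6",
    "openssl/3.2.1#1234567890abcdef1234567890abcdef%1739102300.1",
    "fmt/10.2.1"
  ],
  "build_requires": [
    "cmake/3.27.1#fedcba0987654321fedcba0987654321%1739102100.0"
  ],
  "python_requires": []
}
'''

# name/version, optional #recipe-revision, optional %timestamp
_REF = re.compile(
    r"^(?P<name>[^/#%]+)/(?P<version>[^#%]+)"
    r"(?:#(?P<rrev>[0-9a-f]+))?(?:%(?P<ts>[0-9.]+))?$"
)


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    rrev: Optional[str]
    scope: str  # CycloneDX scope: "required" (runtime) or "optional" (build/python)

    @property
    def purl(self) -> str:
        # Package URL, conan type; recipe revision carried as a qualifier
        # (assumed layout for this example).
        base = f"pkg:conan/{self.name}@{self.version}"
        return f"{base}?rrev={self.rrev}" if self.rrev else base


def parse_ref(ref: str, scope: str) -> Component:
    """Split one lock entry into name, version and recipe revision."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unrecognised Conan reference: {ref!r}")
    return Component(m["name"], m["version"], m["rrev"], scope)


def parse_lock(text: str) -> List[Component]:
    """Parse a Conan 2 lock file; refuse formats this example does not understand."""
    data = json.loads(text)
    if data.get("version") != "0.5":
        raise ValueError(f"unexpected lock version {data.get('version')!r}")
    comps: List[Component] = []
    comps += [parse_ref(r, "required") for r in data.get("requires", [])]
    comps += [parse_ref(r, "optional") for r in data.get("build_requires", [])]
    comps += [parse_ref(r, "optional") for r in data.get("python_requires", [])]
    return comps


def unpinned(comps: List[Component]) -> List[Component]:
    """Entries with no recipe revision: name/version alone does not fix the recipe built."""
    return [c for c in comps if c.rrev is None]


def to_cyclonedx(comps: List[Component]) -> dict:
    """Minimal CycloneDX 1.5 document; illustrative shape, not Trivy's exact output."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": c.name, "version": c.version,
             "purl": c.purl, "scope": c.scope}
            for c in comps
        ],
    }


if __name__ == "__main__":
    components = parse_lock(SAMPLE_LOCK)
    for c in unpinned(components):
        print(f"warning: {c.name}/{c.version} has no recipe revision")
    print(json.dumps(to_cyclonedx(components), indent=2))
```

The `unpinned` check is the part worth keeping in a real pipeline: an entry without a recipe revision tells a consumer which version was asked for, but not exactly which recipe was built, so the SBOM is weaker than it looks. In the actual bolt-on workflow the lock file comes from `conan lock create .` in the project directory and Trivy is pointed at the tree with `trivy fs --format cyclonedx --output sbom.cdx.json .`; neither tool is exercised by the example above.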
Conan is very capable and flexible, and an easy win for a green field project. But the 6.5 billion lines of open source C out there are testament to a huge brown field problem. There’s been huge investment in the existing config and build systems for those projects, encapsulated in CMake, GNU Autotools, and many other systems. Refactoring those projects into Conan will require deep understanding of the existing tool chain, and how Conan generates builds.
We might wish for an AI magic wand to make the transition easy, but it seems to be a task that’s beyond the present generation of coding assistants.
As regulatory pressure from the EU Cyber Resilience Act (CRA) and other mandates mounts there’s going to be increasing interest in getting SBOMs for C code. Conan can be used as a ‘bolt on’ workaround, and with increased adoption and familiarity may become the de facto way of doing things, at least for everything that lies outside of other package ecosystems like Yocto and Zephyr.
This is a guest post from Chris Swan, an advisor at sbomify and an Engineer at Atsign who are an early adopter of sbomify.