vcpkg generates a Software Bill of Materials (SBOM) based on the Software Package Data Exchange (SPDX) specification. It tracks important information used to build a package, such as source origin, and aims to provide package consumers with software transparency and integrity. See this blog post about SBOM and SPDX for more information.
vcpkg generates an SPDX file containing the SBOM information for each package that is installed. The files are located in `<installed_dir>/<triplet>/share/<package name>/vcpkg.spdx.json`. The installation directory depends on whether vcpkg is running in manifest mode or classic mode. Since a package can have different dependencies depending on the target platform, the generated files are separated by triplet as well.
vcpkg-specific fields
The following fields generated by vcpkg may appear in your SBOM depending on how your package is built.
name
Refers to the name of the document. This field contains the package name, triplet and version, followed by the ABI hash used to identify the package.
SPDX Reference: Document name field
creationInfo
Refers to the creator of the document, vcpkg. The creators field contains vcpkg followed by the version.
SPDX Reference: Creator field
relationships
Contains information about the relationship between vcpkg SPDX elements. SPDXRef-port refers to the port, SPDXRef-file-N refers to each file in the port (including the portfile.cmake), and SPDXRef-binary refers to the binary package. In vcpkg, the binary package is generated by the port.
SPDX Reference: Relationships field
packages
Refers to each package generated by vcpkg. SPDXRef-port refers to the port, SPDXRef-binary refers to the binary package, and SPDXRef-resource refers to any sources used in vcpkg's portfile. vcpkg heuristically generates source information from the portfile.cmake by parsing vcpkg_from_github, vcpkg_from_git, vcpkg_download_distfile and vcpkg_from_sourceforge calls.
SPDX Reference: Package information
files
Refers to each of the files in the port. It contains a relative path to the file and a checksum.
SPDX Reference: File information
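The fields above are what a consumer of the SBOM actually uses: the SPDXRef-resource packages answer "where did the source come from", the relationships tie the port, its files and the binary together, and the per-file checksums let you confirm that the port tree you are looking at is the one the binary was built from. The following script is an added example (not vcpkg's own code) that loads such a document, lists the source origins, walks the relationships of an element, and recomputes every listed file checksum against a port directory. The embedded SPDX document and port files are constructed for the example; the `./`-relative `fileName` values, the relationship types and the package names are assumptions about vcpkg's output based on the SPDX 2.2 JSON schema, and the `example/lib` repository, `v1.2.3` tag and ABI hash are hypothetical.

```python
"""Parse a vcpkg-style SPDX 2.2 JSON SBOM, list source origins, inspect
relationships and verify recorded file checksums against a port tree.

Added example, not vcpkg's own code. SAMPLE_SPDX is constructed to follow
the element layout described in the vcpkg documentation (SPDXRef-port,
SPDXRef-binary, SPDXRef-resource-N, SPDXRef-file-N); exact keys are assumed
from the SPDX 2.2 JSON schema and all values are illustrative.
"""
import hashlib
import json
import os
import tempfile

# Constructed port contents; the file checksums in SAMPLE_SPDX are derived
# from these bytes so the document and the tree agree by construction.
PORT_FILES = {
    "./portfile.cmake": (
        b"vcpkg_from_github(OUT_SOURCE_PATH SOURCE_PATH "
        b"REPO example/lib REF v1.2.3)\n"
    ),
    "./vcpkg.json": b'{ "name": "example-lib", "version": "1.2.3" }\n',
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    # name = package:triplet@version followed by the ABI hash (hypothetical hash)
    "name": "example-lib:x64-linux@1.2.3 1a2b3c4d5e6f",
    "creationInfo": {"creators": ["Tool: vcpkg-2024-01-01"],
                     "created": "2024-01-01T00:00:00Z"},
    "packages": [
        {"name": "example-lib", "SPDXID": "SPDXRef-port",
         "versionInfo": "1.2.3", "downloadLocation": "NOASSERTION"},
        {"name": "example-lib:x64-linux", "SPDXID": "SPDXRef-binary",
         "versionInfo": "1a2b3c4d5e6f", "downloadLocation": "NONE"},
        # Source origin inferred from the vcpkg_from_github() call (hypothetical repo)
        {"name": "example/lib", "SPDXID": "SPDXRef-resource-1",
         "versionInfo": "v1.2.3",
         "downloadLocation": "git+https://github.com/example/lib@v1.2.3"},
    ],
    "files": [
        {"fileName": path, "SPDXID": f"SPDXRef-file-{i}",
         "checksums": [{"algorithm": "SHA256", "checksumValue": _sha256(body)}]}
        for i, (path, body) in enumerate(PORT_FILES.items())
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-port"},
        {"spdxElementId": "SPDXRef-port", "relationshipType": "GENERATES",
         "relatedSpdxElement": "SPDXRef-binary"},
        {"spdxElementId": "SPDXRef-port", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-0"},
        {"spdxElementId": "SPDXRef-port", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-1"},
    ],
}


def load_sbom(path: str) -> dict:
    """Load a vcpkg.spdx.json from disk (e.g. installed/<triplet>/share/<pkg>/)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def source_origins(doc: dict) -> list:
    """(name, downloadLocation) for every SPDXRef-resource* package, i.e. the
    upstream sources vcpkg inferred from the portfile."""
    return [(p["name"], p["downloadLocation"]) for p in doc["packages"]
            if p["SPDXID"].startswith("SPDXRef-resource")]


def related(doc: dict, spdx_id: str) -> list:
    """Sorted (relationshipType, relatedSpdxElement) pairs whose subject is spdx_id."""
    return sorted((r["relationshipType"], r["relatedSpdxElement"])
                  for r in doc["relationships"] if r["spdxElementId"] == spdx_id)


def verify_files(doc: dict, port_dir: str) -> dict:
    """Recompute each listed file's checksum from disk and compare it with the
    SBOM. Returns {fileName: bool}; a missing or unreadable file counts as False."""
    results = {}
    for entry in doc["files"]:
        try:
            with open(os.path.join(port_dir, entry["fileName"]), "rb") as fh:
                data = fh.read()
        except OSError:
            results[entry["fileName"]] = False
            continue
        ok = True
        for chk in entry["checksums"]:
            algo = chk["algorithm"].replace("-", "").lower()  # "SHA256" -> "sha256"
            ok = ok and hashlib.new(algo, data).hexdigest() == chk["checksumValue"].lower()
        results[entry["fileName"]] = ok
    return results


def run_demo() -> tuple:
    """Write the constructed port tree, verify it, then append a line to the
    portfile (simulating a modified build step) and verify again."""
    with tempfile.TemporaryDirectory() as port_dir:
        for rel, body in PORT_FILES.items():
            with open(os.path.join(port_dir, rel), "wb") as fh:
                fh.write(body)
        clean = verify_files(SAMPLE_SPDX, port_dir)
        with open(os.path.join(port_dir, "portfile.cmake"), "ab") as fh:
            fh.write(b"# injected step\n")
        tampered = verify_files(SAMPLE_SPDX, port_dir)
    return clean, tampered


if __name__ == "__main__":
    print("sources:", source_origins(SAMPLE_SPDX))
    print("port relationships:", related(SAMPLE_SPDX, "SPDXRef-port"))
    print("clean / tampered:", run_demo())
```

Against a real installation, call `load_sbom` on `<installed_dir>/<triplet>/share/<package name>/vcpkg.spdx.json` and `verify_files` with the matching port directory; a `False` for any file means the port tree differs from what the recorded binary was built from, and an empty `source_origins` result usually means the portfile obtained its sources in a way the heuristics do not recognise, so the origin must be checked by hand.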
CycloneDX support
vcpkg does not support the CycloneDX SBOM format out of the box. We recommend using the CycloneDX CLI tool to convert the SPDX JSON files generated by vcpkg to the CycloneDX format.
For example:
cyclonedx convert --input-file vcpkg.spdx.json --input-format spdxjson --output-format json --output-file <file>
Some vcpkg dependency information may be lost during conversion. Refer to the CycloneDX documentation for more details.