Software Bill of Materials (SBOM)
Struggles with making SBOMs for C apps
Making SBOMs for modern languages is easy: point a tool at the lock file, crank the handle, and you're almost done (apart from all that pesky NTIA minimum-elements stuff). C is harder. There is no widely used package manager to serve up lock files, so nothing records which versions of which libraries went into the binary, and many tools over-promise and under-deliver. This talk will run through various attempts to create SBOMs for a C project and explain why each tool proved inadequate. It will also take a brief look at projects like Yocto, where the build system itself knows every recipe it compiled, so generating SBOMs for C code is working.
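To make the "lock file in, SBOM out" point concrete, here is an added example (written for this page, not code from the talk, sbomify or Trivy) that turns pinned lock files into a minimal CycloneDX-style component list and then shows what happens when the same generator is pointed at a Makefile-built C project. The `requirements.txt`, `package-lock.json`, `Makefile` and `main.c` contents are constructed sample input, and the generator name in the metadata is a placeholder; the CycloneDX field names and purl formats are the real ones.

```python
"""Lockfile-driven SBOM generation, and why it comes up empty for C."""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample project trees: {relative path: file contents}
PYTHON_PROJECT = {
    "requirements.txt": "requests==2.31.0\nurllib3==2.0.7\n# pinned by pip freeze\ncertifi==2023.7.22\n",
}
NODE_PROJECT = {
    "package-lock.json": json.dumps({
        "name": "demo", "lockfileVersion": 3,
        "packages": {
            "": {"name": "demo", "version": "1.0.0"},
            "node_modules/lodash": {"version": "4.17.21"},
            "node_modules/@types/node": {"version": "20.8.0"},
        },
    }),
}
# A typical C project: the linker flags name libraries, but nothing records
# which version of OpenSSL or zlib was actually linked.
C_PROJECT = {
    "Makefile": "CFLAGS += $(shell pkg-config --cflags openssl)\nLDLIBS += -lssl -lcrypto -lz\nmain: main.o\n",
    "main.c": "#include <openssl/ssl.h>\n#include <zlib.h>\nint main(void) { return 0; }\n",
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s;#]+)")


def parse_requirements(text):
    """Exact pins (name==version) from a pip-style requirements file."""
    comps = []
    for line in text.splitlines():
        m = PIN_RE.match(line.strip())
        if m:
            name, version = m.group(1).lower(), m.group(2)
            comps.append({"type": "library", "name": name, "version": version,
                          "purl": f"pkg:pypi/{name}@{version}"})
    return comps


def parse_package_lock(text):
    """Components from a v2/v3 package-lock.json ("packages" map)."""
    data = json.loads(text)
    comps = []
    for path, entry in data.get("packages", {}).items():
        if path == "":
            continue  # the root package is the thing being described, not a dependency
        name = path.split("node_modules/")[-1]  # handles nested node_modules
        version = entry["version"]
        # purl requires the '@' of a scoped npm name to be percent-encoded
        comps.append({"type": "library", "name": name, "version": version,
                      "purl": f"pkg:npm/{quote(name, safe='/')}@{version}"})
    return comps


LOCKFILE_PARSERS = {
    "requirements.txt": parse_requirements,
    "package-lock.json": parse_package_lock,
}


def generate_sbom(tree):
    """Build a CycloneDX-shaped document from whatever lock files the tree has."""
    components = []
    for fname, parser in LOCKFILE_PARSERS.items():
        if fname in tree:
            components.extend(parser(tree[fname]))
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(),
                     "authors": [{"name": "example-generator"}]},  # placeholder
        "components": components,
    }


def ntia_gaps(sbom):
    """Per component, which NTIA minimum-element fields are still missing.

    Lock files give name, version and a unique identifier (purl); they say
    nothing about the supplier, so that field is the usual gap.
    """
    gaps = []
    for c in sbom["components"]:
        missing = [f for f in ("supplier", "name", "version", "purl") if not c.get(f)]
        if missing:
            gaps.append((c["name"], missing))
    return gaps


if __name__ == "__main__":
    for label, tree in (("python", PYTHON_PROJECT), ("node", NODE_PROJECT), ("c", C_PROJECT)):
        sbom = generate_sbom(tree)
        print(label, len(sbom["components"]), "components;", "NTIA gaps:", ntia_gaps(sbom))
```

The Python and Node trees yield components with purls straight from the pins, but every one of them lacks a supplier, which is the "pesky NTIA stuff" a lock file alone cannot fill in. The C tree yields no components at all: `-lssl -lcrypto -lz` tells the linker what to find on the build host, and nothing in the source tree records the version it found, which is the gap that build-integrated approaches like Yocto close.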
sbomify guest post "The C conundrum - generating SBOMs when there's no lockfile"
NoPorts repo where SBOMs are generated for Dart and Python, but not yet C
Yocto project - Creating a Software Bill of Materials
Trivy - the scanner that's used in sbomify to generate SBOMs from lock files