From ee0698e92ff26122f57973643bba2444c83f362f Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:22:08 +0100 Subject: [PATCH 01/21] Create 2025-02-05-What-is-your-code-made-of-sboms.markdown --- ...5-What-is-your-code-made-of-sboms.markdown | 169 ++++++++++++++++++ 1 file changed, 169 insertions(+) create mode 100644 _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown new file mode 100644 index 00000000..fcc70e58 --- /dev/null +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -0,0 +1,169 @@ +--- +layout: post +comments: false +title: "What’s Your C/C++ Code Made Of? The Importance of Software Bill of Materials" +meta_title: "Native use of CycloneDX SBOMs on you C/C++ projects" +description: "Discover the importance of SBOMs for your software and learn how to easily generate them using Conan" +keywords: "C++, C, CRA, SBOM, SBOMs, CycloneDX, SPDX, Cybersecurity" +--- + +In today’s world, software is woven into almost every aspect of our lives, making security a fundamental priority. This +is where the Software Bill of Materials (SBOM) comes into play! Think of the SBOM as an ingredient list for software. +Just as we want to know what’s in our food, we also need to be aware of what components are used in our applications. +An **SBOM provides a detailed list of all the components and libraries that make up a piece of software**, allowing +organizations to identify vulnerabilities and manage risks more effectively. + +As organizations prepare for the implementation of Cybersecurity Risk Assessment (CRA) frameworks, having an SBOM in +place becomes even more crucial. Recently, a European initiative has been launched to enhance the security and +transparency of software components across the continent. The CRA emphasizes the importance of understanding and +managing the security of software components, making SBOMs a key asset in this effort. + +To align with this initiative, organizations are encouraged to **adopt standards such as CycloneDX 1.4 or SPDX 2.3 or +greater** for generating their SBOMs. These standards provide comprehensive guidelines for representing and sharing +software component information effectively. With an SBOM, not only does transparency improve, but security is also +strengthened by enabling quick responses to potential threats. Organizations that proactively embrace SBOMs will be +better positioned to comply with CRA requirements and enhance their overall security posture. + +## Is there a standard for SBOM? 
+ +As the need for a Software Bill of Materials has become more evident, several standards have emerged to help +organizations implement it effectively. Here are some of the most commonly used: + +* **CycloneDX**: This is a lightweight and highly interoperable [SBOM standard](https://cyclonedx.org/docs/1.4/json/) that +focuses on software security and integrity. It is designed to be readable by both humans and machines, using JSON or +XML. This makes it particularly useful in the context of DevSecOps, as it allows for continuous integration and +vulnerability management. + +* **SPDX** (Software Package Data Exchange): This open standard facilitates the exchange of information about software +licenses and components. It enables organizations to effectively document the libraries and dependencies used in their +projects, serving as a valuable tool for risk management. + +## Can conan generate the SBOM with my dependencies? + +Yes, Conan can indeed generate a Software Bill of Materials (SBOM) and can do it using **CycloneDX 1.4 natively**. Conan +tools feature a `from conan.tools.sbom` set of tools that allows the creation of SBOMs easily. These tools can be used +in recipes, custom commands, deployers, or hooks. +Let’s make an example using a hook, here is the code: + +```python +import json +import os +from conan.api.output import ConanOutput +from conan.tools.sbom import cyclonedx_1_4 + +def post_package(conanfile, **kwargs): + sbom_cyclonedx_1_4 = cyclonedx_1_4(conanfile.subgraph) + metadata_folder = conanfile.package_metadata_folder + file_name = "sbom.cdx.json" + with open(os.path.join(metadata_folder, file_name), 'w') as f: + json.dump(sbom_cyclonedx_1_4, f, indent=4) + ConanOutput().success(f"CYCLONEDX CREATED - {conanfile.package_metadata_folder}") +``` + +The hook calculates the subgraph using `conanfile.subgraph` and gives it to our new `cyclonedx_1_4` function. It returns +the SBOM in JSON format. So, we just have to save this content in a new file. 
We will put it inside the metadata folder, +this is what you want if you want to upload it to your server for future analysis. +This hook launches on `post_package`, it is perfect for generating our SBOM after every `conan create`. Here you can see +an example of a `openssl` SBOM created with `Conan`: + +```javascript +{ + "components": [ + { + "author": "Conan", + "bom-ref": "pkg:conan/openssl@3.0.15?rref=05e3fb00d6d340c1c241a7347f0a9ec9", + "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols", + "externalReferences": [{"type": "website","url": "https://github.com/openssl/openssl"}], + "licenses": [{"license": {"id": "Apache-2.0"}}], + "name": "openssl", + "purl": "pkg:conan/openssl@3.0.15", + "type": "library", + "version": "3.0.15" + }, + { + "author": "Conan", + "bom-ref": "pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2", + "description": "A Massively Spiffy Yet Delicately Unobtrusive Compression Library (Also Free, Not to Mention Unencumbered by Patents)", + "externalReferences": [{"type": "website", "url": "https://zlib.net"}], + "licenses": [{"license": {"id": "Zlib"}}], + "name": "zlib", + "purl": "pkg:conan/zlib@1.3.1", + "type": "library", + "version": "1.3.1" + } + ], + "dependencies": [ + { + "ref": "pkg:conan/openssl@3.0.15?rref=05e3fb00d6d340c1c241a7347f0a9ec9", + "dependsOn": ["pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2"] + }, + { + "ref": "pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2" + } + ], + "metadata": { + "component": { + "author": "Conan", + "bom-ref": "pkg:conan/zlib@1.3.1?rref=f52e03ae3d251dec704634230cd806a2", + "name": "openssl/3.0.15: [HOOK - hook_sbom_cyclone.py] post_package()", + "type": "library" + }, + "timestamp": "2025-02-04T10:52:09Z", + "tools": [ + { + "externalReferences": [{"type": "website","url": "https://github.com/conan-io/conan"}], + "name": "Conan-io" + } + ] + }, + "serialNumber": 
"urn:uuid:8ea61ad3-b6e2-44aa-97e3-f9614d670306", + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "version": 1 +} +``` + +As you can see, this standard simplifies understanding our software's dependencies. + +## I need a custom SBOM for my software. Can Conan help me? + +Yes, Conan can certainly help you create a custom SBOM for your software! With the introduction of the new `subgraph` +interface, Conan provides a straightforward way to programmatically retrieve the dependencies of every individual +package in a dependency graph. + +Using this `subgraph` , you can access the complete dependency subgraph of the current package, which is essential for +generating an accurate SBOM. The `subgraph` features a `serialize()` method that allows you to directly output its +contents, making the process both efficient and easy. + +Here you can see an easy example of a hook using the `serialize()` method. Also, we save the SBOM in the metadata folder +to upload it to the server and keep it safe for future analysis. + +```python +import json +import os +from conan.api.output import ConanOutput + +def post_package(conanfile, **kwargs): + metadata_folder = conanfile.package_metadata_folder + file_name = "sbom.conan.json" + with open(os.path.join(metadata_folder, file_name), 'w') as f: + json.dump(conanfile.subgraph.serialize(), f, indent=2) + ConanOutput().success(f"CONAN SBOM CREATED - {conanfile.package_metadata_folder}") +``` + +By leveraging this interface, you can customize your SBOM according to your specific requirements, ensuring that it +includes all relevant data related to your dependencies. This capability not only enhances the transparency of your +software supply chain but also aids in better vulnerability management and compliance. + +## Conclusion + +SBOMs will become increasingly significant in the evolving landscape of software development. 
As vulnerabilities become +more prevalent and regulatory requirements tighten, **SBOMs will be essential for enhancing transparency**, security, +and compliance across the software supply chain. + +To prepare for this future, organizations must adopt SBOM practices proactively. This includes integrating SBOM +generation and management into development workflows. By doing so, companies can swiftly identify and address security +risks associated with their software dependencies. + +For C and C++ projects, Conan can help generate SBOMs such as CycloneDX 1.4. Based on user feedback, other built-in +formats will be prioritized. Please let us know about this or any other questions at our [GitHub webpage](https://github.com/conan-io/conan/issues). From 49a65e939b160d108214b5615317ec2b2d5c310b Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:48:45 +0100 Subject: [PATCH 02/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index fcc70e58..3df333c5 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -18,7 +18,7 @@ place becomes even more crucial. Recently, a European initiative has been launch transparency of software components across the continent. The CRA emphasizes the importance of understanding and managing the security of software components, making SBOMs a key asset in this effort. -To align with this initiative, organizations are encouraged to **adopt standards such as CycloneDX 1.4 or SPDX 2.3 or +To align with this initiative, organizations are encouraged to **adopt standards such as CycloneDX 1.4, or SPDX 2.3 or greater** for generating their SBOMs. These standards provide comprehensive guidelines for representing and sharing software component information effectively. With an SBOM, not only does transparency improve, but security is also strengthened by enabling quick responses to potential threats. Organizations that proactively embrace SBOMs will be From ed7e20ed9a262b5c14b7e540f785584184b9030d Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:49:43 +0100 Subject: [PATCH 03/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 3df333c5..1e22a666 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -38,7 +38,7 @@ vulnerability management. licenses and components. It enables organizations to effectively document the libraries and dependencies used in their projects, serving as a valuable tool for risk management. -## Can conan generate the SBOM with my dependencies? +## Can Conan generate the SBOM with my dependencies? Yes, Conan can indeed generate a Software Bill of Materials (SBOM) and can do it using **CycloneDX 1.4 natively**. Conan tools feature a `from conan.tools.sbom` set of tools that allows the creation of SBOMs easily. These tools can be used From 24fdcc253f539a979b52ab5a39db1b1bc849d18c Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:49:56 +0100 Subject: [PATCH 04/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 1e22a666..eb5a385f 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -60,7 +60,7 @@ def post_package(conanfile, **kwargs): ConanOutput().success(f"CYCLONEDX CREATED - {conanfile.package_metadata_folder}") ``` -The hook calculates the subgraph using `conanfile.subgraph` and gives it to our new `cyclonedx_1_4` function. It returns +The hook calculates the subgraph using `conanfile.subgraph` and gives it to our new `cyclonedx_1_4` function, which returns the SBOM in JSON format. So, we just have to save this content in a new file. We will put it inside the metadata folder, this is what you want if you want to upload it to your server for future analysis. This hook launches on `post_package`, it is perfect for generating our SBOM after every `conan create`. Here you can see From 28f1c2bade5469c166644130b73c311bd50c953a Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:50:11 +0100 Subject: [PATCH 05/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index eb5a385f..dd21c1a2 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -61,7 +61,7 @@ def post_package(conanfile, **kwargs): ``` The hook calculates the subgraph using `conanfile.subgraph` and gives it to our new `cyclonedx_1_4` function, which returns -the SBOM in JSON format. So, we just have to save this content in a new file. We will put it inside the metadata folder, +the SBOM in JSON format. So, we just have to save this content in a new file. We will put it inside the package metadata folder, this is what you want if you want to upload it to your server for future analysis. This hook launches on `post_package`, it is perfect for generating our SBOM after every `conan create`. Here you can see an example of a `openssl` SBOM created with `Conan`: From cce250f39296d5177f75ec90b8f5ca3c866150fe Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:50:32 +0100 Subject: [PATCH 06/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index dd21c1a2..df46e1e1 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -43,7 +43,7 @@ projects, serving as a valuable tool for risk management. Yes, Conan can indeed generate a Software Bill of Materials (SBOM) and can do it using **CycloneDX 1.4 natively**. Conan tools feature a `from conan.tools.sbom` set of tools that allows the creation of SBOMs easily. These tools can be used in recipes, custom commands, deployers, or hooks. -Let’s make an example using a hook, here is the code: +Let’s make an example using a [`post_package` hook](https://docs.conan.io/2/reference/extensions/hooks.html), here is the code: ```python import json From 9b2924a5079c817c5891dca28d1afeadf6dd74e6 Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:51:15 +0100 Subject: [PATCH 07/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index df46e1e1..2d32cd76 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -128,7 +128,7 @@ As you can see, this standard simplifies understanding our software's dependenci ## I need a custom SBOM for my software. Can Conan help me? Yes, Conan can certainly help you create a custom SBOM for your software! With the introduction of the new `subgraph` -interface, Conan provides a straightforward way to programmatically retrieve the dependencies of every individual +attribute in conanfiles, Conan provides a straightforward way to programmatically retrieve the dependencies of every individual package in a dependency graph. Using this `subgraph` , you can access the complete dependency subgraph of the current package, which is essential for From fc195934a7d26f824640134bc360c0c60d5f9bcb Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:55:10 +0100 Subject: [PATCH 08/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 2d32cd76..a9896aeb 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -132,7 +132,7 @@ attribute in conanfiles, Conan provides a straightforward way to programmaticall package in a dependency graph. Using this `subgraph` , you can access the complete dependency subgraph of the current package, which is essential for -generating an accurate SBOM. The `subgraph` features a `serialize()` method that allows you to directly output its +generating an accurate SBOM. The `subgraph` property features a `serialize()` method that allows you to directly output its contents, making the process both efficient and easy. Here you can see an easy example of a hook using the `serialize()` method. Also, we save the SBOM in the metadata folder From 96b47aa03c0e2311d3c956cd51996c7305f6bc15 Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:55:22 +0100 Subject: [PATCH 09/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index a9896aeb..dc35534e 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -135,7 +135,7 @@ Using this `subgraph` , you can access the complete dependency subgraph of the c generating an accurate SBOM. The `subgraph` property features a `serialize()` method that allows you to directly output its contents, making the process both efficient and easy. -Here you can see an easy example of a hook using the `serialize()` method. Also, we save the SBOM in the metadata folder +Here you can see an easy example of a hook using the `serialize()` method. Also, we save the SBOM in the package metadata folder to upload it to the server and keep it safe for future analysis. ```python From 83dada3be731a54e58581e887f3d30c61dbe2ec1 Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:55:30 +0100 Subject: [PATCH 10/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index dc35534e..51d544c6 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -153,7 +153,7 @@ def post_package(conanfile, **kwargs): By leveraging this interface, you can customize your SBOM according to your specific requirements, ensuring that it includes all relevant data related to your dependencies. This capability not only enhances the transparency of your -software supply chain but also aids in better vulnerability management and compliance. +software supply chain, but also aids in better vulnerability management and compliance. ## Conclusion From b158039ab1db6ae4f488ab9a9cf5f5ad0c3608f0 Mon Sep 17 00:00:00 2001 
From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:55:47 +0100 Subject: [PATCH 11/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 51d544c6..851df706 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -165,5 +165,5 @@ To prepare for this future, organizations must adopt SBOM practices proactively. generation and management into development workflows. By doing so, companies can swiftly identify and address security risks associated with their software dependencies. -For C and C++ projects, Conan can help generate SBOMs such as CycloneDX 1.4. Based on user feedback, other built-in +For C and C++ projects, Conan can help generate SBOMs that follow standards such as CycloneDX 1.4. Based on user feedback, other built-in formats will be prioritized. Please let us know about this or any other questions at our [GitHub webpage](https://github.com/conan-io/conan/issues). From 9908dc73ad2ce9ee707008ffc1f320e0b4a8dcff Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:58:31 +0100 Subject: [PATCH 12/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 851df706..6b7f77eb 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
+++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -14,7 +14,7 @@ An **SBOM provides a detailed list of all the components and libraries that make organizations to identify vulnerabilities and manage risks more effectively. As organizations prepare for the implementation of Cybersecurity Risk Assessment (CRA) frameworks, having an SBOM in -place becomes even more crucial. Recently, a European initiative has been launched to enhance the security and +place becomes even more crucial. Recently, a [European initiative](https://www.european-cyber-resilience-act.com/) has been launched to enhance the security and transparency of software components across the continent. The CRA emphasizes the importance of understanding and managing the security of software components, making SBOMs a key asset in this effort. From d67d97896b3bf80a0fb09b6ae4ccef67ccc83029 Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:58:48 +0100 Subject: [PATCH 13/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 6b7f77eb..8cae7bfb 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -64,7 +64,7 @@ The hook calculates the subgraph using `conanfile.subgraph` and gives it to our the SBOM in JSON format. So, we just have to save this content in a new file. We will put it inside the package metadata folder, this is what you want if you want to upload it to your server for future analysis. This hook launches on `post_package`, it is perfect for generating our SBOM after every `conan create`. Here you can see -an example of a `openssl` SBOM created with `Conan`: +an example of an `openssl` SBOM created with `Conan`: ```javascript { From bf2088ad8d6e41b0a15d836915581d6351e04ebc Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:59:12 +0100 Subject: [PATCH 14/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 8cae7bfb..893ecd55 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -62,7 +62,7 @@ def post_package(conanfile, **kwargs): The hook calculates the subgraph using `conanfile.subgraph` and gives it to our new `cyclonedx_1_4` function, which returns the SBOM in JSON format. So, we just have to save this content in a new file. We will put it inside the package metadata folder, -this is what you want if you want to upload it to your server for future analysis. +this is what you want if you want to upload it to your server for future analysis, by using the metadata feature of Conan (See our previous [metadata blogpost here](https://blog.conan.io/2023/10/24/Conan-launches-metadata-files.html) to learn how to use the feature). This hook launches on `post_package`, it is perfect for generating our SBOM after every `conan create`. Here you can see an example of an `openssl` SBOM created with `Conan`: From 6898687074915787035715a62b67c8b4c1cca084 Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:59:22 +0100 Subject: [PATCH 15/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 893ecd55..10ec08a7 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -123,7 +123,7 @@ an example of an `openssl` SBOM created with `Conan`: } ``` -As you can see, this standard simplifies understanding our software's dependencies. +As you can see, this standard simplifies the understanding of our software dependencies. ## I need a custom SBOM for my software. Can Conan help me? 
From f877bed4f3206af64734e8d56e4e3ac4ecf998eb Mon Sep 17 00:00:00 2001 From: Ernesto de Gracia Herranz Date: Wed, 5 Feb 2025 12:59:31 +0100 Subject: [PATCH 16/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Abril Rincón Blanco <5364255+AbrilRBS@users.noreply.github.com> --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 10ec08a7..ec947204 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -131,7 +131,7 @@ Yes, Conan can certainly help you create a custom SBOM for your software! With t attribute in conanfiles, Conan provides a straightforward way to programmatically retrieve the dependencies of every individual package in a dependency graph. -Using this `subgraph` , you can access the complete dependency subgraph of the current package, which is essential for +Using this `subgraph` property, you can access the complete dependency subgraph of the current package, which is essential for generating an accurate SBOM. The `subgraph` property features a `serialize()` method that allows you to directly output its contents, making the process both efficient and easy. From 85605193cedd69260840be97c4d8a321ade1c8d4 Mon Sep 17 00:00:00 2001 From: Carlos Zoido Date: Wed, 5 Feb 2025 13:21:34 +0100 Subject: [PATCH 17/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index ec947204..da15485f 100644 
--- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -1,7 +1,7 @@ --- layout: post comments: false -title: "What’s Your C/C++ Code Made Of? The Importance of Software Bill of Materials" +title: "What’s Your C/C++ Code Made Of? The Importance of the Software Bill of Materials" meta_title: "Native use of CycloneDX SBOMs on you C/C++ projects" description: "Discover the importance of SBOMs for your software and learn how to easily generate them using Conan" keywords: "C++, C, CRA, SBOM, SBOMs, CycloneDX, SPDX, Cybersecurity" From 7c4e96b8da58dafbf328e9f6773a1cc91e7013e9 Mon Sep 17 00:00:00 2001 From: Carlos Zoido Date: Wed, 5 Feb 2025 13:22:11 +0100 Subject: [PATCH 18/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index da15485f..1b0f2dbd 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -2,7 +2,7 @@ layout: post comments: false title: "What’s Your C/C++ Code Made Of? The Importance of the Software Bill of Materials" -meta_title: "Native use of CycloneDX SBOMs on you C/C++ projects" +meta_title: "Native use of CycloneDX SBOMs in your C/C++ projects" description: "Discover the importance of SBOMs for your software and learn how to easily generate them using Conan" keywords: "C++, C, CRA, SBOM, SBOMs, CycloneDX, SPDX, Cybersecurity" --- From 61e525f19ff4bf2b4002940c59f039aeea7e8693 Mon Sep 17 00:00:00 2001 
From: Carlos Zoido Date: Wed, 5 Feb 2025 13:24:35 +0100 Subject: [PATCH 19/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 1b0f2dbd..10077411 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -40,8 +40,7 @@ projects, serving as a valuable tool for risk management. ## Can Conan generate the SBOM with my dependencies? -Yes, Conan can indeed generate a Software Bill of Materials (SBOM) and can do it using **CycloneDX 1.4 natively**. Conan -tools feature a `from conan.tools.sbom` set of tools that allows the creation of SBOMs easily. These tools can be used +Yes, Conan can indeed generate a Software Bill of Materials (SBOM) and can do it using **CycloneDX 1.4 natively**. Conan provides a `conan.tools.sbom` set of tools that makes SBOM creation easy. These tools can be used in recipes, custom commands, deployers, or hooks. Let’s make an example using a [`post_package` hook](https://docs.conan.io/2/reference/extensions/hooks.html), here is the code: From 23f76ede413fed4cad72a6c94a2b05a478d9b208 Mon Sep 17 00:00:00 2001 From: Carlos Zoido Date: Wed, 5 Feb 2025 13:25:28 +0100 Subject: [PATCH 20/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index 10077411..db18396a 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown 
@@ -131,7 +131,7 @@ attribute in conanfiles, Conan provides a straightforward way to programmaticall package in a dependency graph. Using this `subgraph` property, you can access the complete dependency subgraph of the current package, which is essential for -generating an accurate SBOM. The `subgraph` property features a `serialize()` method that allows you to directly output its +generating an accurate SBOM. The `subgraph` property includes a `serialize()` method that allows you to directly output its contents, making the process both efficient and easy. Here you can see an easy example of a hook using the `serialize()` method. Also, we save the SBOM in the package metadata folder From 0a9c462199e22a20588b031f56af65ac4a62df71 Mon Sep 17 00:00:00 2001 From: Carlos Zoido Date: Wed, 5 Feb 2025 13:26:11 +0100 Subject: [PATCH 21/21] Update _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown --- _posts/2025-02-05-What-is-your-code-made-of-sboms.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown index db18396a..fc1375dd 100644 --- a/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown +++ b/_posts/2025-02-05-What-is-your-code-made-of-sboms.markdown @@ -156,7 +156,7 @@ software supply chain, but also aids in better vulnerability management and comp ## Conclusion -SBOMs will become increasingly significant in the evolving landscape of software development. As vulnerabilities become +SBOMs are becoming increasingly significant in the evolving landscape of software development. As vulnerabilities become more prevalent and regulatory requirements tighten, **SBOMs will be essential for enhancing transparency**, security, and compliance across the software supply chain.
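Review bot: In PATCH 16/21 the edited line ("Using this `subgraph` property, you can access the complete dependency subgraph of the current package, which is essential for") now runs past the roughly 120-column wrap the rest of the post uses; moving "which is essential for" down to the following line keeps the source consistent with the surrounding paragraph. The wording change itself is right, and it also removes the stray space before the comma in "`subgraph` ,".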
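Review bot: In PATCH 19/21 the replacement collapses two wrapped lines into one line of roughly 180 characters ("Yes, Conan can indeed generate a Software Bill of Materials (SBOM) ... These tools can be used"); since the file is otherwise wrapped at about 120 columns, that line should be rewrapped before merge, for example breaking after "**CycloneDX 1.4 natively**." The new phrasing "Conan provides a `conan.tools.sbom` set of tools that makes SBOM creation easy" is clearer than the removed "Conan tools feature a `from conan.tools.sbom` set of tools", which mixed an import statement into prose.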
