Add support for CMake as a package manager

[sschuberth]

Check whether cmake-file-api is suitable for gathering the necessary meta-data.

See here for a related question on StackOverflow.

[tsteenbe]

Maybe we should have a look how https://github.com/swinslow/cmake-spdx for ideas how to implement this. See also this related talk https://fosdem.org/2021/schedule/event/automating_creation_of_spdx_sbom/

[sschuberth]

@tsteenbe pointed out a new tool that we might be able to use here, https://github.com/trailofbits/it-depends, quote:

Support for C/C++ projects (both autootools and cmake)

[oliver]

I'd be interested in an analyzer for CMake projects as well.

The paper at https://arxiv.org/pdf/2209.02575.pdf claims that "CCScanner" (https://github.com/lkpsg/ccscanner) also supports scanning CMakeLists.txt files. So maybe that is another candidate for a tool that could be used here.

[sschuberth]

CCScanner indeed seems to support a bunch of extractors for build systems we're interested in, like Bazel, BUCK, build2 and Vcpkg. However, the implementation seems to (partly) rely on regex-matching and thus probably is a bit fragile.

[tsteenbe]

If you want to use ORT with CMake project we recommend to use ORT helper CLI to generate an ORT analyzer file from package flat-list as was introduced in bcaddf4#diff-41c5b84b6d482e514d89dc61e0b0b2a0e8ba236f9a63054c5f862db269cc0af7.

Example file can be found here helper-cli/src/funTest/assets/package-list.yml and to generate ORT analyzer file use ort/helper-cli/build/install/orth/bin/orth create-analyzer-result-from-package-list --package-list-file package-list.yml --ort-file analyzer.json.

See also the slides of the "Producing SBOMs for CMAKE projects using ORT's standard workflow" presentation from EPAM (@fviernau) and Zeiss at the ORT Community Days 2024

[sschuberth]

Closed as part of backlog grooming. Feel free to comment if you would like to contribute to this.