
[spdx] Add installed package files to SPDX SBOM file #1744

2 changes: 0 additions & 2 deletions include/vcpkg/base/contractual-constants.h
Expand Up @@ -125,7 +125,6 @@ namespace vcpkg
// would use in other contexts.
inline constexpr StringLiteral SpdxCCZero = "CC0-1.0";
inline constexpr StringLiteral SpdxChecksumValue = "checksumValue";
inline constexpr StringLiteral SpdxContainedBy = "CONTAINED_BY";
inline constexpr StringLiteral SpdxContains = "CONTAINS";
inline constexpr StringLiteral SpdxCopyrightText = "copyrightText";
inline constexpr StringLiteral SpdxCreationInfo = "creationInfo";
Expand All @@ -135,7 +134,6 @@ namespace vcpkg
inline constexpr StringLiteral SpdxDownloadLocation = "downloadLocation";
inline constexpr StringLiteral SpdxElementId = "spdxElementId";
inline constexpr StringLiteral SpdxFileName = "fileName";
inline constexpr StringLiteral SpdxGeneratedFrom = "GENERATED_FROM";
inline constexpr StringLiteral SpdxGenerates = "GENERATES";
inline constexpr StringLiteral SpdxLicenseConcluded = "licenseConcluded";
inline constexpr StringLiteral SpdxLicenseDeclared = "licenseDeclared";
Expand Down
4 changes: 4 additions & 0 deletions include/vcpkg/spdx.h
Expand Up @@ -22,6 +22,8 @@ namespace vcpkg
/// @param action Install action to be represented by this manifest
/// @param relative_paths Must contain relative paths of all files in the port directory (from the port directory)
/// @param hashes Must contain ordered hashes of `relative_paths`
/// @param relative_package_files Must contain relative paths of all files in the package directory
/// @param package_hashes Must contain ordered hashes of `relative_package_files`
/// @param created_time SPDX creation time in YYYY-MM-DDThh:mm:ssZ format
/// @param document_namespace Universally unique URI representing this SPDX document. See
/// https://spdx.github.io/spdx-spec/document-creation-information/#65-spdx-document-namespace-field
Expand All @@ -30,6 +32,8 @@ namespace vcpkg
std::string create_spdx_sbom(const InstallPlanAction& action,
View<Path> relative_paths,
View<std::string> hashes,
View<Path> relative_package_files,
View<std::string> package_hashes,
std::string created_time,
std::string document_namespace,
std::vector<Json::Object>&& resource_docs);
Expand Down
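Review bot: The new `@param relative_package_files` line omits which directory the paths are relative to (the sibling `relative_paths` doc says "from the port directory"), and neither new line states the pairing invariant the serializer depends on: from the test fixtures it appears `package_hashes[i]` is emitted as the checksum of `relative_package_files[i]` under `"algorithm": "SHA256"`, so a caller passing a different digest type or a shorter vector would produce an SBOM whose checksums attest the wrong thing. I would tighten the two lines to `/// @param relative_package_files Must contain relative paths of all files in the package directory (from the package directory)` and `/// @param package_hashes Must contain SHA256 hashes of relative_package_files, same order and same length`. If the implementation does not already do so, `create_spdx_sbom` should also reject `relative_package_files.size() != package_hashes.size()` rather than index past the shorter view; the implementation is not in this diff, so that is unverified from here. The doc comment for `create_spdx_sbom` begins above the first hunk.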
134 changes: 66 additions & 68 deletions src/vcpkg-test/spdx.cpp
Expand Up @@ -381,6 +381,8 @@ TEST_CASE ("spdx maximum serialization", "[spdx]")
create_spdx_sbom(ipa,
std::vector<Path>{"vcpkg.json", "portfile.cmake", "patches/patch1.diff"},
std::vector<std::string>{"vcpkg.json-hash", "portfile.cmake-hash", "patch1.diff-hash"},
std::vector<Path>{"include/zlib.h", "lib/zlib.lib"},
std::vector<std::string>{"zlib-header-hash", "zlib-lib-hash"},
"now",
"https://test-document-namespace",
{});
Expand Down Expand Up @@ -408,42 +410,32 @@ TEST_CASE ("spdx maximum serialization", "[spdx]")
{
"spdxElementId": "SPDXRef-port",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-file-0"
"relatedSpdxElement": "SPDXRef-port-file-0"
},
{
"spdxElementId": "SPDXRef-port-file-0",
"relationshipType": "DEPENDENCY_MANIFEST_OF",
"relatedSpdxElement": "SPDXRef-port"
},
{
"spdxElementId": "SPDXRef-port",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-file-1"
"relatedSpdxElement": "SPDXRef-port-file-1"
},
{
"spdxElementId": "SPDXRef-port",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-file-2"
"relatedSpdxElement": "SPDXRef-port-file-2"
},
{
"spdxElementId": "SPDXRef-binary",
"relationshipType": "GENERATED_FROM",
"relatedSpdxElement": "SPDXRef-port"
},
{
"spdxElementId": "SPDXRef-file-0",
"relationshipType": "CONTAINED_BY",
"relatedSpdxElement": "SPDXRef-port"
},
{
"spdxElementId": "SPDXRef-file-0",
"relationshipType": "DEPENDENCY_MANIFEST_OF",
"relatedSpdxElement": "SPDXRef-port"
},
{
"spdxElementId": "SPDXRef-file-1",
"relationshipType": "CONTAINED_BY",
"relatedSpdxElement": "SPDXRef-port"
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-binary-file-0"
},
{
"spdxElementId": "SPDXRef-file-2",
"relationshipType": "CONTAINED_BY",
"relatedSpdxElement": "SPDXRef-port"
"spdxElementId": "SPDXRef-binary",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-binary-file-1"
}
],
"packages": [
Expand Down Expand Up @@ -474,7 +466,7 @@ TEST_CASE ("spdx maximum serialization", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -486,7 +478,7 @@ TEST_CASE ("spdx maximum serialization", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -498,7 +490,7 @@ TEST_CASE ("spdx maximum serialization", "[spdx]")
},
{
"fileName": "./patches/patch1.diff",
"SPDXID": "SPDXRef-file-2",
"SPDXID": "SPDXRef-port-file-2",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -507,6 +499,30 @@ TEST_CASE ("spdx maximum serialization", "[spdx]")
],
"licenseConcluded": "NOASSERTION",
"copyrightText": "NOASSERTION"
},
{
"fileName": "./include/zlib.h",
"SPDXID": "SPDXRef-binary-file-0",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "zlib-header-hash"
}
],
"licenseConcluded": "NOASSERTION",
"copyrightText": "NOASSERTION"
},
{
"fileName": "./lib/zlib.lib",
"SPDXID": "SPDXRef-binary-file-1",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "zlib-lib-hash"
}
],
"licenseConcluded": "NOASSERTION",
"copyrightText": "NOASSERTION"
}
]
})json";
Expand Down Expand Up @@ -537,6 +553,8 @@ TEST_CASE ("spdx minimum serialization", "[spdx]")
const auto sbom = create_spdx_sbom(ipa,
std::vector<Path>{"vcpkg.json", "portfile.cmake"},
std::vector<std::string>{"hash-vcpkg.json", "hash-portfile.cmake"},
{},
{},
"now+1",
"https://test-document-namespace-2",
{});
Expand Down Expand Up @@ -564,32 +582,17 @@ TEST_CASE ("spdx minimum serialization", "[spdx]")
{
"spdxElementId": "SPDXRef-port",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-file-0"
},
{
"spdxElementId": "SPDXRef-port",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-file-1"
},
{
"spdxElementId": "SPDXRef-binary",
"relationshipType": "GENERATED_FROM",
"relatedSpdxElement": "SPDXRef-port"
"relatedSpdxElement": "SPDXRef-port-file-0"
},
{
"spdxElementId": "SPDXRef-file-0",
"relationshipType": "CONTAINED_BY",
"relatedSpdxElement": "SPDXRef-port"
},
{
"spdxElementId": "SPDXRef-file-0",
"spdxElementId": "SPDXRef-port-file-0",
"relationshipType": "DEPENDENCY_MANIFEST_OF",
"relatedSpdxElement": "SPDXRef-port"
},
{
"spdxElementId": "SPDXRef-file-1",
"relationshipType": "CONTAINED_BY",
"relatedSpdxElement": "SPDXRef-port"
"spdxElementId": "SPDXRef-port",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-port-file-1"
}
],
"packages": [
Expand Down Expand Up @@ -617,7 +620,7 @@ TEST_CASE ("spdx minimum serialization", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -629,7 +632,7 @@ TEST_CASE ("spdx minimum serialization", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down Expand Up @@ -681,7 +684,7 @@ TEST_CASE ("spdx concat resources", "[spdx]")
.value(VCPKG_LINE_INFO)
.value.object(VCPKG_LINE_INFO);

const auto sbom = create_spdx_sbom(ipa, {}, {}, "now+1", "ns", {std::move(doc1), std::move(doc2)});
const auto sbom = create_spdx_sbom(ipa, {}, {}, {}, {}, "now+1", "ns", {std::move(doc1), std::move(doc2)});

auto expected = Json::parse(R"json(
{
Expand All @@ -703,11 +706,6 @@ TEST_CASE ("spdx concat resources", "[spdx]")
"relationshipType": "GENERATES",
"relatedSpdxElement": "SPDXRef-binary"
},
{
"spdxElementId": "SPDXRef-binary",
"relationshipType": "GENERATED_FROM",
"relatedSpdxElement": "SPDXRef-port"
},
"r1",
"r2",
"r3"
Expand Down Expand Up @@ -810,7 +808,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -822,7 +820,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down Expand Up @@ -892,7 +890,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -904,7 +902,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down Expand Up @@ -974,7 +972,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -986,7 +984,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down Expand Up @@ -1056,7 +1054,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -1068,7 +1066,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down Expand Up @@ -1147,7 +1145,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -1159,7 +1157,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down Expand Up @@ -1240,7 +1238,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -1252,7 +1250,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down Expand Up @@ -1343,7 +1341,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
"files": [
{
"fileName": "./vcpkg.json",
"SPDXID": "SPDXRef-file-0",
"SPDXID": "SPDXRef-port-file-0",
"checksums": [
{
"algorithm": "SHA256",
Expand All @@ -1355,7 +1353,7 @@ TEST_CASE ("spdx license parse edge cases", "[spdx]")
},
{
"fileName": "./portfile.cmake",
"SPDXID": "SPDXRef-file-1",
"SPDXID": "SPDXRef-port-file-1",
"checksums": [
{
"algorithm": "SHA256",
Expand Down
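Review bot: The updated tests only cover package files together with port files ("spdx maximum serialization") or neither ("spdx minimum serialization" and "spdx concat resources"); there is no case with package files but an empty port file list, and no case checking what happens when `relative_package_files` and `package_hashes` differ in length, which is the failure an SBOM consumer most needs guaranteed because a shifted checksum silently attests the wrong content. I would add a package-files-only case asserting that `SPDXRef-binary-file-0` appears with a `CONTAINS` relationship from `SPDXRef-binary` and that no `SPDXRef-port-file-*` entries are emitted, plus a mismatched-length case pinning whatever the implementation's documented behaviour is (it is not visible in this diff). The fixtures also label placeholder strings such as `"zlib-header-hash"` as `"algorithm": "SHA256"`; a one-line comment above each fixture, e.g. `// checksum values are placeholders, not real SHA256 digests`, would keep a reader from treating them as format examples.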