Skip to content

[DNM]: SBOM (Software Bill of Materials) generation support #9577

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
echeng3805 wants to merge 27 commits into
base: main
Choose a base branch
from
Draft

[DNM]: SBOM (Software Bill of Materials) generation support #9577

echeng3805 wants to merge 27 commits into from

Conversation

@echeng3805
Copy link

@echeng3805 echeng3805 commented Jan 9, 2026
edited by bkhouri
Loading

This PR captures the current state of SBOM generation support in SwiftPM, so that @bkhouri and I can create a dev toolchain. We want to add the dev toolchain to some slides.

THIS PR IS NOT INTENDED FOR PRODUCTION

Summary of features:

  • New 'swift package generate-sbom' command for generating SBOMs
  • Integration with 'swift build' command via --sbom-spec flag
  • Support for CycloneDX 1.7 and SPDX 3.0.1 formats
  • Product-based and package-based SBOM generation
  • JSON schema validation for generated SBOMs

Requires: swiftlang/swift-installer-scripts#499

@bkhouri bkhouri mentioned this pull request Jan 9, 2026
Draft
@bkhouri bkhouri changed the title draft: create a Swift dev toolchain with SBOM (Software Bill of Materials) generation support [DNM]: create a Swift dev toolchain with SBOM (Software Bill of Materials) generation support Jan 9, 2026
@bkhouri
Copy link
Contributor

bkhouri commented Jan 9, 2026

@swift-ci test self hosted

@bkhouri
Copy link
Contributor

bkhouri commented Jan 9, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 9, 2026

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 9, 2026

The current Windows self hosted build is here: https://ci-external.swift.org/job/pr-swiftpm-windows-self-hosted/3382/

@bkhouri bkhouri changed the title [DNM]: create a Swift dev toolchain with SBOM (Software Bill of Materials) generation support [DNM]: SBOM (Software Bill of Materials) generation support Jan 12, 2026
@bkhouri
Copy link
Contributor

bkhouri commented Jan 12, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 12, 2026

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 12, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 12, 2026

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 12, 2026

@swift-ci test

1 similar comment
@bkhouri
Copy link
Contributor

bkhouri commented Jan 13, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 13, 2026

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 13, 2026

macOS self hosted failed to clone the repository. I'm retriggering all self hosted CI builds

@swift-ci test self hosted

@swiftlang swiftlang deleted a comment from echeng3805 Jan 13, 2026
@bkhouri
Copy link
Contributor

bkhouri commented Jan 13, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 13, 2026

Windows platform build was started against the previous comms. Re-triggering Windows builds

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 13, 2026

Windows platform build was started against the previous comms. Re-triggering Windows builds

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

Windows platform build was started against the previous comms. Re-triggering Windows builds

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

The Linux smoke tests failed due to an infrastructure issue. I'm retriggering

@swift-ci smoke test linux

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

The Windows platform test triggered against commit ID ab223c294e351419e0ef61623c888b9ed939858f, which is the commit before the latest pushed. I am re-triggering the Windows builds again

@swift-ci test windows

@bkhouri bkhouri mentioned this pull request Jan 14, 2026
Open
@shahmishal
Copy link
Member

shahmishal commented Jan 14, 2026

Please keep the trigger separate from other content.

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

@swift-ci test

@bkhouri
Copy link
Contributor

bkhouri commented Jan 14, 2026

@swift-ci test windows

@bkhouri
Copy link
Contributor

bkhouri commented Jan 24, 2026

@swift-ci test windows

1 similar comment
@bkhouri
Copy link
Contributor

bkhouri commented Jan 26, 2026

@swift-ci test windows

echeng3805 and others added 26 commits January 27, 2026 17:26
@echeng3805
feat: Add SBOM (Software Bill of Materials) generation support
da56909 
This commit adds comprehensive SBOM generation capabilities to Swift Package Manager, supporting both CycloneDX 1.7 and SPDX 3.0.1 specifications.

Key features:
- New 'swift package generate-sbom' command for generating SBOMs
- Integration with 'swift build' command via --sbom flag
- Support for CycloneDX 1.7 and SPDX 3.0.1 formats
- Product-based and package-based SBOM generation
- Dependency graph extraction and relationship tracking
- PURL (Package URL) generation for components
- JSON schema validation for generated SBOMs
- Comprehensive test coverage with fixtures

New modules:
- SBOMModel: Core SBOM data structures and conversion logic
- Validators for CycloneDX and SPDX formats
- Extractors for components, dependencies, and metadata
- Converters for both SBOM specifications

This implementation enables users to generate software bills of materials
for their Swift packages, improving supply chain security and compliance.
@echeng3805
fix: some tests?
2486b83
@bkhouri @echeng3805
possibly fix Cmake build
7db1b1d
@bkhouri @echeng3805
export some cmake "targets"
472d91d
@echeng3805
fix: bundle modifier for windows
8bd87e2
@echeng3805
fix: fix bundle error on windows?
6a797dd
@echeng3805
fix: update cmake?
5ce1b0e
@echeng3805
embed in code
aee220b
@echeng3805
Revert "embed in code"
4f491bd 
This reverts commit ab223c2.
@echeng3805
fix: skip validation if bundle isn't found
5831185
@echeng3805
fix: try to fix bundle usage
51fbb61
@echeng3805
fix: caching access
c2fc857
@echeng3805
comment out tests, remove allBundles
b5908ed
@echeng3805
fix: compilation error
f17ad34
@echeng3805
fix: use NSRegularExpression in SBOMValidator
3bdfa3d
@echeng3805
update windows cmake file
e54faa8
@echeng3805
remove StringProcessing from Cmake
462cb2d
@echeng3805
update CMakeLists.txt to have STATIC
08ab79a
@bkhouri @echeng3805
Update SBOMModel CmakeLists to remove build default library type, and…
d93ffb3 
… not to link in Foundation
@bkhouri @echeng3805
Update SBOMModel CmakeLists build static SBOMModel library
3d385f4
@echeng3805
update cmakelists
e13eece
@echeng3805
fix: remove SBOMModel exports
87a35a8
@bkhouri @echeng3805
Update CMakeLists.txt to remove modification to some SwiftPM_EXPORTS
80a762b
@bkhouri @echeng3805
Update SBOMModel Cmakelist to not install the target
fad0abc
@echeng3805
fix: replace colons with underscores in filename
d31a28b
@echeng3805
fix: build error
0a8fd3c
@echeng3805 echeng3805 force-pushed the echeng3805/sbom-squashed branch from b471fc3 to 0a8fd3c Compare January 28, 2026 01:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jakepetroules jakepetroules Awaiting requested review from jakepetroules jakepetroules will be requested when the pull request is marked ready for review jakepetroules is a code owner

@dschaefer2 dschaefer2 Awaiting requested review from dschaefer2 dschaefer2 will be requested when the pull request is marked ready for review dschaefer2 is a code owner

@bripeticca bripeticca Awaiting requested review from bripeticca bripeticca will be requested when the pull request is marked ready for review bripeticca is a code owner

@plemarquand plemarquand Awaiting requested review from plemarquand plemarquand will be requested when the pull request is marked ready for review plemarquand is a code owner

@owenv owenv Awaiting requested review from owenv owenv will be requested when the pull request is marked ready for review owenv is a code owner

@bkhouri bkhouri Awaiting requested review from bkhouri bkhouri will be requested when the pull request is marked ready for review bkhouri is a code owner

@cmcgee1024 cmcgee1024 Awaiting requested review from cmcgee1024 cmcgee1024 will be requested when the pull request is marked ready for review cmcgee1024 is a code owner

@daveyc123 daveyc123 Awaiting requested review from daveyc123 daveyc123 will be requested when the pull request is marked ready for review daveyc123 is a code owner

@rconnell9 rconnell9 Awaiting requested review from rconnell9 rconnell9 will be requested when the pull request is marked ready for review rconnell9 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

pending evolution proposal

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@echeng3805 @bkhouri @shahmishal