Support for vcpkg
#2110
Comments
Hi @audunmo! Thanks for the feature request! I didn't know about

Here's what the work would look like: To add support for vcpkg, what we would do is add a vcpkg cataloger to syft. (A cataloger is syft's term for a module that knows how to detect and analyze components from a particular package manager or ecosystem. For example, there are a couple of Java catalogers and an RPM cataloger.) Catalogers generally come in two flavors: those that catalog described/declared packages, which are used by default when scanning directories ("directory catalogers"), and those that catalog installed packages, which are used by default when scanning container images ("image catalogers"). I think what you're looking for is a directory cataloger, but I could be wrong.

Here are the docs on adding a new cataloger: https://github.com/anchore/syft/blob/main/DEVELOPING.md#summary

Here's a pull request of a recently added cataloger: #1790

If you'd like to discuss more, please feel free to come to one of our community meetings: https://github.com/anchore/syft#join-our-community-meetings
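A "directory cataloger" as described in that comment would have to read a project's declared dependencies out of its vcpkg.json manifest. The following standalone Go parser is an added illustration, not syft's code and not wired to syft's cataloger interface; the struct fields follow vcpkg's documented manifest shape (dependencies given either as a bare string or as an object with "name" and optional keys), and the sample manifest is constructed, not taken from any real project.

```go
package main

import "encoding/json"

// Dependency is one entry of the "dependencies" array in vcpkg.json. vcpkg
// allows a bare string ("fmt") or an object with "name" plus optional keys.
type Dependency struct {
	Name       string   `json:"name"`
	Features   []string `json:"features"`
	MinVersion string   `json:"version>="`
}

// UnmarshalJSON accepts both forms, so a manifest mixing them parses whole.
func (d *Dependency) UnmarshalJSON(b []byte) error {
	var name string
	if json.Unmarshal(b, &name) == nil {
		*d = Dependency{Name: name}
		return nil
	}
	type plain Dependency // same fields, no custom method: avoids recursion
	var p plain
	err := json.Unmarshal(b, &p)
	*d = Dependency(p)
	return err
}

// Manifest is the subset of vcpkg.json a declared-package cataloger reads.
type Manifest struct {
	Name         string       `json:"name"`
	Version      string       `json:"version"`
	Dependencies []Dependency `json:"dependencies"`
}

// ParseManifest decodes a vcpkg.json and lists declared port names in order.
func ParseManifest(data []byte) (Manifest, []string, error) {
	var m Manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return m, nil, err
	}
	names := make([]string, 0, len(m.Dependencies))
	for _, d := range m.Dependencies {
		names = append(names, d.Name)
	}
	return m, names, nil
}

// sampleManifest is a constructed vcpkg.json, not taken from any real project.
const sampleManifest = `{"name":"demo-app","version":"1.2.0","dependencies":["fmt",
 {"name":"zlib","version>=":"1.2.13"},{"name":"openssl","features":["tools"]}]}`
```

Every port name in the returned list would become one declared package entry in the SBOM, with the object form carrying the version floor and enabled features the manifest pins.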
I'd love to take a crack at it. Thanks @willmurphyscode

By-the-by, I've begun work on this over here: https://github.com/audunmo/syft/tree/feat/catalog-vcpkg

Awesome! Do you want some early feedback? Also I made a lot of breaking changes that I think will affect your (future) PR, I'm happy to do the rebase if you open up a draft PR and allow maintainer write permissions.

@wagoodman Heya. I actually stopped pursuing this. Turns out, vcpkg generates an SPDX SBOM automatically. It just wasn't super apparent in their docs. Thanks anyway! Closing this issue

For anyone else stumbling upon this issue, here's the vcpkg docs for SBOM https://learn.microsoft.com/en-us/vcpkg/reference/software-bill-of-materials

I'm glad there is baked-in support for generating an SBOM from the build tooling -- that's awesome! I think there is still merit to the original ask even though the build tooling supports it. It might be that you're scanning a repo or asset that has vcpkg material alongside other material. I'd be curious to see what would be possible outside of the build tooling here.
What would you like to be added:
syft should be able to use vcpkg to generate SBOMs for C++ projects.

Why is this needed:
At @reMarkable, we have a giant C++ codebase. We'd love to use syft to generate SBOMs for this project, but we're reliant on using vcpkg as a package manager, not conan.

Additional context: