Hello all! I’m working on a Fortran project that does not use a package manager and am having difficulty identifying a tool or process that will allow us to automatically generate a Software Bill of Materials (SBOM) for our code, which is a mandated process. I am hoping the community may have some knowledge or experience with this that may help - does anyone have any suggestions on a tool or process for generating SBOMs for Fortran code? I don’t want to have to transition to using a package manager unless we absolutely have to, as we have very little time available to make non-feature updates to the code.
Probably your best bet is to trace the build process and parse any log file produced by the build system (CMake, Meson, …). Then you can search for libraries linked (`-L`, `-lXYZ`), include directories (`-I`) and so forth. I’m not sure how you would deal with optional components.
In addition to the compiler itself and any statically linked libraries included in the build process, you could inspect the required shared libraries using `ldd` (Linux) or `otool` (Mac):

```console
~/fortran/complex$ otool -L a.out # MacOS
a.out:
/usr/local/opt/gcc/lib/gcc/current/libgfortran.5.dylib (compatibility version 6.0.0, current version 6.0.0)
/usr/local/opt/gcc/lib/gcc/current/libgcc_s.1.1.dylib (compatibility version 1.0.0, current version 1.1.0)
/usr/local/opt/gcc/lib/gcc/current/libquadmath.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1345.120.2)
```
An executable might also dynamically load other libraries (plugins). With some shell scripting you can trace this at runtime:

```console
$ LD_DEBUG=libs ./my_executable 2>&1 | grep "calling init" | awk '{print $4}'
```
In case you have an fpm project, you could look at the dependencies. For instance, for fpm, the manifest contains:

```toml
[dependencies]
toml-f.git = "https://github.com/toml-f/toml-f"
toml-f.rev = "d7b892b1d074b7cfc5d75c3e0eb36ebc1f7958c1"
M_CLI2.git = "https://github.com/urbanjost/M_CLI2.git"
M_CLI2.rev = "7264878cdb1baff7323cc48596d829ccfe7751b8"
fortran-regex.git = "https://github.com/perazz/fortran-regex"
fortran-regex.tag = "1.1.2"
jonquil.git = "https://github.com/toml-f/jonquil"
jonquil.rev = "4fbd4cf34d577c0fd25e32667ee9e41bf231ece8"
fortran-shlex.git = "https://github.com/perazz/fortran-shlex"
fortran-shlex.tag = "1.0.1"
```
The dependencies can have their own dependencies. There can also be dev-dependencies, needed for testing, but not required for installation. I’ve proposed to add a `fpm dependency-list` command here: Command to list dependencies · fortran-lang/fpm · Discussion #682 · GitHub, but it is still open AFAIK. Since fpm uses git behind the scenes, you would also need to inspect any included git submodules to locate their origin.
In any case, the answer probably depends on what precisely your SBOM requires from you (e.g. CISA guidelines or something else).
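As an added illustration of the build-log and `ldd` approach described in the answer above (example code written for this thread, not from any SBOM tool or from the fpm project), the script below parses a constructed verbose build log for `-l`/`-L`/`-I` flags and a constructed `ldd` listing, and merges both into a minimal CycloneDX-style component list. The log text, the library names and paths are all made-up sample input; a real run would read the actual build log and `ldd ./your_binary` output instead.

```python
import json
import re

# Constructed sample build log (assumption: one compile/link command per line,
# as a verbose CMake/Make run prints them). Not from any real project.
BUILD_LOG = """\
gfortran -O2 -I/opt/netcdf/include -I../include -c solver.f90 -o solver.o
gfortran -o solver solver.o -L/opt/netcdf/lib -L/usr/local/lib -lnetcdff -lnetcdf -llapack -lblas
"""

# Constructed sample output of `ldd ./solver` on Linux, trimmed to a few lines.
LDD_OUTPUT = """\
\tlinux-vdso.so.1 (0x00007ffd3e1f0000)
\tlibnetcdff.so.7 => /opt/netcdf/lib/libnetcdff.so.7 (0x00007f1c2a000000)
\tlibgfortran.so.5 => /lib/x86_64-linux-gnu/libgfortran.so.5 (0x00007f1c29c00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29800000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a200000)
"""

# -lNAME, -LDIR and -IDIR flags; other options such as -O2 or -o are ignored.
FLAG_RE = re.compile(r"(?:^|\s)-(?P<kind>[lLI])(?P<value>\S+)")
# "soname => /resolved/path"; the vDSO and the loader line have no "=>" and are skipped.
LDD_RE = re.compile(r"^\s*(?P<soname>\S+\.so[\.\d]*)\s+=>\s+(?P<path>/\S+)")

def parse_build_log(log: str) -> dict:
    """Collect linked libraries (-l), library dirs (-L) and include dirs (-I), in order, without duplicates."""
    found = {"l": [], "L": [], "I": []}
    for m in FLAG_RE.finditer(log):
        kind, value = m.group("kind"), m.group("value")
        if value not in found[kind]:
            found[kind].append(value)
    return found

def parse_ldd(output: str) -> dict:
    """Map each shared-object name to the path the dynamic loader resolved it to."""
    return {m.group("soname"): m.group("path")
            for line in output.splitlines() if (m := LDD_RE.match(line))}

def build_sbom(log: str, ldd_output: str) -> dict:
    """Merge both evidence sources into a minimal CycloneDX-style document."""
    flags = parse_build_log(log)
    components = [{"type": "library", "name": lib, "evidence": "link flag -l" + lib}
                  for lib in flags["l"]]
    for soname, path in parse_ldd(ldd_output).items():
        components.append({"type": "library", "name": soname, "path": path, "evidence": "ldd"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"includeDirs": flags["I"], "libraryDirs": flags["L"]},
            "components": components}

if __name__ == "__main__":
    print(json.dumps(build_sbom(BUILD_LOG, LDD_OUTPUT), indent=2))
```

Libraries that are linked statically show up only through the `-l` flags, and plugins loaded at runtime through neither, which is why the `LD_DEBUG` trace mentioned above is still needed for those.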