Include language package manager (e.g. `cargo`, `npm`, go modules) information in SBOMs

[carlocab]

Verification

• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

Provide a detailed description of the proposed feature

The sbom.spdx.json contains dependency information for dependencies managed by brew. We should include dependency information for those not managed by brew as well.

What is the motivation for the feature?

More complete SBOMs. It will also improve our ability to track CVEs that affect formulae.

How will the feature be relevant to at least 90% of Homebrew users?

It probably won't be.

What alternatives to the feature have been considered?

• the status quo
• another mechanism for tracking non-Homebrew dependencies

[MikeMcQuaid]

Good idea, thanks @carlocab!

[SMillerDev]

@carlocab do you have an example of some data you would like to see included?

[cho-m]

Could be worth starting with something like npm which provides npm sbom and decide what parts of that should be included.

Cargo may be easier once RFC rust-lang/rfcs#3553 provides a similar feature. Some repositories use tools like cargo-auditable to put related information inside the binaries.

May need to see how large these can get since the dependency trees can be quite large.

---

Though, homebrew-pip-audit is using osv-scanner so a variation on previous PR for lock files (#14835) could be more useful if we want to build tooling around auditing our own formulae. osv-scanner supports Cargo.lock, Gemfile.lock, etc.

[carlocab]

@carlocab do you have an example of some data you would like to see included?

Not really, sorry! It's really more that our SBOMs already contain dependency information when those dependencies are on other formulae. Ideally the dependency information would be more complete by including non-formula dependencies too.

At minimum, I guess, we should include the names and versions of language package manager dependencies in the SBOMs.

[MikeMcQuaid]

Could be worth starting with something like npm which provides npm sbom and decide what parts of that should be included.

Agreed. Note: given all our SBOM reproducibility issues: this needs to be done at bottle pour time.

---

@carlocab thanks for clarifying!

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.