Dear Members of the LLVM Community,
I’m Bharathi Seshadri and I work in the Compilers Group at Cisco on LLVM-related projects.
I am writing about a project to extend LLVM to support GitBOM (https://gitbom.dev). GitBOM is an open-source initiative (Community | GitBOM) to construct a verifiable Artifact Dependency Graph and enable automatic, verifiable artifact resolution. GitBOM has several potential applications in the software supply chain such as vulnerability management and is complementary to SBOM (software bill of materials). GitBOM can in fact help SBOMs to be more precise and reliable.
The Artifact Dependency Graph (ADG) of an artifact is the recursive DAG (Directed Acyclic Graph) of all the input artifacts that are transformed by a build tool into that artifact. It includes the direct input artifacts, and the recursive set of artifacts to each input artifact, all the way down to source code.
The overall GitBOM project is still at an early stage. I have prototyped the current GitBOM requirements in LLVM. The prototype llvm-gitbom (clang and lld) creates a GitBOM file for every compilation and link step under a new option. The GitBOM file contains the cryptographic hash of all the dependencies (such as header files, object files) during compilation and linking steps. The hash of the GitBOM document is then embedded in a .bom section in the ELF file.
We are looking to get feedback and more involvement from the broader LLVM community. Please let us know if you are interested in getting involved or learning more. We have weekly zoom meetings on the GitBOM project and it would be good to have more participation from the LLVM community in these meetings.