Reviews are an important part of the Swift evolution process. All review feedback should be either on this forum thread or, if you would like to keep your feedback private, directly to me as the review manager by email or DM. When contacting the review manager directly, please put "SE-0509" in the subject line.
Trying it out
If you'd like to try this proposal out, you can download a toolchain supporting it:
The goal of the review process is to improve the proposal under review through constructive criticism and, eventually, determine the direction of Swift. When writing your review, here are some questions you might want to answer in your review:
What is your evaluation of the proposal?
Is the problem being addressed significant enough to warrant a change to Swift?
Does this proposal fit well with the feel and direction of Swift?
If you have used other languages or libraries with a similar feature, how do you feel that this proposal compares to those?
How much effort did you put into your review? A glance, a quick reading, or an in-depth study?
More information about the Swift evolution process is available at:
Big +1 from me - fills an increasingly important gap in the security story for Swift applications, supports industry standard schemes and integrates nicely.
I had a thought about future functionality. Currently, SBOM authors don't have a guaranteed way of confirming what SBOMs were generated by SwiftPM other than using --sbom-output-dir and ensuring the provided directory is empty.
In the "Future Features" section, can we add functionality that would have SwiftPM provide structured data about the SBOMs it generated, possibly via a --sbom-output-format <mode> CLI option?
e.g. (this is sample JSON output):
$ swift build --build-system swiftbuild --sbom-spec cyclonedx --sbom-spec spdx --sbom-output-format json
<...SNIP...>
{
"cyclonedx": [
{ "version": "1.7", "output": "<absolute/path/to/generated/CycloneDX/SBOM>" }
],
"spdx": [
{ "version": "3.0", "output": "<absolute/path/to/generated/SPDX/SBOM>" }
]
}
## Text based output produces the existing output
$ swift build --build-system swiftbuild --sbom-spec cyclonedx --sbom-spec spdx --sbom-output-format text
<...SNIP...>
<current text based output>
I think that augmentation would coordinate well with some kind of flag that can toggle the SwiftPM logs. For example, some languages are able to output all logs as JSON objects that can be decoded line by line programmatically. I can see external tools or monitoring services streaming/being streamed the SwiftPM build logs, parsing each JSON object until the SBOM paths JSON object is reached, then extracting the paths from the SBOM paths JSON object.
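As an added example (not part of this thread, and not SwiftPM's own code), here is the kind of consumer the post above describes, written in Python: it reads a JSON-lines build log, skips any plain-text lines, stops at the SBOM-path object, and pulls out the paths. The log lines are constructed, and the record shape follows the sketch in the post; the --sbom-output-format json option is the poster's proposal, not an existing SwiftPM flag. It also adds the check a practitioner would want alongside --sbom-output-dir: each reported path must be absolute and must still resolve inside the configured output directory after symlink and .. resolution, otherwise it is rejected rather than trusted.

```python
import json
import os

# Constructed sample of the hypothetical JSON-lines build log: ordinary log
# records interleaved with the SBOM-path object sketched in the post above.
# This is not real SwiftPM output; the shape is the proposal, not a feature.
SAMPLE_LOG = """\
{"level": "info", "message": "Compiling MyLib (3 sources)"}
warning: a plain-text line that a real log stream might still contain
{"level": "info", "message": "Build complete!"}
{"cyclonedx": [{"version": "1.7", "output": "/opt/build/sbom/MyLib.cdx.json"}, {"version": "1.6", "output": "/opt/build/sbom/../../../etc/passwd"}], "spdx": [{"version": "3.0", "output": "/opt/build/sbom/MyLib.spdx.json"}, {"version": "3.0", "output": "relative/MyLib.spdx.json"}]}
"""

SBOM_SPECS = ("cyclonedx", "spdx")


def iter_json_records(log_text):
    """Yield each line that parses as a JSON object; silently skip text lines."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            yield record


def is_sbom_record(record):
    """The SBOM-path object is recognised by carrying a per-spec list."""
    return any(isinstance(record.get(spec), list) for spec in SBOM_SPECS)


def extract_sbom_paths(log_text, output_dir):
    """Return (accepted, rejected).

    accepted: {spec: [resolved absolute path, ...]} for outputs that lie
              inside output_dir after symlink and '..' resolution.
    rejected: [(spec, original path, reason), ...]
    """
    base = os.path.realpath(output_dir)
    accepted = {}
    rejected = []
    for record in iter_json_records(log_text):
        if not is_sbom_record(record):
            continue
        for spec in SBOM_SPECS:
            for entry in record.get(spec, []):
                path = entry.get("output", "")
                if not os.path.isabs(path):
                    rejected.append((spec, path, "not an absolute path"))
                    continue
                resolved = os.path.realpath(path)
                # commonpath (not startswith) so /opt/build/sbom-evil/x is not
                # mistaken for something under /opt/build/sbom
                if os.path.commonpath([base, resolved]) != base:
                    rejected.append((spec, path, "outside the SBOM output directory"))
                    continue
                accepted.setdefault(spec, []).append(resolved)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = extract_sbom_paths(SAMPLE_LOG, "/opt/build/sbom")
    for spec, paths in ok.items():
        for p in paths:
            print(f"{spec}: {p}")
    for spec, path, why in bad:
        print(f"rejected {spec} entry {path!r}: {why}")
```

The containment check is what turns "SwiftPM told me where the SBOM is" into "this file is one SwiftPM wrote into the directory I asked for", which is the guarantee the --sbom-output-dir-must-be-empty workaround is currently standing in for.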