Skip to content

Framstag/mesonsbom

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.github/workflows
.github/workflows
 
 
openspec
openspec
 
 
scripts
scripts
 
 
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
AGENTS.md
AGENTS.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
meson.build
meson.build
 
 
mise.toml
mise.toml
 
 

Repository files navigation

mesonsbom

Disclaimer: This is a personal project. mesonsbom is not part of the official Meson project. I, the developer, am not affiliated with or a member of the Meson project. This tool is provided as-is for convenience.

Purpose

The mesonsbom tool generates a CycloneDX 1.6 SBOM in JSON format by reading Meson introspection JSON files from a specified build directory. It helps with supply‑chain security and compliance by providing a full list of direct dependencies.

Required Build Dependencies

  • nlohmann_json – header‑only JSON parser (used for parsing Meson introspection files).
  • cxxopts – command‑line option parser.
  • catch2 – unit testing framework (used for integration tests).
  • pkgconf – pkg-config implementation (used for resolving system library dependencies).

Build Instructions

# Configure the build directory
meson setup build

# Compile the project
ninja -C build

Optional flags can be passed to meson setup (e.g., -Ddebug=true). To clean the build directory:

ninja -C build clean

Usage

Basic SBOM generation (full project)

# Generate an SBOM for the entire project in the current directory
./build/mesonsbom --build-dir <path-to-meson-build>

# Specify a custom output file
./build/mesonsbom --build-dir <path-to-meson-build> --output my-sbom.json

The command reads meson-info/intro-projectinfo.json and meson-info/intro-dependencies.json from the specified build directory and writes a valid CycloneDX 1.6 SBOM to sbom.json (or the specified output path).

Target-specific SBOM

# Generate an SBOM for a single build target (e.g., a specific executable or library)
./build/mesonsbom --build-dir <path-to-meson-build> --target my_executable

# Combine with custom output
./build/mesonsbom --build-dir <path-to-meson-build> --target my_library --output target-sbom.json

The --target option filters the SBOM to only include the specified target and its direct dependencies. Useful when you need a focused SBOM for a specific output artifact.

Other options

# Print version information
./build/mesonsbom --version

# Show help and exit
./build/mesonsbom --help

Verification

# Verify the SBOM was created
test -f sbom.json && echo "SBOM generated successfully"

FAQ

Q: What if the meson-info directory is missing?
A: Ensure you run meson introspect or configure the project with Meson; the introspection files are generated in meson-info during the build.

Q: How do I update the README when new dependencies are added?
A: Edit the Required Build Dependencies section to include the new libraries and re‑commit the changes.

AI Acknowledgement

This project was created with assistance from AI tools:

  • pi-agent – coding agent framework driving the development loop.
  • OpenSpec – structured change workflow (proposal, design, specs, tasks).
  • DeepSeek V4 (deepseek-v4-flash) via OpenRouter – language model used for code generation and reasoning.

License

Copyright © 2026 Tim Teulings

This project is licensed under the GNU General Public License v3.0 or later — see the LICENSE file for details.

SPDX-License-Identifier: GPL-3.0-or-later

About

mesonsbom is a simple CLI tool that generates a CycloneDX SBOM from a meson build directory

Topics

mesonbuild sbom sbom-generator

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v1.2.0 Latest
May 10, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages