"Software Bill of Materials" for an Unreal project

As the security risk in software gets more apparent, a lot of companies and governments mandate a "Software Bill of Materials" (SBOM) for delivered projects. It is also more and more demanded that this bill be generated and not merely written down by the developers, to ensure an up-to-date overview of the status of the components.

For Java and JS projects there are already scanners which serve that need (e.g. BlackDuck) and generate the SPDX standard. In Unreal projects I'm not aware of a good solution. Since Unreal has its own very unique and powerful build system, one cannot know what ends up in a build, since it depends heavily on plugin configuration. Plugin dependencies can be explicit or automatic (defaults), and the plugins themselves depend on other plugins or FOSS libraries…

So I wonder if someone had the same problem and found a solution.

A possible solution would be to enable the Unreal Engine Build-System to output its dependency graph for a given project configuration (Shipping, Develop, with or without Editor).

The FOSS disclosure seems like a bureaucratic nightmare, but to be honest, most of the time we have not the slightest idea what software components we use and deliver! And when the next SolarWinds or Log4j hits the fan, we would be grateful to have an SPDX file for our software!

Regards

Mercedes-Benz Tech Motion

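The dependency walk the post asks the build system for, as an added example that is not part of the original post and not Epic's tooling: a Python script that reads the plugin lists from a `.uproject` and the `.uplugin` descriptors it points at, resolves the transitively enabled plugin set (explicit enables plus `EnabledByDefault` plugins the project does not disable, an approximation of UnrealBuildTool's rule rather than its exact logic), and emits an SPDX 2.3-style JSON document with `DEPENDS_ON` relationships. The descriptors below are constructed in memory as stand-ins for files under `<Project>/Plugins` and `<Engine>/Plugins`; dependencies whose descriptor cannot be found are reported instead of silently dropped, since an SBOM that hides gaps is worse than one that flags them.

```python
"""Generate an SPDX-style plugin dependency graph for an Unreal project.

Added example (not Epic's or the poster's code). Assumes the descriptor
fields UnrealBuildTool reads: .uproject "Plugins" [{"Name","Enabled"}],
.uplugin "VersionName", "EnabledByDefault", "Plugins", "Modules".
"""
import json
from collections import deque

# Constructed sample descriptors keyed by plugin name (stand-ins for files).
UPROJECT = {
    "FileVersion": 3,
    "Modules": [{"Name": "MyGame", "Type": "Runtime", "LoadingPhase": "Default"}],
    "Plugins": [
        {"Name": "OnlineSubsystem", "Enabled": True},
        {"Name": "LegacyStuff", "Enabled": False},  # explicitly disabled
    ],
}

UPLUGINS = {
    "OnlineSubsystem": {"VersionName": "1.0",
                        "Plugins": [{"Name": "OnlineSubsystemUtils", "Enabled": True}],
                        "Modules": [{"Name": "OnlineSubsystem", "Type": "Runtime"}]},
    "OnlineSubsystemUtils": {"VersionName": "1.0",
                             "Plugins": [{"Name": "ThirdPartyNet", "Enabled": True}],
                             "Modules": [{"Name": "OnlineSubsystemUtils", "Type": "Runtime"}]},
    "ThirdPartyNet": {"VersionName": "2.4.1", "Plugins": [],
                      "Modules": [{"Name": "ThirdPartyNet", "Type": "Runtime"}]},
    # EnabledByDefault, but the project disables it above: must NOT appear.
    "LegacyStuff": {"VersionName": "0.9", "EnabledByDefault": True,
                    "Plugins": [{"Name": "ThirdPartyNet", "Enabled": True}],
                    "Modules": [{"Name": "LegacyStuff", "Type": "Runtime"}]},
    # EnabledByDefault and not mentioned by the project: pulled in "automatically".
    "DefaultTelemetry": {"VersionName": "3.1", "EnabledByDefault": True,
                         "Plugins": [{"Name": "UnknownSdk", "Enabled": True}],  # no descriptor
                         "Modules": [{"Name": "DefaultTelemetry", "Type": "Runtime"}]},
}


def root_plugins(uproject, uplugins):
    """Plugins enabled at project level: explicit enables in the .uproject plus
    EnabledByDefault descriptors the .uproject does not explicitly disable
    (an approximation of UnrealBuildTool's rule, assumed here)."""
    explicit = {p["Name"]: bool(p.get("Enabled", False)) for p in uproject.get("Plugins", [])}
    roots = {name for name, on in explicit.items() if on}
    for name, desc in uplugins.items():
        if desc.get("EnabledByDefault", False) and explicit.get(name, True):
            roots.add(name)
    return sorted(roots)


def resolve(uproject, uplugins):
    """Transitive walk over plugin-to-plugin dependencies.
    Returns (edges, missing): edges maps each enabled plugin to its sorted enabled
    dependencies; missing lists dependency names with no descriptor found."""
    edges, missing, seen = {}, set(), set()
    queue = deque(root_plugins(uproject, uplugins))
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        desc = uplugins.get(name)
        if desc is None:
            missing.add(name)
            continue
        deps = sorted(p["Name"] for p in desc.get("Plugins", []) if p.get("Enabled", False))
        edges[name] = deps
        queue.extend(deps)
    return edges, sorted(missing)


def spdx_ref(name):
    return "SPDXRef-Plugin-" + name


def to_spdx(project_name, uproject, uplugins):
    """Emit an SPDX 2.3-shaped JSON document: one package per enabled plugin and a
    DEPENDS_ON relationship per resolved edge. Unresolved names go in the document comment."""
    edges, missing = resolve(uproject, uplugins)
    packages = [{"SPDXID": "SPDXRef-Project", "name": project_name, "downloadLocation": "NOASSERTION"}]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": "SPDXRef-Project"}]
    for name in sorted(edges):
        packages.append({"SPDXID": spdx_ref(name), "name": name,
                         "versionInfo": uplugins[name].get("VersionName", "NOASSERTION"),
                         "downloadLocation": "NOASSERTION"})
    for name in root_plugins(uproject, uplugins):
        if name in edges:
            relationships.append({"spdxElementId": "SPDXRef-Project", "relationshipType": "DEPENDS_ON",
                                  "relatedSpdxElement": spdx_ref(name)})
    for name, deps in sorted(edges.items()):
        for dep in deps:
            if dep in edges:
                relationships.append({"spdxElementId": spdx_ref(name), "relationshipType": "DEPENDS_ON",
                                      "relatedSpdxElement": spdx_ref(dep)})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": project_name + "-sbom",
            "documentNamespace": "https://example.invalid/sbom/" + project_name,  # placeholder
            "comment": "Unresolved plugin dependencies: " + (", ".join(missing) or "none"),
            "packages": packages, "relationships": relationships}


if __name__ == "__main__":
    print(json.dumps(to_spdx("MyGame", UPROJECT, UPLUGINS), indent=2))
```

The two edge cases the post raises are both exercised by the sample data: `LegacyStuff` is `EnabledByDefault` yet disabled by the project and stays out of the graph, while `DefaultTelemetry` is never mentioned by the project and still lands in the SBOM (that is the "automatic" dependency that a hand-written list would miss). In a real run the dictionaries would be replaced by `json.load` over the descriptor files for the chosen target and configuration, since which plugins are enabled differs between Editor and Shipping builds.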