I’m attempting to test out the new experimental SBOM generation feature, and it seems that statically linked libraries show up as “shared” libraries in the generated SPDX. I know this feature is experimental, but before filing an issue I want to make sure that I’m not missing a flag somewhere in my configuration. The following is an attempt at a minimal CMake setup that exhibits this issue (it expects to be run on CMake 4.3.2):
CMakeLists.txt:
# Minimal reproducer for the experimental SBOM generator: a single executable
# that statically links fmt (fetched at configure time) and is then installed
# together with an SPDX document for its export set.
cmake_minimum_required(VERSION 4.3.2)
project(sbom LANGUAGES CXX)

# Project-wide C++ standard. Set before fmt is added so that any target created
# afterwards picks up the same default.
set(CMAKE_CXX_STANDARD 23)
set(CMAKE_CXX_STANDARD_REQUIRED ON)

# fmt is pulled from upstream at configure time.
# NOTE(review): a git tag is a mutable ref; pinning GIT_TAG to the release's
# commit hash would make the fetched content reproducible and verifiable.
include(FetchContent)
FetchContent_Declare(fmt
  GIT_REPOSITORY https://github.com/fmtlib/fmt.git
  GIT_TAG        12.1.0
)
FetchContent_MakeAvailable(fmt)

# The test binary: one source file, linked privately against fmt so the
# dependency does not propagate through the export set.
add_executable(sbom ${PROJECT_SOURCE_DIR}/source/sbom-test/main.cpp)
target_link_libraries(sbom PRIVATE fmt::fmt)

# Opt in to the experimental SBOM feature; the value is the feature's opt-in key.
set(CMAKE_EXPERIMENTAL_GENERATE_SBOM "ca494ed3-b261-4205-a01f-603c95e4cae0")

# Install the executable into the "sbom" export set and emit an SBOM describing
# that export set.
install(TARGETS sbom EXPORT "sbom")
install(SBOM "sbom"
  EXPORT      "sbom"
  LICENSE     "MIT"
  PROJECT     "sbom"
  DESCRIPTION "An example sbom"
)
CMakePresets.json:
{
"version": 2,
"cmakeMinimumRequired": {
"major": 4,
"minor": 3,
"patch": 2
},
"configurePresets": [
{
"displayName": "Debug",
"name": "debug",
"cacheVariables": {
"CMAKE_BUILD_TYPE": "Debug",
"CMAKE_EXPORT_COMPILE_COMMANDS": true
}
}
],
"buildPresets": [
{
"name": "debug",
"configurePreset": "debug"
}
]
}
source/sbom-test/main.cpp:
#include <fmt/base.h>
// Smoke-test entry point: prints a greeting via fmt so the executable actually
// pulls fmt's code into the link. Command-line arguments are not used.
int main(int argc, const char** argv) {
    (void)argc;
    (void)argv;
    fmt::print("Hi!");
    return 0;
}
This ends up generating a binary that statically links fmt, as I expect:
$ ldd ./build/debug/sbom
linux-vdso.so.1 (0x00007ffffab18000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x0000770ab5000000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x0000770ab532f000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x0000770ab5301000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000770ab4c00000)
/lib64/ld-linux-x86-64.so.2 (0x0000770ab5460000)
However, if you take a look at the generated SBOM, it instead records fmt as being linked in as a “shared” library:
{
"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
"@graph": [
{
"@id": "_:Build#CreationInfo",
"comment": "This SBOM was generated from the CMakeLists.txt File",
"created": "2026-05-09T18:44:25Z",
"createdBy": [
"https://gitlab.kitware.com/cmake/cmake"
],
"specVersion": "3.0.1",
"type": "CreationInfo"
},
{
"creationInfo": "_:Build#CreationInfo",
"dataLicense": "MIT",
"description": "An example sbom",
"element": [
{
"creationInfo": "_:Build#CreationInfo",
"name": "fmt",
"spdxId": "urn:fmt#Package",
"type": "software_Package"
}
],
"name": "sbom",
"profileConformance": [
"core",
"software"
],
"rootElement": [
{
"creationInfo": "_:Build#CreationInfo",
"name": "sbom",
"software_primaryPurpose": "application",
"spdxId": "urn:sbom#Package",
"type": "software_Package"
}
],
"spdxId": "urn:sbom#SPDXDocument",
"type": "SpdxDocument"
},
{
"creationInfo": "_:Build#CreationInfo",
"description": "Required Build-Time Libraries",
"from": "urn:sbom#Package",
"relationshipType": "dependsOn",
"spdxId": "urn:Shared#Relationship",
"to": [
"urn:fmt#Package"
],
"type": "Relationship"
}
]
}
Am I missing something here in my CMake, or is this an actual issue with the experimental SBOM feature?