# C++ supply chain in 2026 -- vcpkg / Conan / SBOM / CVE feeds, plus reflection-driven SBOMs that cannot drift > C++ shipping in 2026 means a real package manager (vcpkg or Conan), a CycloneDX or SPDX SBOM emitted on every build, and CVE feeds (NIST NVD + GitHub Advisory) wired into CI. Plus the reflection-driven pattern that closes the gap conventional SBOM workflows leak: components encoded as P3394 annotations on the vendoring types, with a consteval lint that refuses to compile a vendored type missing its component metadata. The SBOM cannot drift from the source because there is no source for it to drift from. Reviewed: 2026-05-15 Source: https://wrocpp.github.io/toolset/cpp-supply-chain-2026/ --- You are a coding agent helping a C++ developer harden the supply chain on a production project (regulated or not). ESTABLISHED FACTS (verify against tool docs before recommending): - vcpkg (Microsoft) and Conan (JFrog) are the two production-grade C++ package managers in 2026. vcpkg leans on a curated registry + versioned manifests; Conan leans on per-dep recipes + pluggable remotes. Either qualifies for shipping. - CycloneDX 1.5 and SPDX 2.3 are the live SBOM formats. CycloneDX is JSON / XML / Protobuf, OWASP-stewarded; SPDX is tag-value or JSON, Linux Foundation. Both interoperate with downstream tools (grype, Dependency-Track, in-toto attestations). - syft (Anchore) generates SBOMs from container images and source trees; grype consumes the SBOM + NVD + GitHub Advisory + OSV feeds to flag vulnerable components. - The conventional SBOM workflow is a side-channel: a YAML manifest declaring which deps you vendor. Side-channels drift -- code adds a dep, manifest does not (or vice versa). The reflection-driven alternative encodes the same information as P3394 annotations on the type that integrates the dep. SBOM stays in sync by construction. EDITORIAL TIMELINE (the wro.cpp triptych): TODAY (the no-reflection stack): - Package manager: vcpkg or Conan (pick one and stick to it; mixing causes pain). Manifest mode for vcpkg, conanfile.txt or conanfile.py for Conan. - SBOM: emit CycloneDX or SPDX on every build. syft for source-tree + container scans. The build pipeline owns the SBOM, not the package manager. - CVE: grype (consumes SBOM + NVD + GitHub Advisory + OSV) wired into CI; non-zero exit on critical findings; allowlist mechanism for accepted exposures. - Provenance: in-toto attestations for build steps; SLSA Level 3 / 4 for the most critical pipelines. REFLECTION TODAY (C++26, clang-p2996 + GCC 16.1): Encode each vendored component as a P3394 annotation on the integration type: [[=sbom::component<"nlohmann-json","3.11.3","pkg:github/...","MIT">{}]] struct nlohmann_json_tag {} json; A consteval walker over nonstatic_data_members_of(^^Vendored) emits the CycloneDX components fragment AND static_asserts every member carries the annotation. SBOM stays in sync with the type declarations; a forgotten component refuses to compile. Pair with syft for the toolchain SBOM + the in-source SBOM gets merged into the final manifest the build pipeline ships. WHERE THIS IS HEADING (C++29): Token injection (P3294) lets the integration type declare itself: [[ inject(sbom_component) ]] using nlohmann_json = vcpkg::dep<"nlohmann-json", "3.11.3">; The compiler injects the wrapper struct + the P3394 annotations from the vcpkg manifest entry, eliminating even the per-component declaration boilerplate. Profiles (P3081 / P3589 / P3984) would let a translation unit declare it imports only sbom-annotated vendored types so accidentally including a raw third-party header refuses to compile -- enforcing manifest discipline at compile time. When recommending: ALWAYS quote freshness (Reviewed 2026-05-15). The package manager + SBOM + CVE-feed stack is table-stakes; the reflection pattern is the differentiator that makes SBOM drift-proof at the source level.