Managing dependencies in non-manifest languages
2 points by riteshnoronha16 12 hours ago | 1 comments

Automated Software Composition Analysis (SCA) tools are unreliable in C/C++, embedded, legacy, and hybrid codebases. They produce false positives, miss vendored and patched components, and have no story for per-build-variant SBOMs.

For these projects, the practical workflow is for developers to curate component metadata by hand and generate a compliant SBOM from it deterministically, reproducibly, and at per-artifact granularity. We have seen this pattern at many organizations, and we wanted to create some basic standardizations to help capture the intent.

https://github.com/interlynk-io/bomtique

If you are working in non-manifest-based languages and have CRA regulations requiring you to create an SBOM, give it a shot and let us know if this helps.

An overview of how it can be used:

https://github.com/interlynk-io/bomtique/blob/main/docs/getting-started.md

If you use AI coding agents, use the prompt below to get started:

https://github.com/interlynk-io/bomtique/blob/main/prompts/agent-onboarding.md
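The workflow the post describes (hand-curated component metadata in, a deterministic per-variant SBOM out) is small enough to show end to end. The block below is an added illustration written for this page, not bomtique's code or its file format: the curation record, its key names (`origin`, `path`, `patches`, `variants`), the `curation:*` property names and the component list are all constructed for the example. It emits CycloneDX 1.5 JSON, selects components per build variant, records vendored paths and local patches in the component's `pedigree`, and serializes with sorted keys and no timestamp or random serial number so that the same curation always yields byte-identical output that can be diffed in review and hash-pinned per artifact. It also includes the consistency checks a reviewer would want on the hand-written data (missing fields, duplicate entries, vendored components without an in-tree path, references to unknown variants).

```python
"""Deterministic per-variant CycloneDX SBOM from hand-curated component metadata.

Added example for this thread; not bomtique's code or format. All data is constructed.
"""
import hashlib
import json
from typing import Any

# Constructed, hypothetical curation record. In a real tree this would be a small
# YAML/JSON file committed next to the sources; the key names are this example's own.
CURATED: dict[str, Any] = {
    "product": {"name": "sensor-fw", "version": "2.4.1", "type": "firmware"},
    "variants": ["base", "net"],
    "components": [
        {"name": "zlib", "version": "1.2.13", "license": "Zlib",
         "purl": "pkg:generic/zlib@1.2.13", "origin": "vendored",
         "path": "third_party/zlib", "patches": ["patches/zlib-inflate-bounds.diff"],
         "variants": ["all"]},
        {"name": "lwip", "version": "2.1.3", "license": "BSD-3-Clause",
         "purl": "pkg:generic/lwip@2.1.3", "origin": "vendored",
         "path": "third_party/lwip", "patches": [], "variants": ["net"]},
        {"name": "newlib", "version": "4.3.0", "license": "BSD-2-Clause",
         "purl": "pkg:generic/newlib@4.3.0", "origin": "toolchain",
         "path": None, "patches": [], "variants": ["all"]},
    ],
}

REQUIRED = ("name", "version", "license", "purl", "origin", "variants")


def validate(curated: dict[str, Any]) -> list[str]:
    """Return human-readable problems with the hand-written data; [] means usable."""
    problems: list[str] = []
    known = set(curated["variants"]) | {"all"}
    seen: set[tuple[Any, Any]] = set()
    for c in curated["components"]:
        label = f"{c.get('name', '?')}@{c.get('version', '?')}"
        for key in REQUIRED:
            if not c.get(key):
                problems.append(f"{label}: missing '{key}'")
        ident = (c.get("name"), c.get("version"))
        if ident in seen:
            problems.append(f"{label}: duplicated entry")
        seen.add(ident)
        if c.get("origin") == "vendored" and not c.get("path"):
            problems.append(f"{label}: vendored component has no in-tree path")
        if c.get("patches") and c.get("origin") != "vendored":
            problems.append(f"{label}: patches declared for a non-vendored component")
        for v in c.get("variants", []):
            if v not in known:
                problems.append(f"{label}: unknown variant '{v}'")
    return problems


def select_components(curated: dict[str, Any], variant: str) -> list[dict[str, Any]]:
    """Components that ship in the given build variant ('all' matches every variant)."""
    if variant not in curated["variants"]:
        raise ValueError(f"unknown build variant: {variant}")
    return [c for c in curated["components"]
            if "all" in c["variants"] or variant in c["variants"]]


def to_cyclonedx(curated: dict[str, Any], variant: str) -> dict[str, Any]:
    """Build a CycloneDX 1.5 document for one variant, with stable component order."""
    product = curated["product"]
    comps: list[dict[str, Any]] = []
    for c in sorted(select_components(curated, variant), key=lambda x: (x["name"], x["version"])):
        entry: dict[str, Any] = {
            "type": "library", "name": c["name"], "version": c["version"], "purl": c["purl"],
            "licenses": [{"license": {"id": c["license"]}}],
            "properties": [{"name": "curation:origin", "value": c["origin"]}],
        }
        if c.get("path"):
            entry["properties"].append({"name": "curation:path", "value": c["path"]})
        if c.get("patches"):  # local patches make this differ from the upstream purl
            entry["pedigree"] = {"patches": [{"type": "unofficial", "diff": {"url": p}}
                                             for p in sorted(c["patches"])]}
        comps.append(entry)
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {
            "type": product["type"], "name": product["name"], "version": product["version"],
            "properties": [{"name": "curation:variant", "value": variant}]}},
        "components": comps,
    }


def serialize(bom: dict[str, Any]) -> str:
    """Canonical text: sorted keys, fixed indent, trailing newline; no timestamp or UUID."""
    return json.dumps(bom, sort_keys=True, indent=2, ensure_ascii=False) + "\n"


def sbom_digest(text: str) -> str:
    """SHA-256 of the canonical text, suitable for pinning next to the built artifact."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    if problems := validate(CURATED):
        raise SystemExit("curation errors:\n  " + "\n  ".join(problems))
    for v in CURATED["variants"]:
        text = serialize(to_cyclonedx(CURATED, v))
        assert text == serialize(to_cyclonedx(CURATED, v)), "output not reproducible"
        print(f"{v}: {len(json.loads(text)['components'])} components  sha256={sbom_digest(text)}")
```

Running it prints one line per variant; the `base` SBOM contains zlib and newlib, the `net` SBOM adds lwip, and the printed digests are stable across runs because nothing time- or host-dependent enters the document. Anything a CI job should reject (a vendored library with no path, a patch on a toolchain component, a typo in a variant name) surfaces from `validate` before any SBOM is written.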

amitlimaye 3 hours ago | parent

Yep, this should be useful for non-manifest languages. How does it actually work? I tried bomtique on my toy C project and it went pretty well. Does this work on something more complex like a DPDK app?