
Support for -sys style crates

Open ctron opened this issue 2 years ago • 0 comments

Assuming one uses e.g. rdkafka, this pulls in rdkafka-sys, which actually contains librdkafka (a C library).

There are a bunch of dependencies which follow a -sys style pattern, adding C code to the Rust build. Such crates can sometimes be linked dynamically (re-using a system library), but sometimes they bring their own library.

In the case that such crates bring their own compiled version, I would expect to see the dependency on the SBOM too.

However, when building a Rust application with this crate (using --all), I am not made aware of the fact that this contains the code of librdkafka too:

$ cat bom.xml | grep kafka
    <component type="library" bom-ref="pkg:cargo/[email protected]">
      <name>rdkafka</name>
      <description>Rust wrapper for librdkafka</description>
      <purl>pkg:cargo/[email protected]</purl>
          <url>https://github.com/fede1024/rust-rdkafka</url>
    <component type="library" bom-ref="pkg:cargo/rdkafka-sys@4.3.0+1.9.2">
      <name>rdkafka-sys</name>
      <description>Native bindings to the librdkafka library</description>
      <purl>pkg:cargo/rdkafka-sys@4.3.0+1.9.2</purl>
          <url>rdkafka</url>
          <url>https://github.com/fede1024/rust-rdkafka</url>

The rdkafka-sys dependency looks like this:

    <component type="library" bom-ref="pkg:cargo/rdkafka-sys@4.3.0+1.9.2">
      <name>rdkafka-sys</name>
      <version>4.3.0+1.9.2</version>
      <description>Native bindings to the librdkafka library</description>
      <scope>required</scope>
      <licenses>
        <expression>MIT</expression>
      </licenses>
      <purl>pkg:cargo/rdkafka-sys@4.3.0+1.9.2</purl>
      <externalReferences>
        <reference type="other">
          <url>rdkafka</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/fede1024/rust-rdkafka</url>
        </reference>
      </externalReferences>
    </component>

It might be hard to provide an automatic way to discover this, so I think it might make sense to have the following two features:

  • Be able to attach additional (extra) dependencies to the SBOM. This would allow the developer to manually provide such information. If that would be stored in a file, alongside the crate, that could also be automatically generated.
  • Propagate such information in the dependency tree. Maybe this can be added as part of the metadata of a crate, so after resolving cargo dependencies, all extra-dependencies get added to the final result as well.

ctron Jan 09 '23 16:01
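Until an SBOM generator records the vendored C library itself, a consumer of the SBOM can at least flag the gap. The following is an added example, not code from the cyclonedx-rust-cargo project or from the issue author: it scans a CycloneDX XML document for `-sys` crates and reports those that have no non-cargo component (for example a `pkg:generic/...` purl) listed as a child in the `<dependencies>` section. It also goes a step beyond the issue by splitting the crate version on `+`, because `-sys` crates such as rdkafka-sys 4.3.0+1.9.2 conventionally (but not reliably) carry the bundled native library version as semver build metadata, which is the first thing a reviewer would want when checking that native library against advisories. The sample BOM is constructed for this example and modelled on the fragment above; the layout it assumes (one `<component>` per crate, a `<dependencies>` tree keyed by `bom-ref`) is standard CycloneDX, but the "native child component" heuristic is this example's own.

```python
"""Flag -sys crates in a CycloneDX XML SBOM whose native library is not represented."""
import xml.etree.ElementTree as ET

# Constructed sample (not real cargo-cyclonedx output). openssl-sys is given a
# non-cargo child component so it is NOT flagged; rdkafka-sys has none and IS.
SAMPLE_BOM = """<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
  <components>
    <component type="library" bom-ref="pkg:cargo/rdkafka@0.29.0">
      <name>rdkafka</name>
      <version>0.29.0</version>
      <purl>pkg:cargo/rdkafka@0.29.0</purl>
    </component>
    <component type="library" bom-ref="pkg:cargo/rdkafka-sys@4.3.0+1.9.2">
      <name>rdkafka-sys</name>
      <version>4.3.0+1.9.2</version>
      <purl>pkg:cargo/rdkafka-sys@4.3.0+1.9.2</purl>
    </component>
    <component type="library" bom-ref="pkg:cargo/openssl-sys@0.9.0">
      <name>openssl-sys</name>
      <version>0.9.0</version>
      <purl>pkg:cargo/openssl-sys@0.9.0</purl>
    </component>
    <component type="library" bom-ref="pkg:generic/openssl@3.0.0">
      <name>openssl</name>
      <version>3.0.0</version>
      <purl>pkg:generic/openssl@3.0.0</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:cargo/rdkafka@0.29.0">
      <dependency ref="pkg:cargo/rdkafka-sys@4.3.0+1.9.2"/>
    </dependency>
    <dependency ref="pkg:cargo/openssl-sys@0.9.0">
      <dependency ref="pkg:generic/openssl@3.0.0"/>
    </dependency>
  </dependencies>
</bom>
"""


def purl_type(purl: str) -> str:
    """'pkg:cargo/rdkafka-sys@4.3.0+1.9.2' -> 'cargo'; '' for anything that is not a purl."""
    if not purl.startswith("pkg:"):
        return ""
    return purl[len("pkg:"):].split("/", 1)[0]


def split_build_metadata(version: str):
    """Split '4.3.0+1.9.2' into ('4.3.0', '1.9.2'); build metadata is None when absent.
    For -sys crates the '+...' part often names the vendored native version (a
    convention, not a guarantee, so treat it as a hint to verify, not a fact)."""
    if "+" in version:
        base, meta = version.split("+", 1)
        return base, meta
    return version, None


def find_undeclared_sys_crates(xml_text: str) -> list:
    """Return [{name, version, native_version_hint}] for every cargo -sys crate that
    has no non-cargo component among its declared dependencies."""
    root = ET.fromstring(xml_text)

    # bom-ref -> component fields; '{*}' matches any XML namespace (CycloneDX uses one).
    comps = {}
    for c in root.iterfind(".//{*}component"):
        comps[c.get("bom-ref")] = {
            "name": c.findtext("{*}name", default=""),
            "version": c.findtext("{*}version", default=""),
            "purl": c.findtext("{*}purl", default=""),
        }

    # bom-ref -> set of direct child bom-refs from the <dependencies> tree.
    children = {}
    for d in root.iterfind(".//{*}dependency"):
        for child in d.findall("{*}dependency"):
            children.setdefault(d.get("ref"), set()).add(child.get("ref"))

    findings = []
    for ref, comp in comps.items():
        if not comp["name"].endswith("-sys") or purl_type(comp["purl"]) != "cargo":
            continue
        # A child whose purl type is something other than cargo (generic, deb, ...) is
        # taken as the native library being represented in the SBOM.
        native = [
            r for r in children.get(ref, ())
            if purl_type(comps.get(r, {}).get("purl", "")) not in ("cargo", "")
        ]
        if native:
            continue
        base, meta = split_build_metadata(comp["version"])
        findings.append({"name": comp["name"], "version": base, "native_version_hint": meta})
    return findings


if __name__ == "__main__":
    for f in find_undeclared_sys_crates(SAMPLE_BOM):
        print(f"{f['name']} {f['version']}: no native component declared "
              f"(build metadata hints at native version {f['native_version_hint']})")
```

Run against a real `bom.xml` by replacing `SAMPLE_BOM` with the file contents; every hit is a crate whose compiled C code is invisible to downstream vulnerability matching until someone adds the native component by hand, which is exactly the manual "extra dependencies" mechanism the issue asks for.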