cyclonedx-rust-cargo

Capture data only available during the build process

Open Shnatsel opened this issue 2 years ago • 3 comments

There is a certain amount of data that is only available during or after the actual build, such as a hash of the resulting binary, the RUSTFLAGS used (not just from the environment variable but also from the Cargo configuration), etc.

There are two ways to implement it:

  1. Hook into the build process, similar to how https://github.com/rust-secure-code/cargo-auditable works
  2. The hypothetical "build info" file that's being discussed by the Cargo team could be used to achieve this.

Shnatsel, Nov 02 '23 21:11

cargo build -Z unstable-options --build-plan might also help. I have not investigated it in detail. It will still be missing the hash of the final binary, etc.

Shnatsel, Nov 03 '23 00:11

There is a ticket to maybe delete build-plan support, so I would not recommend relying on it.

In any case, it is the plan of what will run, not what did run. The idea of @epage and @arlosi was to introduce a machine-readable file ("build info") that records everything that actually was built (and how).

There is no tracking issue for this yet but I hope that we'll have something soon.

lfrancke, Nov 03 '23 08:11

The build-info pre-RFC can be found here: https://internals.rust-lang.org/t/pre-rfc-cargo-sbom/19842

Shnatsel, Nov 12 '23 22:11