
Integrate improvements from `cargo cyclonedx`?

Open Shnatsel opened this issue 2 years ago • 3 comments

I have recently overhauled a similar tool, cargo cyclonedx. I think cargo sbom would benefit from some of the improvements I made there, specifically:

  • The ability to generate the SBOM for a specific platform with --target
  • The ability to select Cargo features via Cargo-compatible flags such as --no-default-features, --all-features, --features=.... Right now cargo sbom always records the dependency tree for all features.
  • Inclusion of the git and custom registry URLs into the PURL (there are qualifiers for it defined in the specification)
  • Record the binary targets of the toplevel package (e.g. fd-find package has the binary called fd, some packages have multiple binaries)

I am not familiar with the SPDX format so I am not sure if these items also apply there.

Would you be interested in integrating similar changes into cargo sbom? I could probably open pull requests for at least some of this.

Shnatsel avatar Nov 13 '23 23:11 Shnatsel

@Shnatsel sorry to miss this, yes, features have been something that's been on the back of my mind for a while. I'm happy if you want to propose changes, else if you can point me to the impl (I can probably browse around for it) I can probably find some time to incorporate.

psastras avatar Jul 11 '24 02:07 psastras

I am no longer paid to work on Rust SBOM tooling, so I cannot open PRs myself anymore. But I am happy to point you to the equivalent code in cargo cyclonedx or answer any questions about the implementation!

The --target and feature selection are the easiest to implement - all it takes is passing the right command-line flags to cargo metadata. That's a very small change: https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/2911287b2520a7ddab1782b48c35112279b1be17/cargo-cyclonedx/src/main.rs#L131-L165 Or here are the PRs if you prefer to look at the diffs: https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/512 https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/513

The PURL construction is also very easy. It's just 85 lines, the rest is tests: https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/2911287b2520a7ddab1782b48c35112279b1be17/cargo-cyclonedx/src/purl.rs#L1-L85 ~~plus a few lines for percent encoding: https://github.com/Shnatsel/cyclonedx-rust-cargo/blob/main/cargo-cyclonedx/src/urlencode.rs~~ custom encoding not needed if you use purl crate v0.1.3 or later, but needed if you're using the packageurl crate. Or in diff form: https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/523

Recording multiple binaries for a crate is not hard either: https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/533 While this is more complete and correct than what cargo sbom does now, we've found that users find this confusing, and prefer to have an SBOM for each binary individually rather than for a whole crate. Emitting a separate SBOM for each binary and correctly handling all the edge cases was the only feature that required a fairly substantial refactoring: https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/619 although I've later revamped the CLI in https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/634

Another easy but highly desirable feature I didn't list in the initial post would be recording hashes in the SBOM: https://github.com/CycloneDX/cyclonedx-rust-cargo/pull/620 It only became possible recently, in Cargo 1.77.

Shnatsel avatar Jul 11 '24 02:07 Shnatsel
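The PURL construction discussed above (git and custom registry URLs recorded as PURL qualifiers, with percent-encoding), as an added example that is not code from cargo cyclonedx or cargo sbom. It assumes the `name`, `version` and `source` strings come from `cargo metadata`, that crates.io is the only source that gets no qualifier, that a custom registry is recorded in `repository_url` and a git source in `vcs_url`, and an encoding rule that keeps only unreserved characters plus ':' and '/' literal.

```rust
// Added example (not cargo-cyclonedx's or cargo-sbom's own code): build a
// Package URL for a Cargo dependency from the `name`, `version` and `source`
// fields that `cargo metadata` reports for each package.
// Assumptions: crates.io is the only source that needs no qualifier, a custom
// registry (`registry+` or `sparse+`) goes into the `repository_url` qualifier,
// a git source goes into `vcs_url` as `git+<url>@<commit>`, and percent-encoding
// leaves only unreserved characters plus ':' and '/' literal in qualifier values.
const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

/// Percent-encode a PURL component or qualifier value (encoding rule assumed above).
fn encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' | b':' | b'/' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// `source` is `None` for path dependencies (workspace members), which get no qualifier.
pub fn cargo_purl(name: &str, version: &str, source: Option<&str>) -> String {
    let mut purl = format!("pkg:cargo/{}@{}", encode(name), encode(version));
    let src = match source {
        Some(s) => s,
        None => return purl,
    };
    if src == CRATES_IO {
        return purl; // default registry: nothing to record
    }
    if let Some(url) = src.strip_prefix("registry+").or_else(|| src.strip_prefix("sparse+")) {
        purl.push_str("?repository_url=");
        purl.push_str(&encode(url));
    } else if let Some(rest) = src.strip_prefix("git+") {
        // cargo reports git sources as `git+<url>?branch=<ref>#<commit>`; the
        // branch/tag query is dropped and the resolved commit becomes `@<commit>`.
        let (url_query, commit) = rest.split_once('#').unwrap_or((rest, ""));
        let url = url_query.split_once('?').map_or(url_query, |(u, _)| u);
        let vcs = if commit.is_empty() { format!("git+{url}") } else { format!("git+{url}@{commit}") };
        purl.push_str("?vcs_url=");
        purl.push_str(&encode(&vcs));
    }
    purl
}
```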

@Shnatsel thanks!

I'm not paid to work on this either, hence the slow replies and work, will take a look!

psastras avatar Jul 16 '24 23:07 psastras