cargo
cargo copied to clipboard
rust-lang
feat: implement RFC 3553 to add SBOM support
What does this PR try to resolve?
This PR is an implementation of RFC 3553 to add support to generate pre-cursor SBOM files for compiled artifacts in Cargo.
How should we test and review this PR?
The RFC 3553 adds a new option to Cargo to emit SBOM pre-cursor files. A project can be configured either by the new Cargo config field sbom.
# .cargo/config.toml
[build]
sbom = true
or using the environment variable CARGO_BUILD_SBOM=true. The sbom option is an unstable feature and requires the -Zsbom flag to enable it.
Check out this branch & compile Cargo. Pick a Cargo project to test it on, then run:
CARGO_BUILD_SBOM=true <path/to/compiled/cargo>/target/debug/cargo build -Zsbom
All generated *.cargo-sbom.json files are located in the target folder alongside their artifacts. To list all generated files use:
find ./target -name "*.cargo-sbom.json"
then check their content. To see the current output format, see these examples.
What does the PR not solve?
The PR leaves a task(s) open that are either out of scope or should be done in a follow-up PRs.
- does not address #6313 (see comment)
Additional information
There are a few things that I would like to get feedback on, in particular the generated JSON format is not final. Currently it holds the information listed in the RFC 3553, but it could be further enriched with information only available during builds.
During the implementation a number of questions arose.
- Is using the
UnitGraphthe right structure to determine all dependencies? - Is the location in the
compilemethod to generate the SBOM files appropriate? - Is there important information missing from the generated output, some fields that should be omitted?
- How best to check JSON output in the related tests in
testsuite, are useful tests missing? - Are custom build script dependencies correctly resolved?
Thanks @arlosi, @RobJellinghaus and @lfrancke for initial guidance & feedback.
- RFC: #rust-lang/rfcs/pull/3553
- SBOM output examples (
serde_json&axum-corecrates)
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks.
Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (S-waiting-on-review and S-waiting-on-author) stays updated, invoking these commands when appropriate:
@rustbot author: the review is finished, PR author should check the comments and take action accordingly@rustbot review: the author is ready for a review, this PR will be queued again in the reviewer's queue
Much respect for your contribution.
From my kind reminders, it seems appropriate to modify the documentation of the corresponding sections, e.g. Configuration, Environment Variables.
Thanks for the reminder, @heisen-li. Would love to see a doc update, though we should probably focus on the design discussion first, as the location of the configuration is not yet decided. (See https://github.com/rust-lang/rfcs/pull/3553#discussion_r1442335016).
One approach for the docs (if this is looking to be merged) is to put the env and config documentation fragments in the Unstable docs.
:umbrella: The latest upstream changes (presumably #13571) made this pull request unmergeable. Please resolve the merge conflicts.
:umbrella: The latest upstream changes (presumably #13992) made this pull request unmergeable. Please resolve the merge conflicts.
:umbrella: The latest upstream changes (presumably #13900) made this pull request unmergeable. Please resolve the merge conflicts.
:umbrella: The latest upstream changes (presumably #13947) made this pull request unmergeable. Please resolve the merge conflicts.