cargo-auditable

Enhancement: Use SBOM generated by Cargo

Open SDAChess opened this issue 11 months ago • 6 comments

Hello,

With the merge of the Cargo SBOM into Cargo Nightly (https://github.com/rust-lang/cargo/commit/7ea222d21d43916635783130e78b925ddc03aaa2), it would be a valuable addition to the cargo-auditable code to ingest the dependencies from the generated SBOM.

It would probably solve a lot of common issues related to cargo metadata command.

I think cargo-auditable is still very relevant in generating the SBOMs from tools like syft when using containers that have their own dependencies and would love to see this work in cargo-auditable.

Let me know if there is anything I could do to help this effort, especially if you need help with contributions.

SDAChess avatar Mar 18 '25 11:03 SDAChess

I think the Cargo SBOM is produced after compiling a crate, while cargo-auditable needs to know it before compiling the crate to be able to inject an object file with the sbom when linking.

bjorn3 avatar Mar 18 '25 11:03 bjorn3

Yes, this is absolutely on my radar, both for cargo-auditable and cargo-cyclonedx. It would indeed work around all the issues with cargo-metadata.

I am currently seeking funding to be able to work full-time on cargo-auditable and cargo-cyclonedx for a while, specifically to implement this. But I'd be happy to accept a pull request that implements this as well.

Shnatsel avatar Mar 18 '25 16:03 Shnatsel

Regarding the time when the SBOM is written:

I specifically called out in the RFC for this functionality that the SBOM has to be written before the crate is actually compiled to be usable to cargo-auditable. I've checked just now, and the SBOM does seem to be generated before the crate is compiled.

Here's a quick Linux-only test to prove that the native SBOM is usable for cargo-auditable:

Name this wrapper.sh and put it in your home directory:

#!/bin/sh
# Invoked by Cargo as RUSTC_WORKSPACE_WRAPPER: "$@" is the real rustc plus its arguments.

# Dump the environment Cargo hands to the wrapper so CARGO_SBOM_PATH can be inspected.
env > "$HOME"/env.dump
# Copy the SBOM Cargo has already written before the crate is compiled.
cp "$CARGO_SBOM_PATH" "$HOME"
# Run the actual compiler invocation.
"$@"

And run this on your Cargo project: cargo clean; RUSTC_WORKSPACE_WRAPPER="$HOME"/wrapper.sh CARGO_BUILD_SBOM=true cargo +nightly build -Z sbom

If it all worked, you will see env.dump and a SBOM JSON file in your home directory.

The script ignores multi-target crates for simplicity, so best run this on a "hello world".

Shnatsel avatar Mar 18 '25 16:03 Shnatsel
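A variant of the wrapper above that also handles the multi-target case the comment leaves out, added here as an example (not code from the thread or from cargo-auditable). It assumes CARGO_SBOM_PATH holds one or more paths separated by ':' on Unix, and uses a hypothetical SBOM_DUMP_DIR variable to pick the destination directory.

```sh
#!/bin/sh
# Added example: copy every SBOM file Cargo reports, then run the real rustc.
# Assumption: CARGO_SBOM_PATH is a ':'-separated list of paths (Unix).

copy_sboms() {
    # $1: ':'-separated list of SBOM paths; $2: destination directory.
    # Prints the number of files copied (missing entries are skipped).
    list=$1
    dest=$2
    count=0
    mkdir -p "$dest"
    # Split only on ':' while iterating, then restore IFS.
    old_ifs=$IFS
    IFS=:
    for path in $list; do
        if [ -f "$path" ]; then
            cp "$path" "$dest"/
            count=$((count + 1))
        fi
    done
    IFS=$old_ifs
    echo "$count"
}

# When Cargo invokes this as RUSTC_WORKSPACE_WRAPPER, "$@" is rustc and its
# arguments: record the SBOM(s) first, then hand over to the compiler.
if [ $# -gt 0 ]; then
    copy_sboms "${CARGO_SBOM_PATH:-}" "${SBOM_DUMP_DIR:-$HOME/sbom-dump}" >/dev/null
    exec "$@"
fi
```

Use it exactly like the original wrapper: cargo clean; RUSTC_WORKSPACE_WRAPPER="$HOME"/wrapper.sh CARGO_BUILD_SBOM=true cargo +nightly build -Z sbom, then inspect the copied .json files in the dump directory.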

I am currently seeking funding to be able to work full-time on cargo-auditable and cargo-cyclonedx for a while, specifically to implement this. But I'd be happy to accept a pull request that implements this as well.

Will ask around if funding is available for such a project from our company.

I specifically called out in the https://github.com/rust-lang/rfcs/pull/3553 that the SBOM has to be written before the crate is actually compiled to be usable to cargo-auditable. I've checked just now, and the SBOM does seem to be generated before the crate is compiled.

Good to know! Will try and see if that works

SDAChess avatar Mar 18 '25 16:03 SDAChess

That might not be needed, if we're lucky. I've already found an entity that is quite enthusiastic about funding this work. We'll see if it converts into actual funding. Once it's clear if this works out or falls through, I'll let you know.

Shnatsel avatar Mar 18 '25 16:03 Shnatsel

Please let me know if there are issues using Cargo's SBOM support in cargo-auditable.

Having more projects (especially OSS projects) using the feature gets us closer to stabilization in Cargo.

arlosi avatar Apr 17 '25 16:04 arlosi