Use cargo-auditable with cross?
Is it possible to use cargo auditable with cross for cross compilation?
I've used it with cargo build --target=something-other-than-native-target and it worked fine. I haven't tried it with cross specifically. Try it and let me know if it works!
FWIW sccache required some fixes to work with cargo auditable. If cross doesn't Just Work, I'm happy to accept fixes for supporting cross or to help investigate why it fails.
Running cross with cargo-auditable gives me subcommand not found error:
❯ cargo auditable cross b --release
error: no such subcommand: `cross`
View all installed commands with `cargo --list`
While running cross b --release directly works as intended.
Yeah, that doesn't work because you're calling it cross not cargo cross.
Hmm. I think the best way forward is to file an issue on the cross issue tracker about potentially supporting cargo auditable. Basically a call to cargo auditable sets RUSTC_WORKSPACE_WRAPPER to itself, and saves the arguments it received into an environment variable so that the wrapper then recovers it. That's basically it as far as integration is concerned.
It's also possible to use cargo auditable as a drop-in replacement for cargo, that might come in handy.
> Yeah, that doesn't work because you're calling it cross not cargo cross.
It seems that cargo-cross does not exist and the cross crate only provides binary cross.
We've identified 2 ways to do this today in the linked Cross issue:
- Use a custom docker image which overrides cargo with cargo auditable
- Use a pre-build hook to install cargo auditable
Additionally support for Cargo subcommands is in the works in cross, which should make it even easier.
I'm going to go ahead and close this since using with cross is possible, but feel free to reopen if there's more to discuss.
> We've identified 2 ways [...]
I'm trying to do this, and I have used both custom Docker images and pre-build commands before to customize other behavior of cross, but here I am not getting far. I suspect both of these suggestions may be based on a misunderstanding of how cross works.
cross uses the host's cargo binary. The images cross uses do not actually contain a cargo binary. Adding a binary or script named cargo to the container, even in a bin directory, would not cause cross to use it. More broadly, cross does not ship a toolchain in its Docker images, nor will it use a toolchain that is added to them.
Edit: To clarify, the images contain C toolchains, but the Rust toolchain is that of the host, with any extra needed targets installed on the host via rustup. The host toolchain is mapped into the Docker container.
So for (1) I don't know what I am supposed to override, and for (2) I don't know how I would perform the installation or what difference it would make. (Regarding subcommand support in cross, unfortunately https://github.com/cross-rs/cross/issues/716 seems stalled.)
My motivation for asking is that, now that gitoxide can be built with cargo auditable (https://github.com/GitoxideLabs/gitoxide/pull/1929), I'd like to do that with cross if possible, with the idea of building all releases--most of which are built via cross--with cargo auditable.
If this can't be done, then per https://github.com/GitoxideLabs/gitoxide/discussions/1492#discussioncomment-10270462 I'll look into using cargo-zigbuild instead of cross. (Though it looks like that has its own problems, per https://github.com/rust-secure-code/cargo-auditable/issues/179.) However, in that case, it may be that this issue should be reopened.
Unfortunately cargo zigbuild fails also, for an unrelated reason: #179. But at least that could be a reasonable feature request for Zig; I simply didn't get around to submitting it yet.
You might be able to get it to work if you let cross copy over the host toolchain, but modify the container to have cargo auditable in it, and override the $PATH for commands run within the container to use it in place of Cargo, as per the drop-in replacement documentation. I'm not sufficiently familiar with Cross to tell if that's feasible.
If that's too much hassle, you can publish SBOMs as separate files instead of embedding them into the binaries, e.g. using cargo cyclonedx which is natively cross-platform, --target should just work.
Thanks--I'll look into some of that.