Skip to content

Use cargo SBOM precursor files, if available #213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Use cargo SBOM precursor files, if available #213

wants to merge 2 commits into from

Conversation

tofay
Copy link
Contributor

@tofay tofay commented Jun 19, 2025

If cargo sbom function is enabled, cargo-auditable will read the SBOM precursor file and use it to generate dependency information rather than trying to use the cargo metadata command.

Closes #192

Slightly interestingly, cargo didn't include build dependencies for the test fixtures unless I added a build.rs files.

@tofay
cargo sbom integration
3634e94 
If cargo sbom function is enabled, cargo-auditable will read the
SBOM precursor file and use it to generate dependency information
rather than trying to use the `cargo metadata` command.
@Shnatsel
Copy link
Member

Thanks a lot! I'll take a closer look in the next few days.

Slightly interestingly, cargo didn't include build dependencies for the test fixtures unless I added a build.rs files.

Looks like a bug in Cargo's SBOM support. I don't think we can actually ship with a bug like that.

@arlosi are you aware of this issue? Should we file a bug upstream against Cargo?

@tofay
Copy link
Contributor Author

tofay commented Jun 19, 2025
edited
Loading

Isn't that a case of cargo being more accurate than cargo metadata? Without a build.rs, a crate can have no build dependencies, regardless of what is declared in Cargo.toml.

@Shnatsel
Copy link
Member

Ah, you are probably right! I am a little rusty on the finer points of Cargo dependencies.

Shnatsel
Shnatsel reviewed Jun 19, 2025
View reviewed changes
Copy link
Member

@Shnatsel Shnatsel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've only done a cursory look so far - it's a really hot day, sorry 😅

By and large this looks great! I've noted some nits, and I'll take a closer look at the format transformation algorithm in the next few days.

Thanks again!

cargo-auditable/Cargo.toml
@@ -21,6 +21,7 @@ cargo_metadata = "0.18"
pico-args = { version = "0.5", features = ["eq-separator", "short-space-opt"] }
serde = "1.0.147"
wasm-gen = "0.1.4"
cargo-util-schemas = "0.8.1"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pulls in a really sprawling dependency tree. If we're only using two structs from it anyway, I'd prefer to just copy-paste their definitions and avoid this massive dependency bloat.

cargo auditable is meant to be used by companies too, and I shudder at the thought of dragging all that through a security review.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I was going to ask about this, all 400 lines of cargo.lock additions are from this dep

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most of the new dependencies result from cargo-util-schemas depending on url, which is necessary to parse the package id spec that is part of the SBOM precursor. So I suggest we just keep the dependency here?

Since cargo-util-schemas is a dependency of cargo, any company that is reviewing all its dependencies will already depend on some versions of the new deps via cargo anyway.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need to parse the package ID spec with the full generality of URLs?

Can we use either a stripped-down version of URL crate with all the fancy features disabled, or just rely on the crate names being ASCII without weird characters?

Also, if the package ID spec cannot be treated as mostly opaque and we need the full generality of the URL crate to actually parse it, that's an issue with the format that I'd like to get fixed before it's stabilized.

@Shnatsel
Copy link
Member

Okay, I think I found an actual bug in Cargo: if I run cargo +nightly build -Z sbom --release and then CARGO_BUILD_SBOM=true cargo +nightly build -Z sbom --release, the SBOM file will not be actually generated. It seems that whether the SBOM should be built or not is not part of the check for whether a rebuild is necessary or not.

@tofay
Copy link
Contributor Author

tofay commented Jun 22, 2025

Okay, I think I found an actual bug in Cargo: if I run cargo +nightly build -Z sbom --release and then CARGO_BUILD_SBOM=true cargo +nightly build -Z sbom --release, the SBOM file will not be actually generated. It seems that whether the SBOM should be built or not is not part of the check for whether a rebuild is necessary or not.

Raised at rust-lang/cargo#15695

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Shnatsel Shnatsel Shnatsel left review comments

@bjorn3 bjorn3 bjorn3 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enhancement: Use SBOM generated by Cargo
3 participants
@tofay @Shnatsel @bjorn3