A group of Rust projects for interacting with and producing software bill of materials (SBOMs).
In a shell:
$ cargo sbom
{
"SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": {
"created": "2023-07-04T12:38:15.211Z",
"creators": [
"Tool: cargo-sbom-v0.9.1"
]
},
"dataLicense": "CC0-1.0",
"documentNamespace": "https://docs.rs/cargo_sbom/spdxdocs/cargo-sbom-0.9.1-9cae390a-4b46-457c-95b9-e59a5e62b57d",
"files": [
{
<rest of output omitted>In a Github Actions workflow:
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: psastras/sbom-rs/actions/install-cargo-sbom@cargo-sbom-latest
- name: Run cargo-sbom
run: cargo-sbom --output-format=cyclone_dx_json_1_4Assumming osv-scanner is installed (see https://osv.dev/)
$ cargo-sbom > sbom.spdx.json
$ osv-scanner --sbom=sbom.spdx.json
Scanned sbom.json as SPDX SBOM and found 91 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────┤
│ https://osv.dev/GHSA-wcg3-cvx6-7396 │ 6.2, │ crates.io │ time │ 0.1.45 │ sbom.json │
│ https://osv.dev/RUSTSEC-2020-0071 │ 6.2 │ │ │ │ │
╰─────────────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────╯cargo-sbom may be installed via cargo, cargo-binstall or directly downloaded from the
corresponding Github release.
cargo install cargo-sbomcargo binstall cargo-sbomThe latest version is continuously published and tagged.
Using curl,
# make sure to adjust the target and version (you may also want to pin to a specific version)
curl -sSL https://github.com/psastras/sbom-rs/releases/download/cargo-sbom-latest/cargo-sbom-x86_64-unknown-linux-gnu -o cargo-sbomSee each subproject for more detailed information:
cargo-sbom: CLI tool to produce an SBOM from a Cargo workspace. See the Rust documentation.serde-cyclonedx: Typesafe CycloneDX structures for serializing and deserializing CycloneDX information using serde. See the Rust documentation.serde-spdx: Typesafe SPDX structures for serializing and deserializing SPDX information using serde. See the Rust documentation.actions: Github actions to usecargo-sbomand related tools in CI workflows See the README.md for documentaiton.
Before you begin, ensure the following programs are available on your machine:
Assuming cargo is installed on your machine, the standard cargo commands can
be run to build and test all projects in the workspace:
cargo build
cargo testFor more information on specific configurations, refer to the
cargo documentation.
To release a new version (publish to crates.io), prefix the head commit with release: and update the relevant rust crate versions. Once merged into main the pipeline should pick up the change and publish a new version.
License: MIT