Cyclonedx rust cargo
Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all project dependencies. OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard providing advanced supply chain capabilities for cyber risk reduction. The project is written primarily in Rust, distributed under the Apache License 2.0 license, first published in 2019. Key topics include: bill-of-materials, bom, cargo, cargo-plugin, cyclonedx.
CycloneDX Rust (Cargo) Plugin
The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill of Materials (SBOM) containing an
aggregate of all project dependencies.
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard providing advanced supply chain capabilities for cyber risk reduction.
Structure
This repository contains two separate projects:
cyclonedx-bomis a Rust library to read and write CycloneDX SBOMs to and from Rust structs.cargo-cyclonedxis a Rust application, which generates CycloneDX SBOMs for Cargo based Rust projects (it usescyclonedx-bomfor that purpose).
Usage
Execute cargo-cyclonedx from within a Rust project directory containing Cargo.toml.
Installing
bashcargo install cargo-cyclonedx
Executing binary
bash~/.cargo/bin/cargo-cyclonedx cyclonedx
Executing from cargo
bashcargo cyclonedx
Security considerations
cargo-cyclonedx calls into Cargo internally to get information about a Rust project. Like nearly any other build system,
Cargo may run arbitrary code
when invoked on an untrusted project, so cargo-cyclonedx should not be called on untrusted projects either.
Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the Cargo.lock file.
However, the only way to generate the Cargo.lock file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.
Contributing
Contributions are welcome.
See our CONTRIBUTING.md for details.
Copyright & License
CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.
Contributors
Showing top 12 contributors by commit count.
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?v=4)
Related Repositories
DependencyTrack/dependency-track
Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
hildogjr/KiCost
Build cost spreadsheet for a KiCad project.
CycloneDX/specification
OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
CycloneDX/cyclonedx-cli
CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
CycloneDX/cyclonedx-python
CycloneDX Software Bill of Materials (SBOM) generator for Python projects and environments
spdx/spdx-spec
The System Package Data Exchange (SPDX) specification in Markdown and HTML formats.