sbom-rs
A group of Rust projects for interacting with and producing software bill of materials (SBOMs).
Examples
cargo-sbom
Create a SPDX SBOM for a Cargo project
In a shell:
$ cargo sbom
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "creationInfo": {
    "created": "2023-07-04T12:38:15.211Z",
    "creators": [
      "Tool: cargo-sbom-v0.8.4"
    ]
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://docs.rs/cargo_sbom/spdxdocs/cargo-sbom-0.8.4-9cae390a-4b46-457c-95b9-e59a5e62b57d",
  "files": [
    {
<rest of output omitted>
Create a CycloneDX SBOM in GitHub Actions
In a GitHub Actions workflow:
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: psastras/sbom-rs/actions/install-cargo-sbom@cargo-sbom-latest
      - name: Run cargo-sbom
        run: cargo-sbom --output-format=cyclone_dx_json_1_4
Note that cargo-sbom-latest is a moving tag: the binary the action installs changes whenever a new release is published. If the SBOM must be reproducible, pin the install action (and actions/checkout) to a fixed release tag or commit SHA instead.
Check Dependencies against the Open Source Vulnerability Database (OSV)
Assuming osv-scanner is installed (see https://osv.dev/), write the SPDX SBOM to a file and point osv-scanner at it:
$ cargo-sbom > sbom.json
$ osv-scanner --sbom=sbom.json
Scanned sbom.json as SPDX SBOM and found 91 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────╮
│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │
├─────────────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────┤
│ https://osv.dev/GHSA-wcg3-cvx6-7396 │ 6.2, │ crates.io │ time │ 0.1.45 │ sbom.json │
│ https://osv.dev/RUSTSEC-2020-0071 │ 6.2 │ │ │ │ │
╰─────────────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────╯
Install
cargo-sbom
cargo-sbom may be installed via cargo, via cargo-binstall, or downloaded directly from the corresponding GitHub release.
Cargo
cargo install cargo-sbom
Cargo-binstall
cargo binstall cargo-sbom
GitHub Releases
The latest version is continuously published and tagged. Using curl:
# make sure to adjust the target and version (you may also want to pin to a specific version)
curl -sSL https://github.com/psastras/sbom-rs/releases/download/cargo-sbom-latest/cargo-sbom-x86_64-unknown-linux-gnu -o cargo-sbom
chmod +x cargo-sbom
The cargo-sbom-latest tag moves with each release, so the same command can fetch a different binary tomorrow; for anything beyond a quick trial, download a fixed release version instead.
Documentation
See each subproject for more detailed information:
cargo-sbom: CLI tool to produce an SBOM from a Cargo workspace. See the Rust documentation.
serde-cyclonedx: Typesafe CycloneDX structures for serializing and deserializing CycloneDX information using serde. See the Rust documentation.
serde-spdx: Typesafe SPDX structures for serializing and deserializing SPDX information using serde. See the Rust documentation.
actions: GitHub Actions to use cargo-sbom and related tools in CI workflows. See the README.md for documentation.
Development
Before you begin, ensure cargo is available on your machine. The standard cargo commands can then be run to build and test all projects in the workspace:
cargo build
cargo test
For more information on specific configurations, refer to the cargo documentation.
Releasing
To release a new version (publish to crates.io), prefix the head commit message with release: and update the relevant Rust crate versions. Once merged into main, the pipeline should pick up the change and publish a new version.
License: MIT