Rust binaries can statically link to native libraries generated by build scripts. These libraries should be included in the SBOM.
cargo build
JSON messages can show what libraries are linked (via the linked_libs
field) , and the linker search paths configured by the build script. cargo-spdx could use this to look for the linked libraries.
Examples (from cargo build --message-format json | grep build-script
of cargo-spdx itself):
{"reason":"build-script-executed","package_id":"openssl-sys 0.9.74 (registry+https://github.com/rust-lang/crates.io-index)","linked_libs":["static=ssl","static=crypto"],"linked_paths":["native=/home/tom/.target/debug/build/openssl-sys-15856e134bacc665/out/openssl-build/install/lib"],"cfgs":["const_fn","osslconf=\"OPENSSL_NO_COMP\"","osslconf=\"OPENSSL_NO_SSL3_METHOD\"","osslconf=\"OPENSSL_NO_SEED\"","ossl101","ossl102","ossl102f","ossl102h","ossl110","ossl110f","ossl110g","ossl110h","ossl111","ossl111b","ossl111c"],"env":[],"out_dir":"/home/tom/.target/debug/build/openssl-sys-15856e134bacc665/out"}
{"reason":"build-script-executed","package_id":"libssh2-sys 0.2.23 (registry+https://github.com/rust-lang/crates.io-index)","linked_libs":["static=ssh2"],"linked_paths":["native=/home/tom/.target/debug/build/libssh2-sys-eb5dddeb5944716b/out/build"],"cfgs":[],"env":[],"out_dir":"/home/tom/.target/debug/build/libssh2-sys-eb5dddeb5944716b/out"}
{"reason":"build-script-executed","package_id":"libgit2-sys 0.13.4+1.4.2 (registry+https://github.com/rust-lang/crates.io-index)","linked_libs":["static=git2"],"linked_paths":["native=/home/tom/.target/debug/build/libgit2-sys-ebe9f6f73e42c271/out/build"],"cfgs":["libgit2_vendored"],"env":[],"out_dir":"/home/tom/.target/debug/build/libgit2-sys-ebe9f6f73e42c271/out"}
The out_dir typically contains the sources used to build the linked library - suspect we should include SBOM entries for all files in the out_dir.