CycloneDX / cyclonedx-rust-cargo

Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
https://cyclonedx.org/
Apache License 2.0

Capture data only available during the build process #532

Open Shnatsel opened 11 months ago

Shnatsel commented 11 months ago

There is a certain amount of data that is only available during or after the actual build, such as a hash of the resulting binary, the RUSTFLAGS used (not just from the environment variable but also from the Cargo configuration), etc.

There are two ways to implement it:

  1. Hook into the build process, similar to how https://github.com/rust-secure-code/cargo-auditable works
  2. The hypothetical "build info" file that's being discussed by the Cargo team could be used to achieve this.
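To make concrete where such post-build data would land in a CycloneDX document, here is an added Python example (not part of this thread or of the cyclonedx-rust-cargo code). It hashes a constructed stand-in for the built binary into the root component's standard hashes field and records the effective RUSTFLAGS, following Cargo's rule that the RUSTFLAGS environment variable overrides build.rustflags from .cargo/config.toml rather than merging with it. The sample SBOM and the property name cdx:rustc:rustflags are assumptions chosen for this example.

```python
import hashlib
import json
from typing import List, Optional

# Constructed sample: a minimal CycloneDX 1.5 JSON document of the kind
# cyclonedx-rust-cargo emits before any build has happened.
SBOM_BEFORE_BUILD = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "example-app", "version": "0.1.0"}
    },
    "components": [],
}

# Constructed stand-in for the compiled binary; a real build would read target/release/<bin>.
ARTIFACT_BYTES = b"\x7fELF constructed stand-in for a compiled binary"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; CycloneDX names this algorithm "SHA-256" in the hashes field."""
    return hashlib.sha256(data).hexdigest()


def effective_rustflags(env_rustflags: Optional[str], config_rustflags: List[str]) -> List[str]:
    """Mirror Cargo's precedence: when the RUSTFLAGS environment variable is set it
    replaces build.rustflags from .cargo/config.toml; the two are never merged."""
    if env_rustflags is not None:
        return env_rustflags.split()
    return list(config_rustflags)


def attach_build_info(sbom: dict, artifact: bytes, rustflags: List[str]) -> dict:
    """Return a copy of the SBOM with post-build data on the root component: the artifact
    digest in the standard `hashes` list and the flags as a custom property.
    `cdx:rustc:rustflags` is a hypothetical property name chosen for this example."""
    out = json.loads(json.dumps(sbom))  # deep copy so the caller's SBOM is untouched
    comp = out["metadata"]["component"]
    comp["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(artifact)}]
    comp.setdefault("properties", []).append(
        {"name": "cdx:rustc:rustflags", "value": " ".join(rustflags)}
    )
    return out


if __name__ == "__main__":
    flags = effective_rustflags(None, ["-C", "target-cpu=native"])
    print(json.dumps(attach_build_info(SBOM_BEFORE_BUILD, ARTIFACT_BYTES, flags), indent=2))
```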

Shnatsel commented 11 months ago

cargo build -Z unstable-options --build-plan might also help. I have not investigated it in detail. It will still be missing the hash of the final binary, etc.

lfrancke commented 11 months ago

There is a ticket to maybe delete build-plan support, so I would not recommend relying on it.

In any case, it is the plan for what will run, not what did run. The idea of @epage @arlosi was to introduce a machine-readable file ("build info") that records everything that actually was built (and how).

There is no tracking issue for this yet but I hope that we'll have something soon.

Shnatsel commented 11 months ago

The build-info pre-RFC can be found here: https://internals.rust-lang.org/t/pre-rfc-cargo-sbom/19842