CycloneDX / cyclonedx-rust-cargo

Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
https://cyclonedx.org/
Apache License 2.0

Metadata components should not have sub-components #763

Open empwilli opened 4 weeks ago

empwilli commented 4 weeks ago

As of now, cargo-cyclonedx explicitly creates sub-components for the component entry in the metadata for the respective compilation targets.

This appears to contradict the suggestions in the Authoritative Guide to SBOM, which states that "The SBOM should have a single bom.metadata.component without subcomponents".

This has the consequence that generated SBoMs currently cannot be properly processed by third-party tools, e.g., Dependency Track.
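To make the structural point concrete, here is an added example (not code from cargo-cyclonedx or from the issue author) that checks whether a CycloneDX SBOM nests sub-components under `bom.metadata.component`, and optionally strips them as a post-processing workaround. The XML namespace is the 1.3 one quoted later in this thread; the sample documents, the nested layout for compilation targets and the `strip_metadata_subcomponents` workaround are constructed assumptions about the generator's output, not verified against it. It also handles the JSON form of the same check, which the thread does not show.

```python
"""Check a CycloneDX SBOM for sub-components nested under metadata.component.

Added example, not cargo-cyclonedx code. The sample SBOMs below are constructed
to mirror the shape the issue describes (assumption), not real generator output.
"""
import json
import xml.etree.ElementTree as ET

# Namespace taken from the SBOM diff quoted in the issue.
CDX_NS = "http://cyclonedx.org/schema/bom/1.3"
NS = {"c": CDX_NS}

# Constructed: metadata component carrying a nested <components> list for the
# crate's compilation target (the layout the issue reports as problematic).
NESTED_SBOM = f"""<bom xmlns="{CDX_NS}" version="1">
  <metadata>
    <component type="library">
      <name>my-project</name>
      <version>0.1.0</version>
      <purl>pkg:cargo/my-project@0.1.0?download_url=file://.</purl>
      <components>
        <component type="application">
          <name>my-project</name>
          <version>0.1.0</version>
          <purl>pkg:cargo/my-project@0.1.0?download_url=file://.#src/main.rs</purl>
        </component>
      </components>
    </component>
  </metadata>
  <components/>
</bom>
"""

# Constructed: the shape the Authoritative Guide recommends, a single metadata
# component with no sub-components.
FLAT_SBOM = f"""<bom xmlns="{CDX_NS}" version="1">
  <metadata>
    <component type="application">
      <name>my-project</name>
      <version>0.1.0</version>
      <purl>pkg:cargo/my-project@0.1.0?download_url=file://.</purl>
    </component>
  </metadata>
  <components/>
</bom>
"""

# Constructed JSON counterpart of NESTED_SBOM (CycloneDX JSON uses the same keys).
NESTED_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "metadata": {"component": {
        "type": "library", "name": "my-project", "version": "0.1.0",
        "components": [{"type": "application", "name": "my-project",
                        "version": "0.1.0",
                        "purl": "pkg:cargo/my-project@0.1.0?download_url=file://.#src/main.rs"}],
    }},
    "components": [],
})


def metadata_subcomponents_xml(xml_text: str) -> list[str]:
    """Return the purl (or name) of every component nested under metadata/component."""
    root = ET.fromstring(xml_text)
    meta = root.find("c:metadata/c:component", NS)
    if meta is None:
        return []
    found = []
    # Only descend into the metadata component; top-level bom.components is a
    # sibling of metadata and is legitimately allowed to hold components.
    for sub in meta.iterfind(".//c:components/c:component", NS):
        purl = sub.findtext("c:purl", default=None, namespaces=NS)
        name = sub.findtext("c:name", default="<unnamed>", namespaces=NS)
        found.append(purl or name)
    return found


def metadata_subcomponents_json(json_text: str) -> list[str]:
    """Same check for the JSON serialisation."""
    comp = json.loads(json_text).get("metadata", {}).get("component", {})
    return [c.get("purl") or c.get("name", "<unnamed>") for c in comp.get("components", [])]


def has_single_metadata_component(xml_text: str) -> bool:
    """True when the SBOM follows the guide's 'no sub-components' recommendation."""
    return not metadata_subcomponents_xml(xml_text)


def strip_metadata_subcomponents(xml_text: str) -> str:
    """Workaround (assumption): drop nested <components> from metadata/component.

    Returns the serialised SBOM; the default namespace is registered so the
    output keeps the plain xmlns form consumers expect.
    """
    ET.register_namespace("", CDX_NS)
    root = ET.fromstring(xml_text)
    meta = root.find("c:metadata/c:component", NS)
    if meta is not None:
        for nested in meta.findall("c:components", NS):
            meta.remove(nested)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("nested:", metadata_subcomponents_xml(NESTED_SBOM))
    print("flat ok:", has_single_metadata_component(FLAT_SBOM))
    print("stripped ok:", has_single_metadata_component(strip_metadata_subcomponents(NESTED_SBOM)))
```

Running the check against a generator's output before handing the SBOM to a consumer such as Dependency Track gives an early, tool-independent signal that the metadata component breaks the guide's recommendation; the strip function is a stopgap for the consumer side and does not replace fixing the generator's output.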

Shnatsel commented 4 weeks ago

More specifically, the guide states that subcomponents should be used in case of a "Multi-Product Solution" rather than a "Multi-Module Product".

You can work around this today with --describe=binaries, but perhaps we should adjust the --describe=crate mode and/or switch to a better default.

Could you share the exact error that DependencyTrack reports?

empwilli commented 4 weeks ago

Hi, thanks for your advice.

> You can work around this today with --describe=binaries, but perhaps we should adjust the --describe=crate mode and/or switch to a better default.

Sadly, I don't see too much difference in the resulting SBoMs:

 >  cargo cyclonedx --describe=crate -a
 >  cargo cyclonedx --describe=binaries -a
 >  diff my-project*.xml
2c2
< <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:5409cd74-0ee9-4d79-a6ff-59855524e122" version="1">
---
> <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:74c46a33-405f-49e2-980d-a592c338df5a" version="1">
4c4
<     <timestamp>2024-08-23T06:07:23.503610541Z</timestamp>
---
>     <timestamp>2024-08-23T06:07:14.152732469Z</timestamp>
25c25
<       <purl>pkg:cargo/my-project@0.1.0?download_url=file://.#src/main.rs</purl>
---
>       <purl>pkg:cargo/my-project@0.1.0?download_url=file://.</purl>

> Could you share the exact error that DependencyTrack reports?

It boils down to parsing errors with Jackson in the cyclonedx-core-java package; I've already filed a bug over there. The Dependency Track error logs then contain the stack trace I quoted in https://github.com/CycloneDX/cyclonedx-core-java/issues/447#issue-2392192057.

Edit: formatting