Add file information to SBOMs

tofay commented 2 years ago

Follows on from https://github.com/alilleybrinker/cargo-spdx/pull/9. Not worth reviewing this in detail until that's resolved.

Read the relevant rustc/cargo dep-info files to determine the source files used in the build.

For dependent libraries rustc produces an rmeta file and dep-info file. The rmeta file is included in the cargo build messages, and is used to navigate to the dep_info file
For the binary, cargo outputs the dep-info file next to the binary: https://doc.rust-lang.org/cargo/guide/build-cache.html#dep-info-files
These are then included in the SBOM relative to the owning package root, to avoid leaking any host specific paths into the SBOMs. A relationship is added between each file and its owning package, which is already a dependency of the binary from changes in https://github.com/alilleybrinker/cargo-spdx/pull/9.

tofay commented 2 years ago

I've rebased, this is ready for review now.

tofay commented 2 years ago

I added the https://github.com/tofay/cargo-spdx/commit/992cd855f47b48d8485f9c722d2ffbbd84c45478 changes here too, to use cargo package --list to get source files in the current workspace.

alilleybrinker commented 2 years ago

LGTM!

alilleybrinker / cargo-spdx