mitre / hipcheck

Automatically assess and score software repositories for supply chain risk.
https://mitre.github.io/hipcheck/
Apache License 2.0

Enable users providing CycloneDX SBOMs as targets #186

Closed alilleybrinker closed 2 months ago

alilleybrinker commented 3 months ago

Hipcheck already supports SPDX 2.3 SBOMs as targets, and tries to extract source repository information out of them. At the time this support was added, the existing Rust libraries for ingesting CycloneDX documents were poor quality and in particular had severe limitations around many fields being mistakenly private in the parsed documents with no accessor methods provided either. This meant while we could parse CycloneDX documents, we couldn't use the data in the parsed documents for anything.

This was a couple of years ago, and the state of CycloneDX tooling in Rust has improved substantially. We should revisit this and add support for CycloneDX SBOMs as targets.

lfrancke commented 3 months ago

Hi, I'm one of the maintainers of the cyclonedx-rust-cargo project providing a library to read and write CycloneDX SBOMs as well as a CLI tool to generate them for Rust projects.

If you have any questions or anything is missing, please feel free to ping us. We also have a Slack channel in the CycloneDX Slack.

alilleybrinker commented 3 months ago

Thanks! We’ll definitely reach out if we have issues 😄