rust-secure-code / cargo-auditable

Make production Rust binaries auditable
Apache License 2.0
646 stars 28 forks source link

Out of the box support for other formats #97

Closed ctron closed 1 year ago

ctron commented 1 year ago

Assuming I want to leverage the information generated by a built using cargo auditable, I can extract the information using the tool rust-audit-info. However, this uses the internal JSON format.

In order to make to work with other tools, I need to convert the information into another format, like CycloneDX's SBOM.

I could do this by piping the output of rust-audit-info into my own tool, and convert the format. But I think it would be nice to have:

ctron commented 1 year ago

I started to play with idea as part of a PoC: https://github.com/ctron/ktt

Shnatsel commented 1 year ago

rust-audit-info is deliberately minimal, but I would welcome other tools for working with the format. I'm happy to link to your tool from the README, etc.

That said, https://github.com/anchore/syft can convert this data to a variety of formats already, so implementing my own converter was not a priority.

ctron commented 1 year ago

That is very kind, but I am not sure linking to this tool provides much value at the moment :)

I also completely understand the idea of keeping this crate minimal.

I also saw cargo audit, so maybe this would be a functionality which would be more suitable for something like cargo audit bin --sbom? So this is more like a discussion at the root level of the issue :)

One thing I already noticed is that some information is missing for other formats. Things like authors, licenses, descriptions, links, … but I guess this is something to discuss in another issue.

But having some translation functionality (not necessarily in rust-audit-info) might make this problem more transparent. And cargo auditable is the root source of this information.

Anyway, I am more exploring and looking for input than suggesting anything :)

Shnatsel commented 1 year ago

I'm going to close this as a work item for cargo auditable because https://github.com/anchore/syft already provides this today, but I'm happy to see more tools in this are and I'm happy to help if anyone ends up making them.

Shnatsel commented 8 months ago

I have written a native Rust converter from the cargo auditable format to CycloneDX. It can be used both as a CLI binary via auditable2cdx and as a library crate auditable-cyclonedx.