Closed ctron closed 1 year ago
I started to play with the idea as part of a PoC: https://github.com/ctron/ktt
rust-audit-info is deliberately minimal, but I would welcome other tools for working with the format. I'm happy to link to your tool from the README, etc.
That said, https://github.com/anchore/syft can convert this data to a variety of formats already, so implementing my own converter was not a priority.
That is very kind, but I am not sure linking to this tool provides much value at the moment :)
I also completely understand the idea of keeping this crate minimal.
I also saw cargo audit, so maybe this would be a functionality which would be more suitable for something like cargo audit bin --sbom? So this is more like a discussion at the root level of the issue :)
One thing I already noticed is that some information is missing for other formats. Things like authors, licenses, descriptions, links, … but I guess this is something to discuss in another issue.
But having some translation functionality (not necessarily in rust-audit-info) might make this problem more transparent. And cargo auditable is the root source of this information.
Anyway, I am more exploring and looking for input than suggesting anything :)
I'm going to close this as a work item for cargo auditable because https://github.com/anchore/syft already provides this today, but I'm happy to see more tools in this area and I'm happy to help if anyone ends up making them.
I have written a native Rust converter from the cargo auditable format to CycloneDX. It can be used both as a CLI binary via auditable2cdx and as a library crate auditable-cyclonedx.
Assuming I want to leverage the information generated by a build using cargo auditable, I can extract the information using the tool rust-audit-info. However, this uses the internal JSON format. In order to make it work with other tools, I need to convert the information into another format, like CycloneDX's SBOM.
I could do this by piping the output of rust-audit-info into my own tool, and convert the format. But I think it would be nice to have: rust-audit-info