CycloneDX Rust (Cargo) Plugin

The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all project dependencies. OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard providing advanced supply chain capabilities for cyber risk reduction.

Structure

This repository contains two separate projects:

• cyclonedx-bom is a Rust library to read and write CycloneDX SBOMs to and from Rust structs.
• cargo-cyclonedx is a Rust application, which generates CycloneDX SBOMs for Cargo based Rust projects (it uses cyclonedx-bom for that purpose).

Usage

Execute cargo-cyclonedx from within a Rust project directory containing Cargo.toml.

Installing

cargo install cargo-cyclonedx

Executing binary

~/.cargo/bin/cargo-cyclonedx cyclonedx

Executing from cargo

cargo cyclonedx

Security considerations

cargo-cyclonedx calls into Cargo internally to get information about a Rust project. Like nearly any other build system, Cargo may run arbitrary code when invoked on an untrusted project, so cargo-cyclonedx should not be called on untrusted projects either.

Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the Cargo.lock file. However, the only way to generate the Cargo.lock file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.

Contributing

Contributions are welcome. See our CONTRIBUTING.md for details.

Bug Bounty

We are running a Bug Bounty program financed by the Bug Resilience Program of the Sovereign Tech Fund. Thank you very much!

Copyright & License

CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.