1 stable release
3.1.0 | Feb 27, 2025 |
---|
#11 in #cyclone-dx
151 downloads per month
2KB
CycloneDX Rust (Cargo) Plugin
The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all project dependencies. OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard providing advanced supply chain capabilities for cyber risk reduction.
Structure
This repository contains two separate projects:
cyclonedx-bom
is a Rust library to read and write CycloneDX SBOMs to and from Rust structs.cargo-cyclonedx
is a Rust application, which generates CycloneDX SBOMs for Cargo based Rust projects (it usescyclonedx-bom
for that purpose).
Usage
Execute cargo-cyclonedx
from within a Rust project directory containing Cargo.toml.
Installing
cargo install cargo-cyclonedx
Executing binary
~/.cargo/bin/cargo-cyclonedx cyclonedx
Executing from cargo
cargo cyclonedx
Security considerations
cargo-cyclonedx
calls into Cargo internally to get information about a Rust project. Like nearly any other build system,
Cargo may run arbitrary code
when invoked on an untrusted project, so cargo-cyclonedx
should not be called on untrusted projects either.
Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the Cargo.lock
file.
However, the only way to generate the Cargo.lock
file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.
Contributing
Contributions are welcome.
See our CONTRIBUTING.md
for details.
Bug Bounty
We are running a Bug Bounty program financed by the Bug Resilience Program of the Sovereign Tech Fund. Thank you very much!
Copyright & License
CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.