Surface Rust dependency relationships #2353

Closed
Dungeon1 opened this issue Nov 24, 2023 · 5 comments · Fixed by #3443
Assignees
Labels
ecosystem:rust relating to the rust ecosystem enhancement New feature or request

Comments

@Dungeon1

What happened:
Syft does not create "dependencies" in the cyclonedx report for Go, Rust, Java, etc.
Cargo.lock has "dependencies". It looks like:

```toml
[[package]]
name = "yaserde"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4bf52af554a50b866aaad63d7eabd6fca298db3dfe49afd50b7ba5a33dfa0582"
dependencies = [
 "log",
 "xml-rs",
 "yaserde_derive",
]
```

But the syft output doesn't reflect this.
What you expected to happen:
Want a full cyclonedx report with "dependencies" and "dependsOn" included.

Steps to reproduce the issue:
```shell
syft -o cyclone-dx-json@1.5 Cargo.lock > report.json
```

Anything else we need to know?:

Environment:
Syft 0.94

@Dungeon1 Dungeon1 added the bug Something isn't working label Nov 24, 2023
@tgerla
Contributor

tgerla commented Nov 27, 2023

Hi @Dungeon1, thanks for the report. I can confirm that the dependencies show up in the syft-json format output, but not the cyclonedx-json or cyclonedx-xml output. I will confirm with the team whether this is expected behavior or not and get back to you when we are able to look. Thanks again.

@wagoodman
Contributor

I'm trying to understand the details. To be clear, this cargo.lock is not sufficient to show all dependencies in the SBOM:

```toml
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
]
```

But this would:

```toml
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
]

[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"

[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
```

Assuming that you have a cargo.lock file that looks like the last example, I think you're really asking why there are not relationships between all of the nodes in your SBOM to show how the nodes are related. If that's true, you're right, we haven't done that work yet. We have another issue to add these for all ecosystems, #572. The nice thing about the rust cataloger is that, for this specific ecosystem, this looks to be low-hanging fruit (ready to be implemented around here, correlating the .metadata.dependencies discovered with the names of the packages created).
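As an added illustration of the correlation described above (example code, not syft's own cataloger), the following Go reads only the `[[package]]` tables of a Cargo.lock with a hypothetical line-oriented helper and builds `name@version` → dependsOn edges, so the first lock above yields no edges and the second yields two:

```go
package main

import "strings"

type Pkg struct{ Name, Version string; Deps []string } // one [[package]] table, reduced to what is needed

// parseCargoLock is a hypothetical minimal reader for the tables shown in this issue, not a full TOML parser.
func parseCargoLock(lock string) []Pkg {
	var pkgs []Pkg
	var cur *Pkg
	inDeps := false
	for _, raw := range strings.Split(lock, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "[[package]]":
			pkgs, inDeps = append(pkgs, Pkg{}), false
			cur = &pkgs[len(pkgs)-1]
		case cur == nil: // skip keys before the first table, e.g. the lock-file version
		case inDeps && line == "]":
			inDeps = false
		case inDeps && line != "":
			cur.Deps = append(cur.Deps, strings.Trim(strings.TrimSuffix(line, ","), `"`))
		case strings.HasPrefix(line, "name = "):
			cur.Name = strings.Trim(strings.TrimPrefix(line, "name = "), `"`)
		case strings.HasPrefix(line, "version = "):
			cur.Version = strings.Trim(strings.TrimPrefix(line, "version = "), `"`)
		case strings.HasPrefix(line, "dependencies = ["):
			inDeps = !strings.HasSuffix(line, "]") // "[]" is an empty one-line list
		}
	}
	return pkgs
}

// dependsOn maps each package ref (name@version) to the refs it depends on. A dependency name
// with no matching [[package]] table (the first lock above) yields no edge: there is no node for it.
func dependsOn(pkgs []Pkg) map[string][]string {
	ver := map[string]string{}
	for _, p := range pkgs {
		ver[p.Name] = p.Version
	}
	out := map[string][]string{}
	for _, p := range pkgs {
		for _, d := range p.Deps {
			name := strings.Fields(d)[0] // entries read "name" or "name version" when several versions coexist
			if v, ok := ver[name]; ok {
				out[p.Name+"@"+p.Version] = append(out[p.Name+"@"+p.Version], name+"@"+v)
			}
		}
	}
	return out
}
```

The map keyed by crate name assumes one version per crate, which is the common case in a lock file; a lock with several versions of one crate would need the version from the dependency entry to disambiguate.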

@tgerla tgerla moved this to Awaiting Response in OSS Dec 7, 2023
@tgerla tgerla removed their assignment Dec 7, 2023
@Dungeon1
Author

@wagoodman I ran on Cargo.lock like your example.

@Dungeon1
Author

Cargo.lock has dependencies, but syft is not building dependencies with dependsOn.

@tgerla tgerla removed the status in OSS Dec 14, 2023
@willmurphyscode willmurphyscode moved this to Backlog in OSS Jan 3, 2024
@willmurphyscode
Contributor

I was also able to reproduce this. It looks like syft is detecting the dependencies (because they show up in -o json), but isn't writing them down in cyclonedx-json. Moving to the backlog, thanks for the report!

@kzantow kzantow added the ecosystem:rust relating to the rust ecosystem label Oct 23, 2024
@kzantow kzantow changed the title Syft not created "dependencies" in cyclonedx report Surface Rust dependency relationships Oct 23, 2024
@willmurphyscode willmurphyscode self-assigned this Nov 14, 2024
@willmurphyscode willmurphyscode moved this from Backlog to In Progress in OSS Nov 14, 2024
@willmurphyscode willmurphyscode added enhancement New feature or request and removed bug Something isn't working labels Nov 14, 2024
@willmurphyscode willmurphyscode moved this from In Progress to In Review in OSS Nov 14, 2024
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Nov 14, 2024