
feat: implement RFC 3553 to add SBOM support #13709

Merged
merged 1 commit into from
Feb 26, 2025

Conversation

justahero
Contributor

@justahero justahero commented Apr 5, 2024

What does this PR try to resolve?

This PR is an implementation of RFC 3553 to add support to generate pre-cursor SBOM files for compiled artifacts in Cargo.

How should we test and review this PR?

The RFC 3553 adds a new option to Cargo to emit SBOM pre-cursor files. A project can be configured either by the new Cargo config field sbom.

# .cargo/config.toml
[build]
sbom = true

or using the environment variable CARGO_BUILD_SBOM=true. The sbom option is an unstable feature and requires the -Zsbom flag to enable it.

Check out this branch & compile Cargo. Pick a Cargo project to test it on, then run:

CARGO_BUILD_SBOM=true <path/to/compiled/cargo>/target/debug/cargo build -Zsbom

All generated *.cargo-sbom.json files are located in the target folder alongside their artifacts. To list all generated files use:

find ./target -name "*.cargo-sbom.json"

then check their content. To see the current output format, see these examples.

What does the PR not solve?

The PR leaves tasks open that are either out of scope or should be done in follow-up PRs.

Additional information

There are a few things that I would like to get feedback on, in particular the generated JSON format is not final. Currently it holds the information listed in the RFC 3553, but it could be further enriched with information only available during builds.

During the implementation a number of questions arose:

  • Should the graph be packages or crates?
    • The unit graph that the SBOM is based on is units. The current SBOM graph is identical to the unit graph, with the run build script nodes merged with building build scripts.
    • Artifact dependencies may impact this
  • Which outputs should get SBOMs files?
    • Currently: executables (including examples and tests), dylib, cdylib, staticlib
  • How do we refer to "normal" dependencies? feat: implement RFC 3553 to add SBOM support #13709 (comment)
  • What case should we use? feat: implement RFC 3553 to add SBOM support #13709 (comment)
  • Should this be build.sbom or profile.*.sbom
  • Is sbom the right name for this?

Thanks @arlosi, @RobJellinghaus and @lfrancke for initial guidance & feedback.

@rustbot
Collaborator

rustbot commented Apr 5, 2024

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks.

Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (S-waiting-on-review and S-waiting-on-author) stays updated, invoking these commands when appropriate:

  • @rustbot author: the review is finished, PR author should check the comments and take action accordingly
  • @rustbot review: the author is ready for a review, this PR will be queued again in the reviewer's queue

@rustbot rustbot added A-build-execution Area: anything dealing with executing the compiler A-configuration Area: cargo config files and env vars A-unstable Area: nightly unstable support S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Apr 5, 2024
@justahero justahero force-pushed the rfc3553/cargo-sbom-support branch from 74dafa0 to 190682e Compare April 6, 2024 14:31
@heisen-li
Contributor

Much respect for your contribution.

From my kind reminders, it seems appropriate to modify the documentation of the corresponding sections, e.g. Configuration, Environment Variables.

@weihanglo
Member

Thanks for the reminder, @heisen-li. Would love to see a doc update, though we should probably focus on the design discussion first, as the location of the configuration is not yet decided. (See rust-lang/rfcs#3553 (comment)).

@epage
Contributor

epage commented Apr 9, 2024

One approach for the docs (if this is looking to be merged) is to put the env and config documentation fragments in the Unstable docs.

@justahero justahero force-pushed the rfc3553/cargo-sbom-support branch from 190682e to ae0881c Compare May 2, 2024 19:54
Member

@weihanglo weihanglo left a comment


Just note that I reviewed this as-is, didn't really think too much for the design itself. Thank you for working on this!

@bors
Contributor

bors commented May 3, 2024

☔ The latest upstream changes (presumably #13571) made this pull request unmergeable. Please resolve the merge conflicts.

@justahero justahero force-pushed the rfc3553/cargo-sbom-support branch 4 times, most recently from 1cfd71a to 376fe1e Compare May 6, 2024 13:42
@rustbot rustbot added the A-documenting-cargo-itself Area: Cargo's documentation label May 6, 2024
@justahero justahero force-pushed the rfc3553/cargo-sbom-support branch 4 times, most recently from 67332d6 to 0aa10e9 Compare May 7, 2024 11:13
@justahero justahero marked this pull request as ready for review May 7, 2024 11:53
Member

@weihanglo weihanglo left a comment


Now I like the idea of having this PR to explore SBOM format. I'll post back issues we've found so far to the RFC. Thank you :)

@justahero justahero force-pushed the rfc3553/cargo-sbom-support branch from c8e1bc8 to 8d5fa4d Compare May 13, 2024 12:33
@arlosi arlosi force-pushed the rfc3553/cargo-sbom-support branch from e93e3b0 to 7266454 Compare February 8, 2025 17:40

@arlosi arlosi force-pushed the rfc3553/cargo-sbom-support branch 2 times, most recently from d453ce3 to 7bc86db Compare February 19, 2025 16:42
@arlosi arlosi force-pushed the rfc3553/cargo-sbom-support branch 3 times, most recently from 62b773e to e38cf70 Compare February 20, 2025 23:41

@arlosi arlosi force-pushed the rfc3553/cargo-sbom-support branch 2 times, most recently from 4914dac to 70e4ca9 Compare February 26, 2025 20:22
@rustbot rustbot added A-cfg-expr Area: Platform cfg expressions A-dep-info Area: dep-info, .d files A-layout Area: target output directory layout, naming, and organization A-rebuild-detection Area: rebuild detection and fingerprinting labels Feb 26, 2025
@arlosi
Contributor

arlosi commented Feb 26, 2025

I've updated the PR and it should be ready for another round of review. Notable changes include:

  • The graph is no longer combining dependencies within the same package. This means that things like libs and build scripts within a package get unique nodes in the graph.
  • The SBOM is listed in the JSON output as an output file.
  • Added a test for RUSTC_WRAPPER
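
One way to check the outcome of the test procedure in the PR description together with arlosi's note that the SBOM is listed in the JSON output (an added example, not code from this PR or from Cargo): parse a `cargo build --message-format=json` stream and report every SBOM-eligible unit whose `filenames` contain no `*.cargo-sbom.json`. The sample messages are constructed and abridged, and the assumption that the SBOM path appears in `filenames` is mine, not stated on the page.

```python
import json

SBOM_SUFFIX = ".cargo-sbom.json"
# Target kinds that the PR description says receive an SBOM: executables
# (bins, examples, tests) plus dylib, cdylib and staticlib outputs.
SBOM_KINDS = {"bin", "example", "test", "dylib", "cdylib", "staticlib"}


def sbom_coverage(message_lines):
    """Map each SBOM-eligible compiler-artifact unit (by target name) to the
    *.cargo-sbom.json path found in its `filenames`, or None if absent.
    Assumption: the SBOM is reported in `filenames` of that message."""
    coverage = {}
    for line in message_lines:
        line = line.strip()
        if not line:
            continue
        msg = json.loads(line)
        if msg.get("reason") != "compiler-artifact":
            continue  # skip compiler-message, build-script-executed, build-finished
        target = msg["target"]
        if not set(target["kind"]) & SBOM_KINDS:
            continue  # e.g. plain rlib libraries: no SBOM expected
        sboms = [f for f in msg.get("filenames", []) if f.endswith(SBOM_SUFFIX)]
        coverage[target["name"]] = sboms[0] if sboms else None
    return coverage


def missing_sboms(message_lines):
    """Names of eligible units that produced no SBOM (non-empty means fail CI)."""
    return sorted(n for n, p in sbom_coverage(message_lines).items() if p is None)


# Constructed, abridged sample of a `cargo build --message-format=json` stream;
# real messages carry more fields (package_id, profile, executable, ...).
SAMPLE_MESSAGES = [
    '{"reason":"compiler-artifact","target":{"name":"util","kind":["lib"]},'
    '"filenames":["/proj/target/debug/libutil.rlib"]}',
    '{"reason":"compiler-artifact","target":{"name":"hello","kind":["bin"]},'
    '"filenames":["/proj/target/debug/hello",'
    '"/proj/target/debug/hello.cargo-sbom.json"]}',
    '{"reason":"compiler-artifact","target":{"name":"plugin","kind":["cdylib"]},'
    '"filenames":["/proj/target/debug/libplugin.so"]}',
    '{"reason":"build-finished","success":true}',
]

if __name__ == "__main__":
    for name, sbom in sbom_coverage(SAMPLE_MESSAGES).items():
        print(f"{name}: {sbom or 'NO SBOM'}")
    print("missing:", missing_sboms(SAMPLE_MESSAGES))
```

Pipe the real stream in with `CARGO_BUILD_SBOM=true cargo build -Zsbom --message-format=json` on the branch and feed its lines to `missing_sboms`.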

Adds a new option `build.sbom` that adds generation of a JSON file
containing dependency information alongside compiled artifacts.
@arlosi arlosi force-pushed the rfc3553/cargo-sbom-support branch from 70e4ca9 to 5f833db Compare February 26, 2025 20:57
@epage epage enabled auto-merge February 26, 2025 20:59
@epage epage added this pull request to the merge queue Feb 26, 2025
Merged via the queue into rust-lang:master with commit 7ea222d Feb 26, 2025
23 checks passed
@justahero
Contributor Author

Huge thank you @arlosi & to the cargo team for investing the time & effort to get this feature integrated. 🎉

bors added a commit to rust-lang-ci/rust that referenced this pull request Feb 28, 2025
Update cargo

11 commits in 1d1d646c06a84c1aa53967b394b7f1218f85db82..2622e844bc1e2e6123e54e94e4706f7b6195ce3d
2025-02-21 21:38:53 +0000 to 2025-02-28 12:33:57 +0000
- Bump `cc` to 1.2.16 to fix `x86` windows jobs in rust-lang/rust CI (rust-lang/cargo#15245)
- refactor(tree): Abstract the concept of a NodeId (rust-lang/cargo#15237)
- feat: implement RFC 3553 to add SBOM support (rust-lang/cargo#13709)
- refactor(tree): Abstract the concept of an edge (rust-lang/cargo#15233)
- chore: bump openssl to v3 (rust-lang/cargo#15232)
- fix(package): Register workspace member renames in overlay  (rust-lang/cargo#15228)
- Implemented `build.build-dir` config option (rust-lang/cargo#15104)
- feat: add completions for `--manifest-path` (rust-lang/cargo#15225)
- chore: semver-check build-rs against beta channel (rust-lang/cargo#15223)
- chore: depend on openssl-sys to correctly pin its version (rust-lang/cargo#15224)
- chore: dont check cargo-util semver until 1.86 is released (rust-lang/cargo#15222)
@rustbot rustbot added this to the 1.87.0 milestone Feb 28, 2025