
Feature awareness? #226

Closed
jadamcrain opened this issue Aug 12, 2022 · 9 comments
Labels
cargo-cyclonedx Issues related to the Cargo SBOM generation application enhancement New feature or request

Comments

@jadamcrain

jadamcrain commented Aug 12, 2022

My use case is building FFI libraries that can be distributed as C binary headers, but also embedded in Java JARs and NuGet packages.

A couple of questions:

  1. Some of my customers want to exclude certain features from builds. Is this tool feature aware?
  2. Can the tool exclude build-only dependencies? I've noticed that by default it includes them.
  3. Is the purl standardized for Rust somewhere in the spec? What should the purl be for crates not distributed via crates.io?
@amy-keibler amy-keibler added enhancement New feature or request cargo-cyclonedx Issues related to the Cargo SBOM generation application labels Aug 17, 2022
@amy-keibler
Collaborator

These are all good questions.

  1. Some of my customers want to exclude certain features from builds. Is this tool feature aware?

Not currently. In this issue, I outlined a few potential areas I want to investigate. It's one of my highest priority items after we complete the work to integrate the library with the cargo plugin.

  2. Can the tool exclude build-only dependencies? I've noticed that by default it includes them.

Not currently. This somewhat falls under the first point, but it's probably worth having a separate GitHub issue to track it.

  3. Is the purl standardized for Rust somewhere in the spec? What should the purl be for crates not distributed via crates.io?

The purl specification does not indicate a required type specific to Rust, beyond

type: the package "type" or package "protocol" such as maven, npm, nuget, gem, pypi, etc. Required.

We could interpret this to mean that cargo is the "protocol", which would cover third party repositories. This probably needs its own GitHub issue for tracking.
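The following is an added example, not code from cargo-cyclonedx or from anyone in this thread. It shows what the "cargo is the protocol" interpretation above looks like in practice: a helper that builds a pURL with the `cargo` type and attaches the generic purl qualifiers `repository_url` (alternative registry) or `vcs_url` (git source) when a crate does not come from crates.io, plus a checker that scans a constructed CycloneDX component list and lists every crate whose pURL carries such a qualifier, so non-crates.io sources can be reviewed rather than silently passed through. The component list, crate names and URLs are constructed for this example.

```python
from urllib.parse import quote

# crates.io is the default cargo registry; a pURL with no qualifier is taken
# to mean "from crates.io", so only other sources get a qualifier.
CRATES_IO = "https://crates.io"


def cargo_purl(name, version, registry_url=None, vcs_url=None):
    """Build pkg:cargo/<name>@<version>[?qualifiers] for one crate.

    Name and version are percent-encoded with no safe characters, as the purl
    spec requires for those segments. Qualifier values keep ':', '/', '@', '#'
    and '+' readable, which is the conventional treatment of URL-valued
    qualifiers (assumption of this example, not something cargo-cyclonedx
    prescribes).
    """
    purl = f"pkg:cargo/{quote(name, safe='')}@{quote(version, safe='')}"

    qualifiers = {}
    if registry_url and registry_url.rstrip("/") != CRATES_IO:
        qualifiers["repository_url"] = registry_url
    if vcs_url:
        qualifiers["vcs_url"] = vcs_url

    if qualifiers:
        encoded = "&".join(
            f"{key}={quote(value, safe=':/@#+')}"
            for key, value in sorted(qualifiers.items())
        )
        purl += "?" + encoded
    return purl


def non_crates_io_components(components):
    """Return names of cargo components whose pURL carries a source qualifier.

    `components` is a list of CycloneDX-style component dicts (name, version,
    purl). Anything with a qualifier did not come from crates.io and deserves
    a second look before the SBOM is handed to a customer.
    """
    flagged = []
    for comp in components:
        purl = comp.get("purl", "")
        if purl.startswith("pkg:cargo/") and "?" in purl:
            flagged.append(comp["name"])
    return flagged


# Constructed sample: three crates from three different sources.
SAMPLE_COMPONENTS = [
    {
        "name": "serde",
        "version": "1.0.144",
        "purl": cargo_purl("serde", "1.0.144", registry_url=CRATES_IO),
    },
    {
        "name": "internal-ffi-util",
        "version": "2.0.0",
        "purl": cargo_purl(
            "internal-ffi-util", "2.0.0",
            registry_url="https://registry.example.internal",  # constructed
        ),
    },
    {
        "name": "my-crate",
        "version": "0.1.0",
        "purl": cargo_purl(
            "my-crate", "0.1.0",
            vcs_url="git+https://example.com/org/my-crate.git@abcdef",  # constructed
        ),
    },
]


if __name__ == "__main__":
    for comp in SAMPLE_COMPONENTS:
        print(comp["purl"])
    print("review:", non_crates_io_components(SAMPLE_COMPONENTS))
```

Passing `registry_url=CRATES_IO` explicitly yields the plain `pkg:cargo/serde@1.0.144` form, which is the shape most consumers expect for crates.io crates; only the internal registry and the git-sourced crate end up with qualifiers and are the two names the checker reports.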

@jadamcrain
Author

Thanks for these detailed answers!

@lfrancke
Contributor

We should now exclude build-only dependencies in main, and #512 and #513 will help with selecting features and targets.

@Shnatsel
Contributor

To clarify: only dev-dependencies are excluded. Build dependencies are included in the SBOM because unlike dev-dependencies they can influence the final binary.

@lfrancke
Contributor

Ah yes, sorry, my bad.

@jadamcrain
Author

Including build dependencies makes sense! Thanks for the update.

@lfrancke
Contributor

So that should fix points 1 and 2 of your list. I don't think we have tackled purls for non-crates things yet anywhere, but I might have missed it as well.

@Shnatsel
Contributor

There is a tracking issue for pURLs from sources other than crates.io: #501

I am not aware of any standardization around that though.

@lfrancke
Contributor

Thanks. I believe we can close this issue now as everything has either been tackled or there are more specific issues.
Unless there are any objections I'll do so in a few days.
