
Record package hashes in the generated SBOM #620

Merged
merged 9 commits into from Feb 25, 2024

Conversation

Shnatsel
Contributor

@Shnatsel Shnatsel commented Feb 18, 2024

Requires Rust 1.77 or later because it relies on rust-lang/cargo#12914

Older Rust versions behave as before, i.e. the hashes are not recorded.

Builds on #619 because I didn't want to create editing conflicts with myself. I can rebase it if it doesn't go in.

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…h format and wire up emitting the data to the final SBOM

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel Shnatsel marked this pull request as ready for review February 18, 2024 01:02
@Shnatsel Shnatsel requested a review from a team as a code owner February 18, 2024 01:02
Contributor

@lfrancke lfrancke left a comment


I looked at the code changes and those look good.
I only have 1.76 installed and train wifi won't allow me to download a newer version.
I'm happy to merge as is but if you prefer I can also test it next week.

@Shnatsel
Contributor Author

In my testing it works, so I'm going to go ahead and merge it.

There is an edge case: if the registry URL contains parameters, the hash may not be recorded. That's because `Cargo.lock` does not encode parameters correctly right now (and what `cargo metadata` and `cargo pkgid` do is anyone's guess), but we'll get to that once the v4 `Cargo.lock` format which fixes it gets actually rolled out.
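The lookup described in this thread, as an added illustration that is not code from this PR or from cargo-cyclonedx: package checksums come from the `[[package]]` tables of `Cargo.lock`, are keyed by the package ID that `cargo metadata` reports, and are emitted as CycloneDX SHA-256 hashes. The URL-style ID spec (`source#name@version`) is my assumption about the format Rust 1.77's `cargo metadata` emits; the lockfile excerpt, crate names, registry URL and checksum values are constructed, and `parse_lockfile` is a hypothetical minimal parser standing in for a real TOML parser. The second lookup in `main` reproduces the edge case above: when the metadata ID carries registry URL parameters that `Cargo.lock` dropped, no entry matches and no hash is recorded for that component.

```rust
use std::collections::HashMap;

/// One `[[package]]` table from Cargo.lock (only the fields this example needs).
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    /// Absent for path dependencies such as the workspace's own crates.
    pub source: Option<String>,
    /// Absent for path and git dependencies; registry packages carry a SHA-256 of the .crate file.
    pub checksum: Option<String>,
}

/// A CycloneDX-style hash entry (`alg` plus hex `content`).
#[derive(Debug, Clone, PartialEq)]
pub struct Hash {
    pub alg: &'static str,
    pub content: String,
}

/// Hypothetical line-oriented parser for the flat `key = "value"` lines inside Cargo.lock's
/// `[[package]]` tables. Arrays such as `dependencies = [...]` and other tables are skipped;
/// a real tool would use a proper TOML parser.
pub fn parse_lockfile(text: &str) -> Vec<LockedPackage> {
    let mut packages = Vec::new();
    let mut current: Option<LockedPackage> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any table header closes the package being built; `[[package]]` opens a new one.
            packages.extend(current.take());
            if line == "[[package]]" {
                current = Some(LockedPackage {
                    name: String::new(),
                    version: String::new(),
                    source: None,
                    checksum: None,
                });
            }
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // top-level `version = 3` and comments live outside any package
        };
        let (key, value) = match line.split_once('=') {
            Some(kv) => kv,
            None => continue, // array elements and closing `]`
        };
        let value = value.trim().trim_matches('"').to_string();
        match key.trim() {
            "name" => pkg.name = value,
            "version" => pkg.version = value,
            "source" => pkg.source = Some(value),
            "checksum" => pkg.checksum = Some(value),
            _ => {}
        }
    }
    packages.extend(current.take());
    packages
}

/// Key each locked package by the URL-style package ID spec (`source#name@version`) that
/// `cargo metadata` emits on Rust 1.77+ (assumed format). Packages without a checksum
/// (path, git) get no entry and therefore no hash in the SBOM.
pub fn checksums_by_package_id(packages: &[LockedPackage]) -> HashMap<String, Hash> {
    packages
        .iter()
        .filter_map(|p| {
            let source = p.source.as_deref()?;
            let checksum = p.checksum.as_deref()?;
            let id = format!("{source}#{}@{}", p.name, p.version);
            Some((id, Hash { alg: "SHA-256", content: checksum.to_string() }))
        })
        .collect()
}

/// Hash to record for a metadata package ID, or `None` when Cargo.lock has no matching entry.
pub fn hash_for(index: &HashMap<String, Hash>, package_id: &str) -> Option<Hash> {
    index.get(package_id).cloned()
}

/// Constructed Cargo.lock excerpt: crate names, the private registry URL and checksums are made up.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "example-dep",
 "private-dep",
]

[[package]]
name = "example-dep"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

[[package]]
name = "private-dep"
version = "0.4.0"
source = "registry+https://registry.example.test/index/"
checksum = "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
"#;

fn main() {
    let index = checksums_by_package_id(&parse_lockfile(SAMPLE_LOCK));
    // The second ID carries a registry URL parameter (constructed) that Cargo.lock did not keep,
    // so the lookup misses and the component would be emitted without a hash.
    for id in [
        "registry+https://github.com/rust-lang/crates.io-index#example-dep@1.2.3",
        "registry+https://registry.example.test/index/?token=abc#private-dep@0.4.0",
    ] {
        match hash_for(&index, id) {
            Some(h) => println!("{id}: {} {}", h.alg, h.content),
            None => println!("{id}: no hash recorded (no Cargo.lock match)"),
        }
    }
}
```

Matching on the full ID string is deliberately strict: a silently wrong hash in an SBOM is worse than a missing one, so an unmatched ID yields `None` rather than a fuzzy match on name and version alone.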

@Shnatsel Shnatsel merged commit a9ff97d into CycloneDX:main Feb 25, 2024
9 checks passed
@Shnatsel
Contributor Author

I filed an issue about that so that it's tracked: #629

2 participants