Is the Rust/Cargo support ready for use? #126
Hi!
I would like to ask for help to understand how the sbom-tool works for Rust code. We in the Kubewarden team are evaluating whether to use sbom-tool to generate the SPDX file for the Rust component of the Kubewarden stack. But we are seeing some results that seem to be incomplete. When we run the sbom-tool in the Policy Server repository, the tool generates the SPDX file with all the files under the build directory. Which does not seem to be a problem, but it misses all the dependencies defined in the Cargo.toml file. In other words, the SPDX file does not have the relationships between the packages defined in the Cargo file. Is this expected? Is the Cargo/Rust support production ready?
This is an example of the command that I use to create the file:
Let's check some info in the SPDX file:
None of the dependencies defined in the Cargo.toml are defined in the SPDX file. Am I missing something?
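One way to check the gap described in the issue above, as an added example that is not part of the original post or of the sbom-tool project: it lists crates declared in a Cargo.toml that have no matching entry in an SPDX 2.2 JSON document and counts its DEPENDS_ON relationships. The function names are hypothetical, the Cargo.toml reader is a simplified line-based one, and the sample inputs are constructed.

```python
import json
import re

# [dependencies], [dev-/build-dependencies], [target.<cfg>.*], [dependencies.<crate>]
DEP_TABLE = re.compile(
    r"^\[(?:target\..+\.)?(?:dev-|build-)?dependencies(?:\.([\w-]+))?\]$")
DEP_KEY = re.compile(r"^([\w-]+)\s*=")

def cargo_dependencies(cargo_toml):
    """Crate names declared in Cargo.toml (renamed crates appear as their alias)."""
    deps, in_table = set(), False
    for raw in cargo_toml.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            m = DEP_TABLE.match(line)
            in_table = bool(m) and m.group(1) is None
            if m and m.group(1):
                deps.add(m.group(1))
        elif in_table and DEP_KEY.match(line):
            deps.add(DEP_KEY.match(line).group(1))
    return deps

def sbom_coverage(cargo_toml, spdx_json):
    """Declared crates absent from SPDX `packages`, plus DEPENDS_ON count."""
    doc = json.loads(spdx_json)
    names = {p.get("name", "").lower() for p in doc.get("packages", [])}
    missing = sorted(d for d in cargo_dependencies(cargo_toml)
                     if d.lower() not in names)
    depends_on = sum(1 for r in doc.get("relationships", [])
                     if r.get("relationshipType") == "DEPENDS_ON")
    return {"missing": missing, "depends_on": depends_on}

# Constructed sample input, not taken from the Policy Server repository.
SAMPLE_CARGO = """
[package]
name = "example-app"
[dependencies]
serde = { version = "1", features = ["derive"] }  # inline table
tokio = "1"
[dependencies.anyhow]
version = "1"
[dev-dependencies]
tempfile = "3"
"""
SAMPLE_SPDX = json.dumps({
    "packages": [{"name": "example-app", "SPDXID": "SPDXRef-RootPackage"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-RootPackage"}],
})
```

A non-empty `missing` list together with `depends_on` equal to 0 matches the symptom reported here: files and a root package are present, but no crate packages or dependency relationships.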