
Is the Rust/Cargo support ready for use? #126

Closed
jvanz opened this issue Aug 31, 2022 · 1 comment
Labels: z-aa-triaged (Deprecated label: this issue has been triaged by AA); z-external (Deprecated label: the bug is dependent on an external service)

Comments


jvanz commented Aug 31, 2022

Hi!

I would like to ask for help to understand how the sbom-tool works for Rust code. We in the Kubewarden team are evaluating using sbom-tool to generate the SPDX file for the Rust component of the Kubewarden stack, but we are seeing some results that seem to be incomplete. When we run the sbom-tool in the Policy Server repository, the tool generates the SPDX file with all the files under the build directory. That does not seem to be a problem, but it misses all the dependencies defined in the Cargo.toml file. In other words, the SPDX file does not have the relationships between the packages defined in the cargo file. Is this expected? Is the cargo/Rust support production ready?

This is an example of the command that I use to create the file:

$ sbom-tool generate -b ./target -bc . -pn kubewarden -pv 1.0.0 -nsb https://kubewarden.io -V Verbose -ps Kubewarden

Let's check some info in the SPDX file:

$ jq ".packages[] | .name" _manifest/spdx_2.2/manifest.spdx.json
"winapi-x86_64-pc-windows-gnu"
"instant"
"cfg-if"
"remove_dir_all"
"tempfile"
"winapi"
"bitflags"
"redox_syscall"
"fastrand"
"libc"
"winapi-i686-pc-windows-gnu"
"policy-server"

$ jq ".packages | length " _manifest/spdx_2.2/manifest.spdx.json
12

$ jq ".relationships | length " _manifest/spdx_2.2/manifest.spdx.json
12

$ jq -r ".relationships[] | .relatedSpdxElement" _manifest/spdx_2.2/manifest.spdx.json >> out; jq -r ".packages[] | .SPDXID" _manifest/spdx_2.2/manifest.spdx.json >> out

$ cat out | sort -u
SPDXRef-Package-09E888C0DD94AE60E61C26BDCB42496CCE2C353B04EDC32010BAE39CD9C281D0
SPDXRef-Package-103DDECE1CB10C10E2689F436AB7787B75BC4D108C139C4A187F13A49F631E8A
SPDXRef-Package-189578355B371E85A4B08774D0CFD32BD36B61165FA6BBEDA3B80BE76024EA8D
SPDXRef-Package-23A31416C710E2C36870C6DA198442A1B9E87AA1DEE5C764218A5ADA6ACAB955
SPDXRef-Package-2C0BE3A4473BFBE36158A982CB7D03CB69186272843FCC7EED4A98767B0B0484
SPDXRef-Package-3A6F59C021FD50CA792745B5BA96467074206C03916D0BCFC926087D1D49F587
SPDXRef-Package-860B0BD399A74F569916FC6D2B12313E84843DAD430BC3A7AF88A11F42210381
SPDXRef-Package-8D53CF339C6C5356F4655FAB5ED74736CCEAA7FE34FFF98F2C6F3DF3F627A96E
SPDXRef-Package-9D986058A09E0CC43BCCF23FE973D1CEB4F7AFC28E67A6FA8D2453F4264AA058
SPDXRef-Package-CD84440B5868C5522882D227E2DA16FEF386CAF7BAE037A976DE512D23092501
SPDXRef-Package-EE5CCD784D9C04F2C86943E03620B4A4D9A902C21981F66C64F63115130F6439
SPDXRef-RootPackage

$ cat out | sort -u | wc -l
12

None of the dependencies defined in the Cargo.toml are defined in the SPDX file. Am I missing something?
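One way to automate the cross-check this post does by hand with jq, as an added example that is not part of the issue or of sbom-tool: parse the crate names declared in Cargo.toml, compare them against the package names in the SPDX 2.2 JSON, and list any SPDX package that no relationship references. The Cargo.toml and SPDX documents below are constructed samples, and the function names are my own.

```python
import json
import re

# Constructed sample manifest, not the real policy-server Cargo.toml.
SAMPLE_CARGO_TOML = """
[package]
name = "policy-server"
version = "1.0.0"

[dependencies]
anyhow = "1.0"
serde = { version = "1.0", features = ["derive"] }
tokio = { version = "1", features = ["full"] }

[dev-dependencies]
tempfile = "3"
"""

# Constructed SPDX 2.2 excerpt shaped like the one in the issue: a root package,
# a few crates picked up from the build directory, one package with no relationship.
SAMPLE_SPDX = {
    "packages": [
        {"name": "policy-server", "SPDXID": "SPDXRef-RootPackage"},
        {"name": "libc", "SPDXID": "SPDXRef-Package-0001"},
        {"name": "tempfile", "SPDXID": "SPDXRef-Package-0002"},
        {"name": "cfg-if", "SPDXID": "SPDXRef-Package-0003"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-0001"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-0002"},
    ],
}


def cargo_dependencies(cargo_toml: str) -> set:
    """Crate names declared under [dependencies], [dev-dependencies] or
    [build-dependencies]. Target-specific tables such as
    [target.'cfg(unix)'.dependencies] are deliberately not handled here."""
    deps, in_dep_section = set(), False
    for raw in cargo_toml.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_dep_section = re.fullmatch(r"\[(dev-|build-)?dependencies\]", line) is not None
        elif in_dep_section and "=" in line and not line.startswith("#"):
            deps.add(line.split("=", 1)[0].strip().strip('"'))
    return deps


def sbom_gaps(spdx: dict, declared: set) -> dict:
    """Declared crates absent from the SBOM, plus SBOM packages that no relationship
    mentions on either side (the same idea as the jq checks in the issue)."""
    packages = spdx.get("packages", [])
    names = {p["name"] for p in packages}
    ids = {p["SPDXID"] for p in packages}
    referenced = set()
    for r in spdx.get("relationships", []):
        referenced.update((r["spdxElementId"], r["relatedSpdxElement"]))
    return {"missing_from_sbom": sorted(declared - names),
            "unreferenced_packages": sorted(ids - referenced)}


if __name__ == "__main__":
    print(json.dumps(sbom_gaps(SAMPLE_SPDX, cargo_dependencies(SAMPLE_CARGO_TOML)), indent=2))
```

On a real run, load Cargo.toml and _manifest/spdx_2.2/manifest.spdx.json from disk in place of the two samples.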

ByAgenT (Collaborator) commented Aug 31, 2022

Hi @jvanz. This looks like an issue with the underlying Rust detector we use in sbom-tool. I've created an issue microsoft/component-detection#253 against the component-detection team, thanks for reporting that.

aasim added the labels z-aa-triaged (Deprecated label) and z-external (Deprecated label) on Sep 27, 2022