feat: implement RFC 3553 to add SBOM support #13709
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks. Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (
|
rustbot
added
A-build-execution
| /// Returns the list of SBOM output file paths for a given Unit. | ||
| /// | ||
| /// Only call this function when `sbom` is active. | ||
| pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> { |
There was a problem hiding this comment.
I'm uncertain if this function should return a Vec or if a single PathBuf is actually sufficient.
There was a problem hiding this comment.
It might output several different crate-types, e.g. rlib, cdylib.
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
from
74dafa0
to
190682e
Compare
|
Much respect for your contribution. From my kind reminders, it seems appropriate to modify the documentation of the corresponding sections, e.g. Configuration, Environment Variables. |
|
Thanks for the reminder, @heisen-li. Would love to see a doc update, though we should probably focus on the design discussion first, as the location of the configuration is not yet decided. (See rust-lang/rfcs#3553 (comment)). |
|
One approach for the docs (if this is looking to be merged) is to put the env and config documentation fragments in the Unstable docs. |
Similar to the generation of `depinfo` files, a function is called to generated SBOM precursor file named `output_sbom`. It takes the `BuildRunner` & the current `Unit`. The `sbom` flag can be specified as a cargo build option, but it's currently not configured correctly. To test the generation the flag is set to `true`. This passes in the cargo build config `sbom`.
This ignores dependencies for custom build scripts. The output should be similar to what `cargo tree` reports.
This is similar to what the `cargo metadata` command outputs.
This extracts the logic to get the list of SBOM output file paths into its own function in `BuildRunner` for a given Unit.
* extract sbom config into helper function
Still needs to check output.
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
from
190682e
to
ae0881c
Compare
| base.arg("-Z").arg("binary-dep-depinfo"); | ||
| } | ||
|
|
||
| if is_primary { | ||
| base.env("CARGO_PRIMARY_PACKAGE", "1"); | ||
|
|
||
| if gctx.cli_unstable().sbom && build_runner.bcx.build_config.sbom { |
There was a problem hiding this comment.
IMO, paths are better to be joined using semi-colons, maybe via std::env::join_paths, to maximize the compatibility.
| /// Returns the list of SBOM output file paths for a given Unit. | ||
| /// | ||
| /// Only call this function when `sbom` is active. | ||
| pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> { |
There was a problem hiding this comment.
It might output several different crate-types, e.g. rlib, cdylib.
| .iter() | ||
| .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable)) | ||
| .filter_map(|output_file| output_file.hardlink.as_ref()) | ||
| .map(|link_dst| link_dst.with_extension("cargo-sbom.json")) |
There was a problem hiding this comment.
Do we want to handle name collisions here? For example dylibs might collide with each their as their name have no -<hash> suffix.
See #6313 for some details.
| //! cargo-sbom precursor files for external tools to create SBOM files from. | ||
| //! See [`output_sbom`] for more. | ||
|
|
||
| use std::{ |
There was a problem hiding this comment.
nit: in Cargo we don't do nested multi-line import, though this is not enforced :)
| assert!(p.bin("foo").with_extension("cargo-sbom.json").is_file()); | ||
| assert_eq!( | ||
| 1, | ||
| p.glob(p.target_debug_dir().join("libfoo.cargo-sbom.json")) |
There was a problem hiding this comment.
I guess we might need to deal with different naming convention on different platform. (Windows specifically?)
| build = "build.rs" | ||
|
|
||
| [build-dependencies] | ||
| cc = "1.0.46" |
There was a problem hiding this comment.
Should avoid introducing external crates.io dependency. Use something like
Package::new("baz", "0.0.1").publish();
There was a problem hiding this comment.
I would like to see some UI test for the JSON output. It's easier to check what's inside the SBOM file.
| @@ -102,6 +104,16 @@ impl BuildConfig { | |||
| anyhow::bail!("-Zbuild-std requires --target"); | |||
| } | |||
|
|
|||
| // If sbom flag is set, it requires the unstable feature | |||
| let sbom = match gctx.get_env_os("CARGO_BUILD_SBOM") { | |||
There was a problem hiding this comment.
This was mentioned in office hours. Just wrote it down for reference. GlobalContext::get_bool could cover both env and config.
| if sbom && !gctx.cli_unstable().sbom { | ||
| anyhow::bail!("Cargo build config 'sbom' is unstable; pass `-Zsbom` to enable it"); | ||
| } |
There was a problem hiding this comment.
maybe a soft error (warning) is more friendly and won't block people using the same config from different toolchain. Something like
cargo/src/cargo/core/workspace.rs
Lines 325 to 327 in 8733d5a
(And provide a link to that unstable documentation when we have one)
| let sbom = Sbom::new(unit, packages.clone(), rustc.clone()); | ||
|
|
||
| let mut outfile = BufWriter::new(paths::create(sbom_output_file)?); | ||
| let output = serde_json::to_string_pretty(&sbom)?; |
There was a problem hiding this comment.
Perhaps pretty not important at this moment. Just wonder how big the size of the output sbom would be, and at some point we might want to use serde_json::to_writer_pretty instead.
What does this PR try to resolve?
This PR is an implementation of RFC 3553 to add support to generate pre-cursor SBOM files for compiled artifacts in Cargo.
How should we test and review this PR?
The RFC 3553 adds a new option to Cargo to emit SBOM pre-cursor files. A project can be configured either by the new Cargo config field
sbom.or using the environment variable
CARGO_BUILD_SBOM=true. Thesbomoption is an unstable feature and requires the-Zsbomflag to enable it.Check out this branch & compile Cargo. Pick a Cargo project to test it on, then run:
All generated
*.cargo-sbom.jsonfiles are located in thetargetfolder alongside their artifacts. To list all generated files use:then check their content. To see the current output format, see these examples.
Additional information
There are a few things that I would like to get feedback on, in particular the generated JSON format is not final. Currently it holds the information listed in the RFC 3553, but it could be further enriched with information only available during builds.
During the implementation a number of questions arose.
UnitGraphthe right structure to determine all dependencies?compilemethod to generate the SBOM files appropriate?testsuite, are useful tests missing?Thanks @arlosi, @RobJellinghaus and @lfrancke for initial guidance & feedback.
serde_json&axum-corecrates)