New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: implement RFC 3553 to add SBOM support #13709
base: master
Are you sure you want to change the base?
Conversation
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks. Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (
|
/// Returns the list of SBOM output file paths for a given Unit. | ||
/// | ||
/// Only call this function when `sbom` is active. | ||
pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm uncertain if this function should return a Vec
or if a single PathBuf
is actually sufficient.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might output several different crate-types, e.g. rlib
, cdylib
.
74dafa0
to
190682e
Compare
Much respect for your contribution. From my kind reminders, it seems appropriate to modify the documentation of the corresponding sections, e.g. Configuration, Environment Variables. |
Thanks for the reminder, @heisen-li. Would love to see a doc update, though we should probably focus on the design discussion first, as the location of the configuration is not yet decided. (See rust-lang/rfcs#3553 (comment)). |
One approach for the docs (if this is looking to be merged) is to put the env and config documentation fragments in the Unstable docs. |
Similar to the generation of `depinfo` files, a function is called to generated SBOM precursor file named `output_sbom`. It takes the `BuildRunner` & the current `Unit`. The `sbom` flag can be specified as a cargo build option, but it's currently not configured correctly. To test the generation the flag is set to `true`. This passes in the cargo build config `sbom`.
This ignores dependencies for custom build scripts. The output should be similar to what `cargo tree` reports.
This is similar to what the `cargo metadata` command outputs.
This extracts the logic to get the list of SBOM output file paths into its own function in `BuildRunner` for a given Unit.
* extract sbom config into helper function
Still needs to check output.
190682e
to
ae0881c
Compare
base.arg("-Z").arg("binary-dep-depinfo"); | ||
} | ||
|
||
if is_primary { | ||
base.env("CARGO_PRIMARY_PACKAGE", "1"); | ||
|
||
if gctx.cli_unstable().sbom && build_runner.bcx.build_config.sbom { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, paths are better to be joined using semi-colons, maybe via std::env::join_paths
, to maximize the compatibility.
/// Returns the list of SBOM output file paths for a given Unit. | ||
/// | ||
/// Only call this function when `sbom` is active. | ||
pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might output several different crate-types, e.g. rlib
, cdylib
.
.iter() | ||
.filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable)) | ||
.filter_map(|output_file| output_file.hardlink.as_ref()) | ||
.map(|link_dst| link_dst.with_extension("cargo-sbom.json")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want to handle name collisions here? For example dylibs might collide with each their as their name have no -<hash>
suffix.
See #6313 for some details.
//! cargo-sbom precursor files for external tools to create SBOM files from. | ||
//! See [`output_sbom`] for more. | ||
|
||
use std::{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: in Cargo we don't do nested multi-line import, though this is not enforced :)
assert!(p.bin("foo").with_extension("cargo-sbom.json").is_file()); | ||
assert_eq!( | ||
1, | ||
p.glob(p.target_debug_dir().join("libfoo.cargo-sbom.json")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we might need to deal with different naming convention on different platform. (Windows specifically?)
build = "build.rs" | ||
|
||
[build-dependencies] | ||
cc = "1.0.46" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should avoid introducing external crates.io dependency. Use something like
Package::new("baz", "0.0.1").publish();
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to see some UI test for the JSON output. It's easier to check what's inside the SBOM file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just note that I reviewed this as-is, didn't really think too much for the design itself. Thank you for working on this!
@@ -102,6 +104,16 @@ impl BuildConfig { | |||
anyhow::bail!("-Zbuild-std requires --target"); | |||
} | |||
|
|||
// If sbom flag is set, it requires the unstable feature | |||
let sbom = match gctx.get_env_os("CARGO_BUILD_SBOM") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was mentioned in office hours. Just wrote it down for reference. GlobalContext::get_bool could cover both env and config.
if sbom && !gctx.cli_unstable().sbom { | ||
anyhow::bail!("Cargo build config 'sbom' is unstable; pass `-Zsbom` to enable it"); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe a soft error (warning) is more friendly and won't block people using the same config from different toolchain. Something like
cargo/src/cargo/core/workspace.rs
Lines 325 to 327 in 8733d5a
self.gctx() | |
.shell() | |
.warn("ignoring `resolver` config table without `-Zmsrv-policy`")?; |
(And provide a link to that unstable documentation when we have one)
let sbom = Sbom::new(unit, packages.clone(), rustc.clone()); | ||
|
||
let mut outfile = BufWriter::new(paths::create(sbom_output_file)?); | ||
let output = serde_json::to_string_pretty(&sbom)?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps pretty not important at this moment. Just wonder how big the size of the output sbom would be, and at some point we might want to use serde_json::to_writer_pretty
instead.
What does this PR try to resolve?
This PR is an implementation of RFC 3553 to add support to generate pre-cursor SBOM files for compiled artifacts in Cargo.
How should we test and review this PR?
The RFC 3553 adds a new option to Cargo to emit SBOM pre-cursor files. A project can be configured either by the new Cargo config field
sbom
.or using the environment variable
CARGO_BUILD_SBOM=true
. Thesbom
option is an unstable feature and requires the-Zsbom
flag to enable it.Check out this branch & compile Cargo. Pick a Cargo project to test it on, then run:
All generated
*.cargo-sbom.json
files are located in thetarget
folder alongside their artifacts. To list all generated files use:then check their content. To see the current output format, see these examples.
Additional information
There are a few things that I would like to get feedback on, in particular the generated JSON format is not final. Currently it holds the information listed in the RFC 3553, but it could be further enriched with information only available during builds.
During the implementation a number of questions arose.
UnitGraph
the right structure to determine all dependencies?compile
method to generate the SBOM files appropriate?testsuite
, are useful tests missing?Thanks @arlosi, @RobJellinghaus and @lfrancke for initial guidance & feedback.
serde_json
&axum-core
crates)