feat: add cargo-cyclonedx as native Rust SBOM generator #102
vpetersson merged 7 commits into master from
Conversation
Add cargo-cyclonedx v0.5.7 as the authoritative generator for Rust/Cargo projects, giving Rust first-class support alongside Python's cyclonedx-py.

Dockerfile:
- Add rust-builder stage that downloads pre-built binary for amd64 and compiles from source for arm64 (no arm64 binary available)
- Add CARGO_CYCLONEDX_VERSION to centralized tool versions

Generator:
- Create CycloneDXCargoGenerator with priority 10 (native)
- Support Cargo.lock files with CycloneDX 1.4, 1.5, 1.6 output
- Register in default generator registry

Additional packages:
- Update generate_additional_packages.sh to emit cargo-cyclonedx PURL

Tests:
- Add 20 tests covering generator properties, support checking, version validation, command-line args, and registry priority
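As an added illustration (not the sbomify-action code itself), a minimal Python model of the behaviour the description above lists: a native generator at priority 10 chosen ahead of lower-priority fallbacks, a Cargo.lock support check, spec-version validation against 1.4/1.5/1.6, and command-line construction. Assumptions: a lower priority number is tried first, the cdxgen/trivy entries and their priorities are constructed for the example, and the cargo-cyclonedx flags are assumed rather than taken from the PR.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Spec versions the PR states cargo-cyclonedx output is supported for.
SUPPORTED_SPEC_VERSIONS = ("1.4", "1.5", "1.6")
DEFAULT_SPEC_VERSION = "1.6"


@dataclass(frozen=True)
class Generator:
    """Registry entry for one SBOM generator (hypothetical shape)."""
    name: str
    priority: int           # assumption: lower value is tried first; 10 = native
    lockfile: str           # lockfile name this generator understands
    available: bool = True  # whether the tool is installed in this image

    def supports(self, path: Path) -> bool:
        return self.available and path.name == self.lockfile


def select_generator(registry, path: Path) -> Optional[Generator]:
    """Return the best installed generator for a lockfile, or None."""
    candidates = [g for g in registry if g.supports(path)]
    return min(candidates, key=lambda g: g.priority) if candidates else None


def cargo_cyclonedx_command(lockfile: Path, spec_version: str = DEFAULT_SPEC_VERSION) -> list:
    """Build the cargo-cyclonedx invocation, rejecting unsupported spec versions.

    The flags are assumed for illustration; confirm them against
    `cargo cyclonedx --help` for the installed version.
    """
    if lockfile.name != "Cargo.lock":
        raise ValueError(f"not a Cargo lockfile: {lockfile}")
    if spec_version not in SUPPORTED_SPEC_VERSIONS:
        raise ValueError(f"unsupported CycloneDX spec version {spec_version!r}")
    manifest = lockfile.parent / "Cargo.toml"
    return ["cargo", "cyclonedx", "--manifest-path", str(manifest),
            "--format", "json", "--spec-version", spec_version]


# Constructed registry mirroring the ordering the PR's tests rely on:
# the native generator at 10, generic scanners as lower-priority fallbacks.
DEFAULT_REGISTRY = (
    Generator("cargo-cyclonedx", 10, "Cargo.lock"),
    Generator("cdxgen", 40, "Cargo.lock"),
    Generator("trivy", 50, "Cargo.lock"),
)
```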
Pull request overview
This PR adds native Rust SBOM generation support via cargo-cyclonedx v0.5.7, establishing Rust as a first-class ecosystem alongside Python. The implementation includes Docker image updates for binary installation/compilation, a new CycloneDXCargoGenerator plugin with priority 10 (native), and comprehensive test coverage.
Changes:
- Added cargo-cyclonedx as the authoritative generator for Rust/Cargo projects with native priority
- Integrated cargo-cyclonedx into Docker build pipeline (pre-built binary for amd64, source compilation for arm64)
- Created comprehensive test suite with 20 tests covering generator functionality and registry priority
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Dockerfile | Added rust-builder stage to install cargo-cyclonedx v0.5.7 with platform-specific handling |
| sbomify_action/_generation/protocol.py | Defined cargo-cyclonedx version constants (1.4-1.6, default 1.6) |
| sbomify_action/_generation/generators/cyclonedx_cargo.py | Implemented CycloneDXCargoGenerator plugin for Cargo.lock files |
| sbomify_action/_generation/generators/__init__.py | Exported CycloneDXCargoGenerator in public API |
| sbomify_action/_generation/generator.py | Registered CycloneDXCargoGenerator in default registry |
| scripts/generate_additional_packages.sh | Added PURL emission for cargo-cyclonedx package |
| tests/test_cyclonedx_cargo_generator.py | Added comprehensive test suite covering generator behavior and priority |
| README.md | Updated documentation to reflect cargo-cyclonedx as native Rust generator |
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 16 comments.
…bility
- Rename 'input' to 'gen_input' in test_cyclonedx_cargo_generator.py to avoid shadowing Python's built-in input() function (16 instances)
- Add mocks for _TRIVY_AVAILABLE and _CDXGEN_AVAILABLE in test_registry_order_for_cargo_lock to ensure test passes regardless of which tools are installed in CI environment
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.