The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all project dependencies. OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard providing advanced supply chain capabilities for cyber risk reduction.
This repository contains two separate projects:
cyclonedx-bomis a Rust library to read and write CycloneDX SBOMs to and from Rust structs.cargo-cyclonedxis a Rust application, which generates CycloneDX SBOMs for Cargo based Rust projects (it usescyclonedx-bomfor that purpose).
Execute cargo-cyclonedx from within a Rust project directory containing Cargo.toml.
cargo install cargo-cyclonedx~/.cargo/bin/cargo-cyclonedx cyclonedxcargo cyclonedxcargo-cyclonedx calls into Cargo internally to get information about a Rust project. Like nearly any other build system,
Cargo may run arbitrary code
when invoked on an untrusted project, so cargo-cyclonedx should not be called on untrusted projects either.
Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the Cargo.lock file.
However, the only way to generate the Cargo.lock file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.
Contributions are welcome.
See our CONTRIBUTING.md for details.
We are running a Bug Bounty program financed by the Bug Resilience Program of the Sovereign Tech Fund. Thank you very much!
CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}
![@github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=64&v=4){kind=small}
