Add ability to specify output path when using as library.

[kurasaiteja]

When using cargo-cyclonedx as a library dependency, we're finding that we can't control the location where SBOM files are written. Currently, write_to_files() always writes relative to the manifest path.

Our use case is integrating cargo-cyclonedx where we need to:

• Write SBOMs to specific directories. (like build/sbom/)
• Control output locations programmatically

It would be helpful if there was a way to specify the output directory, either through:

• Additional configuration in SbomConfig
• Exposing the write_to_file method as a public API could provide the flexibility we need. It would allow us to specify exact file paths for SBOM output, giving us full control over where files are written.

Note: This is related to #775 but focuses on library usage rather than CLI functionality.

[Shnatsel]

It's not hard to stick a pub on write_to_file, but the use of cargo-cyclonedx as a library was never intended. Right now we may break the API in a patch release, since it is assumed to be internal only. The only way to get it not to randomly fail to build on your end is to pin the exact version of cargo-cyclonedx.

[Shnatsel]

Could you tell me more about your use of cargo-cyclonedx as a library? What are the requirements and what are you trying to accomplish?

We might be able to modularize the code and expose stable APIs for some of the functionality, but I need to understand the requirements and use cases before I embark on that project.

[kurasaiteja]

We are currently using cargo-cyclonedx as a library to create SBOM files for cargo packages and workspaces. Instead of using as a binary, we wanted to make generating SBOMs a part of our default build process.

1. Using it as a binary would bloat our build system as this needs to be shipped along with our build system.
2. We wanted to have granular control over creation of SBOM. like currently the command does not support customising output paths, but we want to have it in a particular place that would make life easier for other processes depending on it in our build fleet. Hence we requested to expose the particular write_to_file method

[vonjackets]

Has there been any movement on this lately? We're trying to do something similar to @kurasaiteja , storing SBOMs as versioned artifacts for parsing.

[Shnatsel]

There hasn't. This particular change seems straightforward enough, so you could just open a PR and I'll go ahead and merge it.

Note that the library API of cargo-cyclonedx is unstable, even though it haven't been changing a whole lot in practice. So you need to pin an exact version of cargo-cyclonedx in your Cargo.toml.