Enhancement: Use SBOM generated by Cargo #192

SDAChess opened this issue Mar 18, 2025 · 6 comments (status: Open)
Labels
enhancement New feature or request

Comments

@SDAChess

Hello,

With the merge of the Cargo SBOM into Cargo Nightly (rust-lang/cargo@7ea222d), it would be a valuable addition to the cargo-auditable code to ingest the dependencies from the generated SBOM.

It would probably solve a lot of common issues related to cargo metadata command.

I think cargo-auditable is still very relevant in generating the SBOMs from tools like syft when using containers that have their own dependencies and would love to see this work in cargo-auditable.

Let me know if there is anything I could do to help this effort, especially if you need help with contributions.

@bjorn3

bjorn3 commented Mar 18, 2025

I think the Cargo SBOM is produced after compiling a crate, while cargo-auditable needs to know it before compiling the crate to be able to inject an object file with the sbom when linking.

@Shnatsel (Member)

Yes, this is absolutely on my radar, both for cargo-auditable and cargo-cyclonedx. It would indeed work around all the issues with cargo-metadata.

I am currently seeking funding to be able to work full-time on cargo-auditable and cargo-cyclonedx for a while, specifically to implement this. But I'd be happy to accept a pull request that implements this as well.

@Shnatsel (Member)

Shnatsel commented Mar 18, 2025

Regarding the time when the SBOM is written:

I specifically called out in the RFC for this functionality that the SBOM has to be written before the crate is actually compiled to be usable to cargo-auditable. I've checked just now, and the SBOM does seem to be generated before the crate is compiled.

Here's a quick Linux-only test to prove that the native SBOM is usable for cargo-auditable:

Name this wrapper.sh and put it in your home directory:

```sh
#!/bin/sh
# Dump the environment Cargo passes to the wrapper so CARGO_SBOM_PATH can be inspected.
env > "$HOME"/env.dump
# Copy the SBOM precursor to $HOME before the compiler runs. Multi-target crates
# list more than one path here, which this quick test does not handle.
cp "$CARGO_SBOM_PATH" "$HOME"
# Run the real rustc with the original arguments.
"$@"
```

And run this on your Cargo project:

cargo clean; RUSTC_WORKSPACE_WRAPPER="$HOME"/wrapper.sh CARGO_BUILD_SBOM=true cargo +nightly build -Z sbom

If it all worked, you will see env.dump and a SBOM JSON file in your home directory.

The script ignores multi-target crates for simplicity, so best run this on a "hello world".

@Shnatsel Shnatsel added the enhancement New feature or request label Mar 18, 2025
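As an added example (not part of Shnatsel's comment or of the cargo-auditable project), here is a variant of the wrapper that also covers the multi-target case the quick test skips. It assumes, as the unstable Cargo docs describe, that CARGO_SBOM_PATH holds one path per build target, separated by colons, and it treats a precursor that does not exist yet as a failure, because "written before the crate is compiled" is exactly the property cargo-auditable depends on. The SBOM_OUT_DIR variable is a hypothetical name chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the issue: a RUSTC_WORKSPACE_WRAPPER that copies
# every SBOM precursor listed in CARGO_SBOM_PATH (assumed colon-separated, one
# entry per build target) into a collection directory before the real rustc runs.

# collect_sboms LIST DEST
# Copies each file in the colon-separated LIST into DEST, numbering the copies so
# a multi-target crate does not overwrite its own files. Returns 1 if any listed
# path is missing at this point, i.e. the SBOM was not written before compilation.
collect_sboms() {
    list="$1"
    dest="$2"
    mkdir -p "$dest"
    missing=0
    n=0
    old_ifs="$IFS"
    IFS=:
    for path in $list; do
        [ -n "$path" ] || continue
        n=$((n + 1))
        if [ -f "$path" ]; then
            cp "$path" "$dest/sbom-$n.json"
        else
            echo "missing SBOM precursor: $path" >&2
            missing=1
        fi
    done
    IFS="$old_ifs"
    return "$missing"
}

# count_sboms DEST: number of collected precursor files in DEST.
count_sboms() {
    ls "$1"/sbom-*.json 2>/dev/null | wc -l | tr -d ' '
}

# When Cargo invokes the wrapper, the arguments are the rustc command line:
# collect the precursors first, fail loudly if one is missing, then exec rustc.
if [ "$#" -gt 0 ] && [ -n "${CARGO_SBOM_PATH:-}" ]; then
    collect_sboms "$CARGO_SBOM_PATH" "${SBOM_OUT_DIR:-$HOME/sbom-out}" || exit 1
    exec "$@"
fi
```

Run it the same way as the wrapper above (RUSTC_WORKSPACE_WRAPPER pointing at the script, CARGO_BUILD_SBOM=true, cargo +nightly build -Z sbom); a crate with several build targets then yields sbom-1.json, sbom-2.json, and so on in the output directory, and a non-zero exit from the wrapper means a precursor was not yet present when the compiler was about to run.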
@SDAChess (Author)

> I am currently seeking funding to be able to work full-time on cargo-auditable and cargo-cyclonedx for a while, specifically to implement this. But I'd be happy to accept a pull request that implements this as well.

Will ask around if funding is available for such a project from our company.

> I specifically called out in the rust-lang/rfcs#3553 that the SBOM has to be written before the crate is actually compiled to be usable to cargo-auditable. I've checked just now, and the SBOM does seem to be generated before the crate is compiled.

Good to know! Will try and see if that works.

@Shnatsel (Member)

That might not be needed, if we're lucky. I've already found an entity that is quite enthusiastic about funding this work. We'll see if it converts into actual funding. Once it's clear if this works out or falls through, I'll let you know.

@arlosi

arlosi commented Apr 17, 2025

Please let me know if there are issues using Cargo's SBOM support in cargo-auditable.

Having more projects (especially OSS projects) using the feature gets us closer to stabilization in Cargo.

4 participants