12 releases

0.5.0 Mar 1, 2024
0.4.1 Nov 23, 2023
0.3.8 Jun 28, 2023
0.3.7 Sep 15, 2022
0.3.1 Dec 9, 2021


Apache-2.0


cargo-cyclonedx

This CycloneDX plugin for cargo provides a cargo subcommand that generates a Software Bill of Materials (SBOM) describing the cargo project and its dependencies.

CycloneDX is a lightweight SBOM specification that is easily created, human and machine-readable, and simple to parse.

Usage

Installing

cargo install cargo-cyclonedx

Executing from cargo

cargo cyclonedx

This produces a bom.xml file adjacent to every Cargo.toml file that exists in the workspace.

Command-line options

      --manifest-path <PATH>
          Path to Cargo.toml

  -f, --format <FORMAT>
          Output BOM format: json, xml

      --describe <DESCRIBE>
          Possible values:
          - crate:             Describe the entire crate in a single SBOM file, with Cargo targets as subcomponents. (default)
          - binaries:          A separate SBOM is emitted for each binary (bin, cdylib) while all other targets are ignored
          - all-cargo-targets: A separate SBOM is emitted for each Cargo target, including targets that aren't directly executable (e.g. rlib)

  -v, --verbose...
          Use verbose output (-vv for debug logging, -vvv for tracing)

  -q, --quiet...
          Disable progress reports (-qq to suppress warnings)

      --all-features
          Activate all available features

      --no-default-features
          Do not activate the `default` feature

  -F, --features <FEATURES>
          Space or comma separated list of features to activate

      --target <TARGET>
          The target to generate the SBOM for, e.g. 'x86_64-unknown-linux-gnu'.
          Use 'all' to include dependencies for all possible targets.
          Defaults to the host target, as printed by 'rustc -vV'

      --target-in-filename
          Include the target platform of the BOM in the filename

  -a, --all
          List all dependencies instead of only top-level ones (default)

      --top-level
          List only top-level dependencies

      --override-filename <FILENAME>
          Custom string to use for the output filename

      --license-strict
          Reject the deprecated '/' separator for licenses, treating 'MIT/Apache-2.0' as an error

      --license-accept-named <LICENSE_ACCEPT_NAMED>
          Add license names which will not be warned about when parsing them as a SPDX expression fails

      --spec-version <SPEC_VERSION>
          The CycloneDX specification version to output: `1.3` or `1.4`. Defaults to 1.3

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

Contributing

See CONTRIBUTING for details.

CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.
