11 releases

0.4.1 Nov 23, 2023
0.4.0 Nov 13, 2023
0.3.8 Jun 28, 2023
0.3.7 Sep 15, 2022
0.3.1 Dec 9, 2021

#69 in Cargo plugins

Download history 107/week @ 2023-08-16 112/week @ 2023-08-23 85/week @ 2023-08-30 88/week @ 2023-09-06 50/week @ 2023-09-13 114/week @ 2023-09-20 90/week @ 2023-09-27 124/week @ 2023-10-04 145/week @ 2023-10-11 129/week @ 2023-10-18 164/week @ 2023-10-25 136/week @ 2023-11-01 222/week @ 2023-11-08 141/week @ 2023-11-15 216/week @ 2023-11-22 200/week @ 2023-11-29

805 downloads per month

Apache-2.0

605KB
14K SLoC

Build Status Crates.io License Website Slack Invite Group Discussion Twitter

cargo-cyclonedx

The CycloneDX plugin for cargo creates a custom cargo subcommand that generates a Software Bill-of-Materials (SBOM) file that describes the cargo project.

CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

Usage

Installing

cargo install cargo-cyclonedx

Executing from cargo

cargo cyclonedx

This produces a bom.xml file adjacent to every Cargo.toml file that exists in the workspace.

Command-line options

      --manifest-path <PATH>
          Path to Cargo.toml

  -f, --format <FORMAT>
          Output BOM format: json, xml

  -v, --verbose...
          Use verbose output (-vv very verbose/build.rs output)

  -q, --quiet
          No output printed to stdout

      --all-features
          Activate all available features

      --no-default-features
          Do not activate the `default` feature

  -F, --features <FEATURES>
          Space or comma separated list of features to activate

      --target <TARGET>
          The target to generate the SBOM for, e.g. 'x86_64-unknown-linux-gnu'.
          Use 'all' to include dependencies for all possible targets.
          Defaults to the host target, as printed by 'rustc -vV'

      --target-in-filename
          Include the target platform of the BOM in the filename. Implies --output-cdx

  -a, --all
          List all dependencies instead of only top-level ones (default)

      --top-level
          List only top-level dependencies

      --output-cdx
          Prepend file extension with .cdx

      --output-pattern <PATTERN>
          Prefix patterns to use for the filename: bom, package

      --output-prefix <FILENAME_PREFIX>
          Custom prefix string to use for the filename

      --license-strict
          Reject the deprecated '/' separator for licenses, treating 'MIT/Apache-2.0' as an error

      --license-accept-named <LICENSE_ACCEPT_NAMED>
          Add license names which will not be warned about when parsing them as a SPDX expression fails

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.

Dependencies

~13MB
~245K SLoC