12 releases (5 breaking)

0.8.4 Jul 13, 2023
0.8.3 Jul 10, 2023
0.7.2 Jul 10, 2023
0.6.0 Jul 10, 2023
0.3.1 Jul 4, 2023

#657 in Command line utilities

Download history 315/week @ 2024-01-28 236/week @ 2024-02-04 328/week @ 2024-02-11 284/week @ 2024-02-18 333/week @ 2024-02-25 390/week @ 2024-03-03 379/week @ 2024-03-10 291/week @ 2024-03-17 296/week @ 2024-03-24 352/week @ 2024-03-31 358/week @ 2024-04-07 399/week @ 2024-04-14 332/week @ 2024-04-21 220/week @ 2024-04-28 308/week @ 2024-05-05 356/week @ 2024-05-12

1,221 downloads per month

MIT license

889 lines

Workflow Status


This crate provides a command line tool to create software bill of materials (SBOM) for Cargo / Rust workspaces. It supports both SPDX and CycloneDX outputs.

The latest documentation can be found here.

SBOM or Software Bill of Materials is an industry standard term used to trace and maintain the supply chain security of software.


cargo-sbom may be installed via cargo

cargo install cargo-sbom

via cargo-binstall

cargo binstall cargo-sbom

or downloaded directly from Github Releases

# make sure to adjust the target and version (you may also want to pin to a specific version)
curl -sSL https://github.com/psastras/sbom-rs/releases/download/cargo-sbom-latest/cargo-sbom-x86_64-unknown-linux-gnu -o cargo-sbom


For most cases, simply cd into a cargo workspace and run cargo sbom.


Create software bill of materials (SBOM) for Rust

Usage: cargo sbom [OPTIONS]

      --cargo-package <CARGO_PACKAGE>
          The specific package (in a Cargo workspace) to generate an SBOM for. If not specified this is all packages in the workspace.
      --output-format <OUTPUT_FORMAT>
          The SBOM output format. [default: spdx_json_2_3] [possible values: spdx_json_2_3, cyclone_dx_json_1_4]
      --project-directory <PROJECT_DIRECTORY>
          The directory to the Cargo project. [default: .]
  -h, --help
          Print help
  -V, --version
          Print version


Create a SPDX SBOM for a Cargo project

In a shell:

$ cargo sbom
  "creationInfo": {
    "created": "2023-07-04T12:38:15.211Z",
    "creators": [
      "Tool: cargo-sbom-v0.8.4"
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://docs.rs/cargo_sbom/spdxdocs/cargo-sbom-0.8.4-9cae390a-4b46-457c-95b9-e59a5e62b57d",
  "files": [
  <rest of output omitted>

Create a CycloneDx SBOM in Github Actions

In a Github Actions workflow:

    runs-on: ubuntu-latest
    - uses: actions/checkout@v3
    - uses: psastras/sbom-rs/actions/install-cargo-sbom@cargo-sbom-latest
    - name: Run cargo-sbom
      run: cargo-sbom --output-format=cyclone_dx_json_1_4

Check Dependencies against the Open Source Vulnerability Database (OSV)

Assumming osv-scanner is installed (see https://osv.dev/)

$ cargo-sbom > sbom.spdx.json
$ osv-scanner --sbom=sbom.spdx.json
Scanned sbom.json as SPDX SBOM and found 91 packages
 OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE    │
 https://osv.dev/GHSA-wcg3-cvx6-7396 │ 6.2, │ crates.io │ time    │ 0.1.45  │ sbom.json │
 https://osv.dev/RUSTSEC-2020-0071   │ 6.2  │           │         │         │           │

More examples can be found by browsing the examples section.

Supported SBOM Features


SPDX Field Source
SPDXID Set to "SPDXRef-Document"
creationInfo.created Set as the current time
creationInfo.creators Set to "Tool: cargo-sbom-v(tool version)
dataLicense Set to "CC0-1.0"
documentNamespace set to "https://spdx.org/spdxdocs/(crate-name)-(uuidv4)"
files parsed from Cargo.toml target names
name Set to the project folder name
packages Set to dependencies parsed from cargo-metadata
packages.SPDXID Written as SPDXRef-Package-(crate name)-(crate version)
packages.description Read from Cargo.toml's "description" field
packages.downloadLocation Read from cargo metadata (usually "registry+https://github.com/rust-lang/crates.io-index")
packages.externalRefs If packages.downloadLocation is crates.io, written as a package url formatted string
packages.homepage Read from Cargo.toml's "homepage" field
packages.licenseConcluded Parsed into a SPDX compliant license identifier from Cargo.toml's "license" field
packages.licenseDeclared Read from Cargo.toml's "license" field
packages.name Read from Cargo.toml's "name" field
relationships Set to dependency relationships parsed from cargo-metadata
relationships.relationshipType Set to dependency relationship parsed from cargo-metadata
relationships.spdxElementId Set to dependency relationship source parsed from cargo-metadata
relationships.relatedSpdxElement Set to dependency relationship target parsed from cargo-metadata


CycloneDx Field Source
bomFormat Set to "CycloneDX"
serialNumber Set to "urn:uuid:(uuidv4)"
specVersion Set to 1.4
version Set to 1
metadata.component parsed from the root workspace
metadata.component.name Set to the root workspace folder name
metadata.component.type Set to "application"
metadata.component.components Set to each of the cargo workspace package components
components Set to the componennts parse from cargo-metadata
components.author Read from Cargo.toml's "authors" field
components.bom-ref Set to "CycloneDxRef-Component-(crate-name)-(crate-version)"
components.description Read from Cargo.toml's "description" field
copmonents.licenses Parsed into a SPDX compliant license identifier from Cargo.toml's "license" field
components.name Read from Cargo.toml's "name" field
components.purl If the download location is crates.io, written as a package url formatted string
components.type Read from cargo-metadata crate type
components.version Read from Cargo.toml's "version" field
dependencies Set to dependency relationships parsed from cargo-metadata
dependencies.ref Set to source dependency reference id string
dependencies.dependsOnn Set to target dependencies reference id strings

License: MIT


~152K SLoC