feat: implement RFC 3553 to add SBOM support #13709
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks. Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (
|
rustbot
added
A-build-execution
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
from
74dafa0
to
190682e
Compare
|
Much respect for your contribution. From my kind reminders, it seems appropriate to modify the documentation of the corresponding sections, e.g. Configuration, Environment Variables. |
|
Thanks for the reminder, @heisen-li. Would love to see a doc update, though we should probably focus on the design discussion first, as the location of the configuration is not yet decided. (See rust-lang/rfcs#3553 (comment)). |
|
One approach for the docs (if this is looking to be merged) is to put the env and config documentation fragments in the Unstable docs. |
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
from
190682e
to
ae0881c
Compare
| .iter() | ||
| .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable)) | ||
| .filter_map(|output_file| output_file.hardlink.as_ref()) | ||
| .map(|link_dst| link_dst.with_extension("cargo-sbom.json")) |
There was a problem hiding this comment.
Do we want to handle name collisions here? For example dylibs might collide with each their as their name have no -<hash> suffix.
See #6313 for some details.
There was a problem hiding this comment.
Tbh, I'm not sure how to solve this.
There was a problem hiding this comment.
This is already a problem for debug info, e.g. .pdb files on Windows. They have to be attributable to the file they correspond to, so they have the same name and cause a name collision. Cargo currently prints a warning about it, but otherwise just lets the collision happen and one of the debug info files is lost. However, losing SBOM info is highly undesirable.
We are not constrained by having the exact same name for the SBOM (unlike for debug info where we don't control the way it is discoverd), so we could do something about this.
I think we should emit all SBOM files in case of a collision, with a predictable naming scheme such as adding a number to the extension - foo.sbom, then foo.1.sbom and so on. The SBOM file will then contain the name of the binary it corresponds to, so that it can be disambiguated.
There was a problem hiding this comment.
I think we should emit all SBOM files in case of a collision, with a predictable naming scheme such as adding a number to the extension - foo.sbom, then foo.1.sbom and so on. The SBOM file will then contain the name of the binary it corresponds to, so that it can be disambiguated.
This is a good idea. As an experimental feature we could have this temporarily. And We need to make sure this must be resolved before stabilization at least.
There was a problem hiding this comment.
Should we append the .cargo-sbom.json extension rather than change the extension? That way if the SBOM file has a name collision, then the binary would also have a name collision. The name collision problem still needs to be solved, but I don't think we should solve it only for the sbom file.
tests/testsuite/sbom.rs
Outdated
| assert!(p.bin("foo").with_extension("cargo-sbom.json").is_file()); | ||
| assert_eq!( | ||
| 1, | ||
| p.glob(p.target_debug_dir().join("libfoo.cargo-sbom.json")) |
There was a problem hiding this comment.
I guess we might need to deal with different naming convention on different platform. (Windows specifically?)
There was a problem hiding this comment.
Maybe the glob call can be simplified in a way that it works for all platforms.
|
☔ The latest upstream changes (presumably #13571) made this pull request unmergeable. Please resolve the merge conflicts. |
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
4 times, most recently
from
1cfd71a
to
376fe1e
Compare
Similar to the generation of `depinfo` files, a function is called to generated SBOM precursor file named `output_sbom`. It takes the `BuildRunner` & the current `Unit`. The `sbom` flag can be specified as a cargo build option, but it's currently not configured correctly. To test the generation the flag is set to `true`. This passes in the cargo build config `sbom`.
This ignores dependencies for custom build scripts. The output should be similar to what `cargo tree` reports.
This is similar to what the `cargo metadata` command outputs.
This extracts the logic to get the list of SBOM output file paths into its own function in `BuildRunner` for a given Unit.
* extract sbom config into helper function
Still needs to check output.
* disable `sbom` config when `-Zsbom` is not passed as unstable option * refactor tests * add test
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
3 times, most recently
from
512c7ff
to
67332d6
Compare
This expands the tests to reflect end-to-end tests by comparing the generated JSON output files with expected strings. * add test helper to compare actual & expected JSON content * refactor setup of packages in test
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
from
67332d6
to
0aa10e9
Compare
| .iter() | ||
| .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable)) | ||
| .filter_map(|output_file| output_file.hardlink.as_ref()) | ||
| .map(|link_dst| link_dst.with_extension("cargo-sbom.json")) |
There was a problem hiding this comment.
I think we should emit all SBOM files in case of a collision, with a predictable naming scheme such as adding a number to the extension - foo.sbom, then foo.1.sbom and so on. The SBOM file will then contain the name of the binary it corresponds to, so that it can be disambiguated.
This is a good idea. As an experimental feature we could have this temporarily. And We need to make sure this must be resolved before stabilization at least.
tests/testsuite/sbom.rs
Outdated
| .masquerade_as_nightly_cargo(&["sbom"]) | ||
| .with_stderr( | ||
| "\ | ||
| warning: ignoring 'sbom' config, pass `-Zsbom` to enable it\n\ |
There was a problem hiding this comment.
| warning: ignoring 'sbom' config, pass `-Zsbom` to enable it\n\ | |
| [WARNING] ignoring 'sbom' config, pass `-Zsbom` to enable it\n\ |
| fn from(target: &Target) -> Self { | ||
| SbomTarget { | ||
| kind: target.kind().clone(), | ||
| crate_type: target.kind().rustc_crate_types().first().cloned(), |
There was a problem hiding this comment.
Regarding the fact that we might have multiple crate-types in one unit, this seems to lose that information.
There was a problem hiding this comment.
I hadn't thought of the multiple crate-types when I wrote the RFC. It seems we probably need to make this field an array in the JSON so we're not losing this.
| dependencies: Vec<SbomDependency>, | ||
| build_type: SbomBuildType, | ||
| ) -> Self { | ||
| let package_id = dep.unit.pkg.package_id(); |
There was a problem hiding this comment.
Same as the top level package. Package ID Spec is the only stable representation in Cargo to describe a package version coordinate.
| let package_id = dep.unit.pkg.package_id(); | |
| let package_id = dep.unit.pkg.package_id().to_spec(); |
| } | ||
|
|
||
| #[derive(Serialize)] | ||
| struct Sbom { |
There was a problem hiding this comment.
Do we need a dependencies field for this top-level Sbom?
(Just a question. I don't really know if other SBOM formats need it to recover the dependency graph)
There was a problem hiding this comment.
Ideally, yes. Copying my comment from the RFC:
Note that there are two ways of looking at dependencies: what each package needs, and the final resolved graph.
For example, if one package depends on
randwithfeatures = ["std", "getrandom"], and another withfeatures = ["std", "simd_support"], the final resolved features will be["std", "getrandom", "simd_support"]. Depending on the use case you may need either or both representations (direct package dependencies and the resolved graph).
cargo metadataexposes both (under "packages" and "resolve" fields), but inaccurately:
- cargo-metadata always resolves features at the workspace level #7754
- Under resolver v2, it conflates the normal and build-dependency trees
I think it would be best for the SBOM to also expose both, accurately this time.
So what I would like to see is two resolved dependency trees: one for normal dependencies and one for build dependencies, matching the way feature resolver v2 works.
| version: String, | ||
| source: String, | ||
| target: SbomTarget, | ||
| profile: Profile, |
There was a problem hiding this comment.
Bad news. People can override profiles for individual packages. So, only a top-level profile might not be enough to represent the build.
(The truth is, I am not an SBOM expert, so just provide information for you to consider)
There was a problem hiding this comment.
Great point. This makes it seem like the profile needs to be captured for each package.
There was a problem hiding this comment.
Is it sufficient to only include a package's profile when it differs from the root level one?
There was a problem hiding this comment.
Could we have some extra tests
- A package with multiple
crate-types. - A package that artifact name conflicts.
tests/testsuite/sbom.rs
Outdated
| .file("src/lib.rs", "pub fn bar() -> i32 { 2 }") | ||
| .file( | ||
| "build.rs", | ||
| r#"fn main() { println!("cargo::rustc-cfg=foo"); }"#, |
There was a problem hiding this comment.
You may need to add one more build script instruction cargo::rustc-check-cfg=cfg(has_foo) to avoid unexpected_cfg lint error.
| .iter() | ||
| .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable)) | ||
| .filter_map(|output_file| output_file.hardlink.as_ref()) | ||
| .map(|link_dst| link_dst.with_extension("cargo-sbom.json")) |
There was a problem hiding this comment.
Should we append the .cargo-sbom.json extension rather than change the extension? That way if the SBOM file has a name collision, then the binary would also have a name collision. The name collision problem still needs to be solved, but I don't think we should solve it only for the sbom file.
| fn from(target: &Target) -> Self { | ||
| SbomTarget { | ||
| kind: target.kind().clone(), | ||
| crate_type: target.kind().rustc_crate_types().first().cloned(), |
There was a problem hiding this comment.
I hadn't thought of the multiple crate-types when I wrote the RFC. It seems we probably need to make this field an array in the JSON so we're not losing this.
| } | ||
|
|
||
| #[derive(Serialize, Clone)] | ||
| struct SbomRustc { |
There was a problem hiding this comment.
I'd expect it would be the same as when running rustc -vV with a local build. What do we get here currently for a locally built rustc?
| version: String, | ||
| source: String, | ||
| target: SbomTarget, | ||
| profile: Profile, |
There was a problem hiding this comment.
Great point. This makes it seem like the profile needs to be captured for each package.
Instead of replacing the file extension, the `.cargo-sbom.json` suffix is appended to the output file. This is to keep existing file extensions in place. * refactor logic to set `sbom` property from build config * expand build script related test to check JSON output
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
from
c8e1bc8
to
8d5fa4d
Compare
* use `PackageIdSpec` instead of only `PackageId` in SBOM output * change `version` of a dependency to `Option<Version>` * output `Vec<CrateType>` instead of only the first found crate type * output rustc workspace wrapper * update 'warning' string in test using `[WARNING]` * use `serde_json::to_writer` to serialize SBOM * set sbom suffix in tests explicitely, instead of using `with_extension`
justahero
force-pushed
the
rfc3553/cargo-sbom-support
branch
from
8d5fa4d
to
a29ec29
Compare
In case a unit's profile differs from the profile information on root level, it's added to the package information to the JSON output. The verbose output for `rustc -vV` is also written to the `rustc` field in the SBOM. * rename `fetch_packages` to `collect_packages` * update JSON in tests to include profile information
What does this PR try to resolve?
This PR is an implementation of RFC 3553 to add support to generate pre-cursor SBOM files for compiled artifacts in Cargo.
How should we test and review this PR?
The RFC 3553 adds a new option to Cargo to emit SBOM pre-cursor files. A project can be configured either by the new Cargo config field
sbom.or using the environment variable
CARGO_BUILD_SBOM=true. Thesbomoption is an unstable feature and requires the-Zsbomflag to enable it.Check out this branch & compile Cargo. Pick a Cargo project to test it on, then run:
All generated
*.cargo-sbom.jsonfiles are located in thetargetfolder alongside their artifacts. To list all generated files use:then check their content. To see the current output format, see these examples.
What does the PR not solve?
The PR leaves a task(s) open that are either out of scope or should be done in a follow-up PRs.
Additional information
There are a few things that I would like to get feedback on, in particular the generated JSON format is not final. Currently it holds the information listed in the RFC 3553, but it could be further enriched with information only available during builds.
During the implementation a number of questions arose.
UnitGraphthe right structure to determine all dependencies?compilemethod to generate the SBOM files appropriate?testsuite, are useful tests missing?Thanks @arlosi, @RobJellinghaus and @lfrancke for initial guidance & feedback.
serde_json&axum-corecrates)