feat: implement RFC 3553 to add SBOM support #13709

Open
wants to merge 23 commits into base: master

Commits on May 28, 2024

  1. Explore location to generate SBOM precursor files (4f15b21)

    Similar to the generation of `depinfo` files, a function is called to
    generate the SBOM precursor file named `output_sbom`. It takes the
    `BuildRunner` & the current `Unit`. The `sbom` flag can be specified as
    a cargo build option, but it's currently not configured correctly. To
    test the generation the flag is set to `true`.

    This passes in the cargo build config `sbom`.
    justahero committed May 28, 2024
  2. Commit d8db269
  3. Output source & profile (78ad753)

    justahero committed May 28, 2024
  4. Commit e3bf57d
  5. Trying to fetch all dependencies (5296c9e)

    This ignores dependencies for custom build scripts. The output should be
    similar to what `cargo tree` reports.
    justahero committed May 28, 2024
  6. Output package dependencies (4a6a363)

    This is similar to what the `cargo metadata` command outputs.
    justahero committed May 28, 2024
  7. Extract logic to fetch sbom output files (7c13dc7)

    This extracts the logic to get the list of SBOM output file paths into
    its own function in `BuildRunner` for a given Unit.
    justahero committed May 28, 2024
  8. Commit cbd874f
  9. Add test to check project with bin & lib (11dc92d)

    * extract sbom config into helper function
    justahero committed May 28, 2024
  10. Commit 9b6e7f7
  11. Add test to read JSON (def6960)

    Still needs to check output.
    justahero committed May 28, 2024
  12. Commit fd0381a
  13. Commit 5ba5f32
  14. Re-organize imports (c48d65f)

    justahero committed May 28, 2024
  15. Integrate review feedback (755fa61)

    * disable `sbom` config when `-Zsbom` is not passed as unstable option
    * refactor tests
    * add test
    justahero committed May 28, 2024
  16. Expand end-to-end tests (5c39a4a)

    This expands the tests to reflect end-to-end tests by comparing the
    generated JSON output files with expected strings.

    * add test helper to compare actual & expected JSON content
    * refactor setup of packages in test
    justahero committed May 28, 2024
  17. Commit 3656e32
  18. Commit 96f348a
  19. Append SBOM file suffix instead of replacing (9fa3075)

    Instead of replacing the file extension, the `.cargo-sbom.json` suffix
    is appended to the output file. This is to keep existing file extensions
    in place.

    * refactor logic to set `sbom` property from build config
    * expand build script related test to check JSON output
    justahero committed May 28, 2024
  20. Integrate review feedback (e9e171d)

    * use `PackageIdSpec` instead of only `PackageId` in SBOM output
    * change `version` of a dependency to `Option<Version>`
    * output `Vec<CrateType>` instead of only the first found crate type
    * output rustc workspace wrapper
    * update 'warning' string in test using `[WARNING]`
    * use `serde_json::to_writer` to serialize SBOM
    * set sbom suffix in tests explicitly, instead of using `with_extension`
    justahero committed May 28, 2024
  21. Output additional fields to JSON (809bc80)

    In case a unit's profile differs from the profile information on root
    level, it's added to the package information in the JSON output.

    The verbose output for `rustc -vV` is also written to the `rustc` field
    in the SBOM.

    * rename `fetch_packages` to `collect_packages`
    * update JSON in tests to include profile information
    justahero committed May 28, 2024
  22. Commit ca659a1
  23. Commit 1e9f5c7