SBOM generator for Rust modules
Project description
SBOM4Rust
SBOM4Rust generates a SBOM (Software Bill of Materials) for Rust application or library in a number of formats including
SPDX and CycloneDX.
It identifies all the dependent components which are explicity defined in the Cargo.lock
file and reports the relationships between the components.
It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.
Installation
To install use the following command:
pip install sbom4rust
Alternatively, just clone the repo and install dependencies using the following command:
pip install -U -r requirements.txt
The tool requires Python 3 (3.7+). It is recommended to use a virtual python environment especially
if you are using different versions of python. virtualenv
is a tool for setting up virtual python environments which
allows you to have all the dependencies for the tool set up in a single environment, or have different environments set
up for testing using different versions of Python.
Usage
usage: sbom4rust [-h] [-d DEPENDENCY] [-a APPLICATION] [--debug]
[--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}]
[-o OUTPUT_FILE] [-V]
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
Input:
-d DEPENDENCY, --dependency DEPENDENCY
Directory containing Cargo.lock dependency file
-a APPLICATION, --application APPLICATION
Name of application
Output:
--debug add debug information
--sbom {spdx,cyclonedx}
specify type of sbom to generate (default: spdx)
--format {tag,json,yaml}
format for SPDX software bill of materials (sbom) (default: tag)
-o OUTPUT_FILE, --output-file OUTPUT_FILE
output filename (default: output to stdout)
Operation
The --dependency
option is used to identify the directory containing the Cargo.lock
dependency file.
If this option is not specified, the current directory is assumed.
The --application
option is used to specify an application within the Cargo.lock
dependency file. This option must be specified.
The --sbom
option is used to specify the format of the generated SBOM (the default is SPDX). The --format
option
can be used to specify the formatting of the SPDX SBOM (the default is Tag Value format but JSON and YAML format are also supported).
All CycloneDX SBOMs are generated in JSON format.
The --output-file
option is used to control the destination of the output generated by the tool. The
default is to report to the console but can be stored in a file (specified using --output-file
option).
All module licences are reported as 'NOASSERTION'. All module suppliers are reported as 'UNKNOWN'.
Licence
Licenced under the Apache 2.0 Licence.
Limitations
This tool is meant to support software development and security audit functions. The usefulness of the tool is dependent on the SBOM data which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool are therefore reminded that they should assert the quality of any data which is provided to the tool.
Feedback and Contributions
Bugs and feature requests can be made via GitHub Issues.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
File details
Details for the file sbom4rust-0.5.0-py2.py3-none-any.whl
.
File metadata
- Download URL: sbom4rust-0.5.0-py2.py3-none-any.whl
- Upload date:
- Size: 12.1 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.10.8
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8ca594ca7afd339682e500871dbf4d56fcab8ccf088e46bdb1ffe798c6803028 |
|
MD5 | f4d69cc1f25c7d1d9894961593f4a042 |
|
BLAKE2b-256 | 23cc702ce574c4741c265174cf9f6e5c0169400c3e10a150dea012043c0373a8 |