
cargo-cyclonedx

The CycloneDX plugin for cargo creates a custom cargo subcommand that generates a Software Bill-of-Materials (SBOM) file that describes the cargo project.

CycloneDX is a lightweight SBOM specification that is easily created, human and machine readable, and simple to parse.

Usage

Installing

```bash
cargo install cargo-cyclonedx
```

Executing from cargo

```bash
cargo cyclonedx
```

This produces a bom.xml file adjacent to every Cargo.toml file that exists in the workspace.

Common command-line options

Manifest Configuration

There are several locations you can set configuration options for convenience. If your project uses a Cargo workspace, you can set configuration as toml values under [workspace.metadata.cyclonedx] in your workspace manifest. These configuration values will propagate to your workspace packages unless you override the values either by specifying toml values under [package.metadata.cyclonedx] in your package manifest or with command-line options.

Option | Values (default) | Description
----------------------- | ------------------- | --------------------------
included_dependencies | top-level, all | Either only direct (top-level) or including transitive (all) dependencies
format | xml*, json | Output format for the SBOM

Precedence

Configuration options will be merged and applied in the following order from lowest to highest precedence.

  1. Defaults
  2. Workspace manifest metadata
  3. Package manifest metadata
  4. Command-line options

Example Workspace Configuration

```toml
[workspace.metadata.cyclonedx]
included_dependencies = "top-level"
format = "xml"
```

Example Package Configuration

You can also specify your configuration using package metadata in your package manifest.

```toml
[package.metadata.cyclonedx]
included_dependencies = "all"
format = "json"
```
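The precedence order above (defaults, then workspace metadata, then package metadata, then command-line options), worked through as an added example rather than code from cargo-cyclonedx itself. It assumes `top-level` is the default for `included_dependencies`, uses a minimal line reader in place of a real TOML library, and takes command-line options as hypothetical `(name, value)` pairs; it rejects any value the option table does not list so a typo cannot silently fall back to a default.

```rust
use std::collections::HashMap;

/// Effective cargo-cyclonedx configuration after precedence merging.
#[derive(Debug, Clone, PartialEq)]
pub struct Config {
    pub included_dependencies: String,
    pub format: String,
}

/// Minimal reader for `key = "value"` lines under one `[section]` of a manifest.
/// Assumption: quoted string values only, which is all these two options need.
fn section_values(manifest: &str, section: &str) -> HashMap<String, String> {
    let mut out = HashMap::new();
    let mut in_section = false;
    for line in manifest.lines().map(str::trim) {
        if line.starts_with('[') {
            in_section = line == format!("[{section}]");
        } else if in_section {
            if let Some((k, v)) = line.split_once('=') {
                out.insert(k.trim().to_string(), v.trim().trim_matches('"').to_string());
            }
        }
    }
    out
}

/// Apply one layer on top of the current config; unknown keys or values
/// (not in the option table) are an error instead of being ignored.
fn apply(cfg: &mut Config, layer: &HashMap<String, String>) -> Result<(), String> {
    for (k, v) in layer {
        match (k.as_str(), v.as_str()) {
            ("included_dependencies", "top-level" | "all") => cfg.included_dependencies = v.clone(),
            ("format", "xml" | "json") => cfg.format = v.clone(),
            _ => return Err(format!("invalid cyclonedx option {k} = {v:?}")),
        }
    }
    Ok(())
}

/// Resolve: defaults < workspace metadata < package metadata < command line.
/// `cli` holds hypothetical (option, value) pairs standing in for real flags.
pub fn resolve(workspace: &str, package: &str, cli: &[(&str, &str)]) -> Result<Config, String> {
    let mut cfg = Config { included_dependencies: "top-level".into(), format: "xml".into() };
    apply(&mut cfg, &section_values(workspace, "workspace.metadata.cyclonedx"))?;
    apply(&mut cfg, &section_values(package, "package.metadata.cyclonedx"))?;
    let cli: HashMap<String, String> =
        cli.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    apply(&mut cfg, &cli)?;
    Ok(cfg)
}
```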

Copyright & License

CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE] file for the full license.