This crate provides a command line tool to create software bill of materials (SBOM) for Cargo / Rust workspaces. It supports both SPDX and CycloneDX outputs.
The latest documentation can be found here.
SBOM or Software Bill of Materials is an industry standard term used to trace and maintain the supply chain security of software.
cargo-sbom may be installed via cargo
shell
cargo install cargo-sbom
via cargo-binstall
shell
cargo binstall cargo-sbom
or downloaded directly from Github Releases
```shell
curl -sSL https://github.com/psastras/sbom-rs/releases/download/cargo-sbom-latest/cargo-sbom-x86_64-unknown-linux-gnu -o cargo-sbom ```
For most cases, simply cd into a cargo workspace and run cargo sbom.
shell
$ cargo sbom
{
"SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": {
"created": "2023-07-04T12:38:15.211Z",
"creators": [
"Tool: cargo-sbom-v0.5.0"
]
},
"dataLicense": "CC0-1.0",
"documentNamespace": "https://docs.rs/cargo_sbom/spdxdocs/cargo-sbom-0.5.0-9cae390a-4b46-457c-95b9-e59a5e62b57d",
"files": [
{
<rest of output omitted>
| SPDX Field | Source |
|---------------------------|----------------------------------------------------------------------------------------------------|
| packages.SPDXID | Written as SPDXRef-Package-crate name-crate version |
| packages.description | Read from Cargo.toml's "description" field |
| packages.downloadLocation | Read from cargo metadata (usually "registry+https://github.com/rust-lang/crates.io-index") |
| packages.externalRefs | If packages.downloadLocation is crates.io, written as a package url formatted string |
| packages.homepage | Read from Cargo.toml's "homepage" field |
| packages.licenseConcluded | Parsed from Cargo.toml's "homepage" field |
| packages.licenseDeclared | Read from Cargo.toml's "license" field |
| packages.name | Read from Cargo.toml's "name" field |
None
License: MIT