Metadata components should not have sub-components

[empwilli]

As of now, cargo-cyclonedx explicitly creates sub-components for the component entry in the metadata for the respective compilation targets.

This appears to contradict with the suggestions in the Authoritative Guide to SBOM, that states, that "The SBOM should have a single bom.metadata.component without subcomponents".

This has the consequence, that generated SBoMs currently cannot be properly processed by third-party tools, e.g., Dependency Track.

[Shnatsel]

More specifically, the guide states that subcomponents should be used in case of a "Multi-Product Solution" rather than a "Multi-Module Product".

You can work around this today with --describe=binaries, but perhaps we should adjust the --describe=crate mode and/or switch to a better default.

Could you share the exact error that DependencyTrack reports?

[empwilli]

Hi, thanks for your advice.

You can work around this today with --describe=binaries, but perhaps we should adjust the --describe=crate mode and/or switch to a better default.

Sadly, I don't see too much difference in the resulting SBoMs:

 >  cargo cyclonedx --describe=crate -a
 >  cargo cyclonedx --describe=binaries -a
 >  diff my-project*.xml
2c2
< <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:5409cd74-0ee9-4d79-a6ff-59855524e122" version="1">
---
> <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:74c46a33-405f-49e2-980d-a592c338df5a" version="1">
4c4
<     <timestamp>2024-08-23T06:07:23.503610541Z</timestamp>
---
>     <timestamp>2024-08-23T06:07:14.152732469Z</timestamp>
25c25
<       <purl>pkg:cargo/my-project@0.1.0?download_url=file://.#src/main.rs</purl>
---
>       <purl>pkg:cargo/my-project@0.1.0?download_url=file://.</purl>

Could you share the exact error that DependencyTrack reports?

It boils down to parsing errors with Jackson in the cyclonedx-core-java package, I've already filed a bug over there, the Dependency Track error logs then contain the stack trace I quoted in CycloneDX/cyclonedx-core-java#447 (comment).

Edit: formatting

[Shnatsel]

Starting with v0.5.8, metadata.components no longer has subcomponents when used with --describe=binaries or --describe=all-cargo-targets