From 9dc1aba79b2ed847fcec69443faa29356ef2c590 Mon Sep 17 00:00:00 2001 From: "Sergey \"Shnatsel\" Davidoff" Date: Tue, 4 Mar 2025 17:32:25 +0000 Subject: [PATCH] Document security considerations in the cargo-cyclonedx README Signed-off-by: Sergey "Shnatsel" Davidoff --- cargo-cyclonedx/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/cargo-cyclonedx/README.md b/cargo-cyclonedx/README.md index 7cc94351..05d2d78b 100644 --- a/cargo-cyclonedx/README.md +++ b/cargo-cyclonedx/README.md @@ -102,6 +102,15 @@ By contrast, `cargo cyclonedx` sources data both from `Cargo.lock` and from [`ca - Omit dev-dependencies, which cannot affect the final executable - Record additional fields such as the license for every component +## Security considerations + +`cargo-cyclonedx` calls into Cargo internally to get information about a Rust project. Like nearly any other build system, +Cargo [may run arbitrary code](https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-projects-4c31c89a78d6) +when invoked on an untrusted project, so `cargo-cyclonedx` should not be called on untrusted projects either. + +Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the `Cargo.lock` file. +However, the only way to generate the `Cargo.lock` file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project. + ## Contributing See [CONTRIBUTING](../CONTRIBUTING.md) for details.
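Review bot: the last sentence of the new "Security considerations" section ("this issue is currently unavoidable for any tool that describes a Cargo project") reads as broader than what the preceding sentence establishes. The paragraph itself says that some tools only parse `Cargo.lock` and never invoke Cargo, so those tools do not run project code on their own; the risk is inherited only when `Cargo.lock` is absent and has to be produced by running Cargo. Consider tightening it to something like "so any tool that has to generate `Cargo.lock` first inherits this risk, even if it never invokes Cargo itself", and optionally pointing readers to the same precaution as the first paragraph (do not run it on untrusted projects). Also a style nit: the first paragraph is hard-wrapped at roughly 120 columns while the second paragraph's sentence "However, the only way to generate the `Cargo.lock` file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project." is left on a single long line; wrap it to match the surrounding README.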