
Add --workspace-sboms flag for workspace SBOMs #870

Open
salim-runsafe wants to merge 1 commit into CycloneDX:main from runsafesecurity:workspace-sboms-flag

Conversation

@salim-runsafe


When cargo cyclonedx runs against a Rust workspace, it currently emits an SBOM for every workspace member. Some workflows only need the SBOM for the crate being built from a specific manifest.

Add --workspace-sboms with values all (default) and manifest-only. The default preserves existing behavior. manifest-only limits output to the manifest from --manifest-path or the current directory.

Return a clear error when manifest-only is used with a virtual workspace root manifest that does not match any member crate.

We've been using a fork of this repo with these changes (without the CLI flag) for a while now without issue and wanted to bring the feature upstream.

I wasn't sure if it is appropriate to fill out the CHANGELOG.md with an Unreleased section or not and can revert that if needed.

When cargo cyclonedx runs against a workspace, it currently emits
an SBOM for every workspace member. Some CI flows only need the
SBOM for the crate being built from a specific manifest.

Add --workspace-sboms with values all (default) and manifest-only.
The default preserves existing behavior. manifest-only limits output
to the manifest from --manifest-path or the current directory.

Return a clear error when manifest-only is used with a virtual
workspace root manifest that does not match any member crate.

Signed-off-by: Salim Blume <salim@runsafesecurity.com>
salim-runsafe requested a review from a team as a code owner on June 10, 2026 23:15
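
The selection rule the description above specifies (`all` keeps every member; `manifest-only` keeps only the member whose manifest matches `--manifest-path` or `<cwd>/Cargo.toml`, and a manifest that is not a member, such as a virtual workspace root, is an error), as an added Rust example that is not the PR's code. `Member`, `WorkspaceSboms`, `select_members` and the `/repo/...` paths are hypothetical stand-ins for what `cargo metadata` would provide.

```rust
use std::path::{Component, Path, PathBuf};
/// Values of the proposed `--workspace-sboms` flag.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum WorkspaceSboms { All, ManifestOnly }

/// A workspace member as `cargo metadata` reports it (constructed stand-in).
#[derive(Clone, Debug, PartialEq)]
pub struct Member { pub name: String, pub manifest_path: PathBuf }

/// Lexically drop `.`/`..` so `crates/../Cargo.toml` and `Cargo.toml` compare equal.
fn normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::CurDir => {}
            Component::ParentDir => { out.pop(); }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Pick the members that get an SBOM. `manifest_path` is the `--manifest-path`
/// value (absolute or relative to `cwd`); `None` means `<cwd>/Cargo.toml`.
pub fn select_members<'a>(
    members: &'a [Member],
    mode: WorkspaceSboms,
    manifest_path: Option<&Path>,
    cwd: &Path,
) -> Result<Vec<&'a Member>, String> {
    if mode == WorkspaceSboms::All {
        return Ok(members.iter().collect()); // existing behaviour: one SBOM per member
    }
    let target = normalize(&match manifest_path {
        Some(p) if p.is_absolute() => p.to_path_buf(),
        Some(p) => cwd.join(p),
        None => cwd.join("Cargo.toml"),
    });
    let hits: Vec<&Member> = members.iter()
        .filter(|m| normalize(&m.manifest_path) == target)
        .collect();
    if hits.is_empty() {
        // A virtual workspace root has a Cargo.toml but is not itself a member.
        return Err(format!(
            "{} is not a workspace member manifest (virtual workspace root?); use --workspace-sboms all",
            target.display()
        ));
    }
    Ok(hits)
}
```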
@codacy-production


Up to standards ✅

Issues: 0 new issues

Metrics: complexity 34, duplication 4


@Shnatsel (Contributor)

Just to make sure I understand this correctly: you want to emit a SBOM for only a single specific crate from the workspace, right?

Why are the other crates in the workspace an issue?

@salim-runsafe (Author)

Our use case is that we identify Cargo.tomls first and then iterate over them while specifying --override-filename. This allows us to identify the generated SBOMs amongst other files in a repo with certainty.

With the current upstream behavior this iteration generates the same SBOMs multiple times, once for each crate in the workspace.

Another solution to this problem would be if we could format the output of the command to something structured. Then we could parse the list of generated SBOMs and retrieve them.

@Shnatsel (Contributor)

Ah, it's the "match SBOM to the crate" problem.

Can we write the manifest path (path to Cargo.toml) into the SBOM file? Does that help?

@salim-runsafe (Author)

We would still need to be able to know which SBOMs were generated in a structured way, otherwise we're hunting JSON files for that manifest path to try and find a match.

We also need to account for monorepos with multiple unconnected cargo workspaces within them. Today in our fork we can search an entire directory for all Cargo.tomls and then generate SBOMs 1:1 with those tomls and know what we generated because we're specifying the filename with --override-filename. The workspaces end up becoming irrelevant to our purposes, which is nice because we don't need to have any special logic for them. We also don't have to worry about side effects generating files we then need to try and sift (syft?!) through to locate the correct SBOMs.

If we were to rely on the current upstream behavior we would end up having to come up with some clever parsing to distinguish workspaces from one another, then generate SBOMs per workspace, then identify the generated SBOMs and map them to each Cargo.toml which they describe.
