Support for -sys style crates #366

Open. ctron opened this issue Jan 9, 2023 · 0 comments

Labels: enhancement (New feature or request)

Comments

ctron (Contributor) commented Jan 9, 2023

Assuming one uses e.g. rdkafka, this pulls in rdkafka-sys, which actually contains librdkafka (a C library).

There are a bunch of dependencies which follow a -sys style pattern, adding C code to the Rust build. Such crates can sometimes be linked dynamically (re-using a system library), but sometimes they bring their own library.

In the case that such crates bring their own compiled version, I would expect to see the dependency on the SBOM too.

However, building a Rust application with this crate (using --all) I am not aware of the fact that this contains the code of librdkafka too:

$ cat bom.xml | grep kafka
    <component type="library" bom-ref="pkg:cargo/rdkafka@0.29.0">
      <name>rdkafka</name>
      <description>Rust wrapper for librdkafka</description>
      <purl>pkg:cargo/rdkafka@0.29.0</purl>
          <url>https://github.com/fede1024/rust-rdkafka</url>
    <component type="library" bom-ref="pkg:cargo/rdkafka-sys@4.3.0+1.9.2">
      <name>rdkafka-sys</name>
      <description>Native bindings to the librdkafka library</description>
      <purl>pkg:cargo/rdkafka-sys@4.3.0+1.9.2</purl>
          <url>rdkafka</url>
          <url>https://github.com/fede1024/rust-rdkafka</url>

The rdkafka-sys dependency looks like this:

    <component type="library" bom-ref="pkg:cargo/rdkafka-sys@4.3.0+1.9.2">
      <name>rdkafka-sys</name>
      <version>4.3.0+1.9.2</version>
      <description>Native bindings to the librdkafka library</description>
      <scope>required</scope>
      <licenses>
        <expression>MIT</expression>
      </licenses>
      <purl>pkg:cargo/rdkafka-sys@4.3.0+1.9.2</purl>
      <externalReferences>
        <reference type="other">
          <url>rdkafka</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/fede1024/rust-rdkafka</url>
        </reference>
      </externalReferences>
    </component>

It might be hard to provide an automatic way to discover this, so I think it might make sense to have the following two features:

  • Be able to attach additional (extra) dependencies to the SBOM. This would allow the developer to manually provide such information. If that would be stored in a file, alongside the crate, that could also be automatically generated.
  • Propagate such information in the dependency tree. Maybe this can be added as part of the metadata of a crate, so after resolving cargo dependencies, all extra-dependencies get added to the final result as well.
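The two features proposed above, sketched as an added example that is not part of the issue and not cargo-cyclonedx's own code: a crate (here rdkafka-sys) declares "extra" components it bundles, and after cargo resolution those components are merged into the SBOM once and linked from every crate that declares them in the dependency tree. The resolved graph, the sidecar declaration and the `pkg:generic/librdkafka@1.9.2` purl are constructed assumptions (the "+1.9.2" build metadata in the rdkafka-sys version is taken to name the bundled librdkafka release); the XML rendering uses only the std library.

```rust
use std::collections::BTreeMap;

/// One CycloneDX component plus the bom-refs it depends on.
/// Constructed example type; not the project's own data model.
#[derive(Clone, Debug, PartialEq)]
pub struct Component {
    pub bom_ref: String,
    pub name: String,
    pub version: String,
    pub purl: String,
    pub depends_on: Vec<String>,
}

impl Component {
    pub fn new(purl: &str, name: &str, version: &str, depends_on: &[&str]) -> Self {
        Component {
            bom_ref: purl.to_string(),
            name: name.to_string(),
            version: version.to_string(),
            purl: purl.to_string(),
            depends_on: depends_on.iter().map(|s| s.to_string()).collect(),
        }
    }
}

/// What cargo resolution yields for the issue's example
/// (constructed: app -> rdkafka -> rdkafka-sys).
pub fn resolved_crates() -> Vec<Component> {
    vec![
        Component::new("pkg:cargo/app@0.1.0", "app", "0.1.0", &["pkg:cargo/rdkafka@0.29.0"]),
        Component::new("pkg:cargo/rdkafka@0.29.0", "rdkafka", "0.29.0", &["pkg:cargo/rdkafka-sys@4.3.0+1.9.2"]),
        Component::new("pkg:cargo/rdkafka-sys@4.3.0+1.9.2", "rdkafka-sys", "4.3.0+1.9.2", &[]),
    ]
}

/// Hypothetical "extra dependencies" a crate would declare in a file next to
/// its Cargo.toml, keyed by the declaring crate's bom-ref. The generic purl
/// for the bundled librdkafka is a constructed placeholder.
pub fn extra_dependencies() -> BTreeMap<String, Vec<Component>> {
    let mut extras = BTreeMap::new();
    extras.insert(
        "pkg:cargo/rdkafka-sys@4.3.0+1.9.2".to_string(),
        vec![Component::new("pkg:generic/librdkafka@1.9.2", "librdkafka", "1.9.2", &[])],
    );
    extras
}

/// Merge extras into the resolved graph: each extra component is added once
/// (deduplicated by bom-ref) and linked from every crate in the build that
/// declares it. Extras declared by crates not in the build are ignored.
pub fn merge_extra_dependencies(
    resolved: &[Component],
    extras: &BTreeMap<String, Vec<Component>>,
) -> Vec<Component> {
    let mut merged: Vec<Component> = resolved.to_vec();
    for (owner_ref, deps) in extras {
        for extra in deps {
            match merged.iter_mut().find(|c| c.bom_ref == *owner_ref) {
                Some(owner) => {
                    if !owner.depends_on.contains(&extra.bom_ref) {
                        owner.depends_on.push(extra.bom_ref.clone());
                    }
                }
                None => continue,
            }
            if !merged.iter().any(|c| c.bom_ref == extra.bom_ref) {
                merged.push(extra.clone());
            }
        }
    }
    merged
}

fn xml_escape(s: &str) -> String {
    s.replace('&', "&amp;").replace('<', "&lt;").replace('>', "&gt;").replace('"', "&quot;")
}

/// Render the <components> and <dependencies> sections in CycloneDX XML shape.
pub fn render_cyclonedx(components: &[Component]) -> String {
    let mut out = String::from("<components>\n");
    for c in components {
        out.push_str(&format!(
            "  <component type=\"library\" bom-ref=\"{}\">\n    <name>{}</name>\n    <version>{}</version>\n    <purl>{}</purl>\n  </component>\n",
            xml_escape(&c.bom_ref), xml_escape(&c.name), xml_escape(&c.version), xml_escape(&c.purl)
        ));
    }
    out.push_str("</components>\n<dependencies>\n");
    for c in components {
        out.push_str(&format!("  <dependency ref=\"{}\">\n", xml_escape(&c.bom_ref)));
        for d in &c.depends_on {
            out.push_str(&format!("    <dependency ref=\"{}\"/>\n", xml_escape(d)));
        }
        out.push_str("  </dependency>\n");
    }
    out.push_str("</dependencies>\n");
    out
}

fn main() {
    let merged = merge_extra_dependencies(&resolved_crates(), &extra_dependencies());
    print!("{}", render_cyclonedx(&merged));
}
```

The merge is idempotent, so running it over an SBOM that already carries the extra component neither duplicates the component nor the dependency edge; that matters because a bundled C library can be declared by more than one -sys crate in the same build and should appear once, reachable from each of them, so that a vulnerability match on librdkafka can be traced back to every crate that ships it.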