From 5038587996931bcddaa41beb47bf3a11b31944d0 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Tue, 14 Nov 2023 22:00:16 +0000
Subject: [PATCH 1/5] Revert "Improve logging for kinds that are not binary or library"

Signed-off-by: Sergey "Shnatsel" Davidoff
---
 cargo-cyclonedx/src/generator.rs | 99 ++++++++++++++++----------------
 1 file changed, 48 insertions(+), 51 deletions(-)

diff --git a/cargo-cyclonedx/src/generator.rs b/cargo-cyclonedx/src/generator.rs
index b1b1e0cb..bb78a50e 100644
--- a/cargo-cyclonedx/src/generator.rs
+++ b/cargo-cyclonedx/src/generator.rs
@@ -182,63 +182,60 @@ impl SbomGenerator {
 let mut subcomponents: Vec = Vec::new();
 let mut subcomp_count: u32 = 0;
 for tgt in &package.targets {
- // Classification
 // Ignore tests, benches, examples and build scripts.
 // They are not part of the final build artifacts, which is what we are after.
- let cdx_type = match (tgt.is_bin(), tgt.is_lib()) {
- (true, false) => Classification::Application,
- (false, true) => Classification::Library,
- _ => {
- log::warn!(
- "Target {} is neither a binary nor a library! Kinds: {}",
- tgt.name,
- tgt.kind.join(", ")
- );
-
+ if !(tgt.is_bench() || tgt.is_example() || tgt.is_test() || tgt.is_custom_build()) {
+ // classification
+ let cdx_type = if tgt.is_bin() {
+ Classification::Application
+ } else if tgt.is_lib() {
+ Classification::Library
+ } else {
+ log::warn!("Target {} is neither a binary nor a library!", tgt.name);
 continue;
- } // Skip if neither a binary nor a library
- };
-
- // bom_ref
- let bom_ref = format!(
- "{} bin-target-{}",
- top_component.bom_ref.as_ref().unwrap(),
- subcomp_count
- );
- subcomp_count += 1;
-
- // create the subcomponent
- let mut subcomponent = Component::new(
- cdx_type,
- &tgt.name,
- &package.version.to_string(),
- Some(bom_ref),
- );
+ };
 
- // PURL subpaths are computed relative to the directory with the `Cargo.toml`
- // *for this specific package*, not the workspace root.
- // This is done because the tarball uploaded to crates.io only contains the package,
- // not the workspace, so paths resolved relatively to the workspace root would not be valid.
- //
- // When using a git repo that contains a workspace, Cargo will automatically select
- // the right package out of the workspace. Paths can then be resolved relatively to it.
- // So the information we encode here is sufficient to idenfity the file in git too.
- let package_dir = package
- .manifest_path
- .parent()
- .expect("manifest_path in `cargo metadata` output is not a file!");
- if let Ok(relative_path) = tgt.src_path.strip_prefix(package_dir) {
- subcomponent.purl =
- get_purl(package, package, &self.workspace_root, Some(relative_path)).ok();
- } else {
- log::warn!(
- "Source path \"{}\" is not a subpath of workspace root \"{}\"",
- tgt.src_path,
- self.workspace_root
+ // bom_ref
+ let bom_ref = format!(
+ "{} bin-target-{}",
+ top_component.bom_ref.as_ref().unwrap(),
+ subcomp_count
 );
- }
+ subcomp_count += 1;
+
+ // create the subcomponent
+ let mut subcomponent = Component::new(
+ cdx_type,
+ &tgt.name,
+ &package.version.to_string(),
+ Some(bom_ref),
+ );
+
+ // PURL subpaths are computed relative to the directory with the `Cargo.toml`
+ // *for this specific package*, not the workspace root.
+ // This is done because the tarball uploaded to crates.io only contains the package,
+ // not the workspace, so paths resolved relatively to the workspace root would not be valid.
+ //
+ // When using a git repo that contains a workspace, Cargo will automatically select
+ // the right package out of the workspace. Paths can then be resolved relatively to it.
+ // So the information we encode here is sufficient to idenfity the file in git too.
+ let package_dir = package
+ .manifest_path
+ .parent()
+ .expect("manifest_path in `cargo metadata` output is not a file!");
+ if let Ok(relative_path) = tgt.src_path.strip_prefix(package_dir) {
+ subcomponent.purl =
+ get_purl(package, package, &self.workspace_root, Some(relative_path)).ok();
+ } else {
+ log::warn!(
+ "Source path \"{}\" is not a subpath of workspace root \"{}\"",
+ tgt.src_path,
+ self.workspace_root
+ );
+ }
 
- subcomponents.push(subcomponent);
+ subcomponents.push(subcomponent);
+ }
 }
 top_component.components = Some(Components(subcomponents));
 top_component
From 16e0070a7ec771632eb92708edc790f63f8a7a06 Mon Sep 17 00:00:00 2001
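Review bot: The warning in the `else` branch of the `strip_prefix` check mislabels what was compared: the condition strips `package_dir`, but the message says "workspace root" and prints `self.workspace_root`, so whoever reads the log is pointed at the wrong directory (the removed side carried the same text, so the revert preserves it rather than introducing it). Suggest `"Source path \"{}\" is not a subpath of package directory \"{}\"", tgt.src_path, package_dir`. Since a target that hits `continue` is dropped from the SBOM and one that lands in this branch is emitted without a PURL, these warnings are the only trace that the inventory is incomplete, so they should name the right path. The restored PURL comment also still reads "idenfity" for "identify". The enclosing function begins and ends outside the hunk.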
From: "Sergey \"Shnatsel\" Davidoff"
Date: Tue, 14 Nov 2023 22:14:03 +0000
Subject: [PATCH 2/5] Recognize any library type (cdylib, etc) not just 'lib'

Signed-off-by: Sergey "Shnatsel" Davidoff
---
 cargo-cyclonedx/src/generator.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cargo-cyclonedx/src/generator.rs b/cargo-cyclonedx/src/generator.rs
index bb78a50e..5b3c7f6f 100644
--- a/cargo-cyclonedx/src/generator.rs
+++ b/cargo-cyclonedx/src/generator.rs
@@ -188,7 +188,7 @@ impl SbomGenerator {
 // classification
 let cdx_type = if tgt.is_bin() {
 Classification::Application
- } else if tgt.is_lib() {
+ } else if tgt.kind.iter().any(|kind| kind.contains("lib")) {
 Classification::Library
 } else {
 log::warn!("Target {} is neither a binary nor a library!", tgt.name);
From 4d886ef6272003e01e7e35514f6c82d1b5615f61 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Tue, 14 Nov 2023 22:15:43 +0000
Subject: [PATCH 3/5] Restore improved logging of unrecognized crate types

Signed-off-by: Sergey "Shnatsel" Davidoff
---
 cargo-cyclonedx/src/generator.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cargo-cyclonedx/src/generator.rs b/cargo-cyclonedx/src/generator.rs
index 5b3c7f6f..5dab2746 100644
--- a/cargo-cyclonedx/src/generator.rs
+++ b/cargo-cyclonedx/src/generator.rs
@@ -191,7 +191,11 @@ impl SbomGenerator {
 } else if tgt.kind.iter().any(|kind| kind.contains("lib")) {
 Classification::Library
 } else {
- log::warn!("Target {} is neither a binary nor a library!", tgt.name);
+ log::warn!(
+ "Target {} is neither a binary nor a library! Kinds: {}",
+ tgt.name,
+ tgt.kind.join(", ")
+ );
 continue;
 };
From 914e28c64f70d57083ebb73f178bfc181101efc3 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Tue, 14 Nov 2023 22:25:17 +0000
Subject: [PATCH 4/5] Also recognize proc macros as libraries

Signed-off-by: Sergey "Shnatsel" Davidoff
---
 cargo-cyclonedx/src/generator.rs | 3 +++
 1 file changed, 3 insertions(+)
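Review bot: `kind.contains("lib")` on the new `else if` in the PATCH 2/5 hunk is a substring test rather than a check against the crate types Cargo emits, so any target kind whose name merely contains "lib" is recorded in the SBOM as a Library and the "neither a binary nor a library" warning never fires for it. Downstream consumers act on the component type, so the classification should be exact; a closed list keeps the intent visible: `} else if tgt.kind.iter().any(|kind| matches!(kind.as_str(), "lib" | "rlib" | "dylib" | "cdylib" | "staticlib")) {`. The `let cdx_type` expression this arm belongs to closes outside the hunk.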
diff --git a/cargo-cyclonedx/src/generator.rs b/cargo-cyclonedx/src/generator.rs
index 5dab2746..a3ee5bd9 100644
--- a/cargo-cyclonedx/src/generator.rs
+++ b/cargo-cyclonedx/src/generator.rs
@@ -188,6 +188,9 @@ impl SbomGenerator {
 // classification
 let cdx_type = if tgt.is_bin() {
 Classification::Application
+ // sadly no .is_proc_macro() yet
+ } else if tgt.kind.iter().any(|kind| kind == "proc-macro") {
+ Classification::Library
 } else if tgt.kind.iter().any(|kind| kind.contains("lib")) {
 Classification::Library
 } else {
From 73ed4a81389d68c5ea1d4201ed9306e74a6fe133 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Tue, 14 Nov 2023 22:30:30 +0000
Subject: [PATCH 5/5] Silence Clippy

Signed-off-by: Sergey "Shnatsel" Davidoff
---
 cargo-cyclonedx/src/generator.rs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cargo-cyclonedx/src/generator.rs b/cargo-cyclonedx/src/generator.rs
index a3ee5bd9..77c3e74f 100644
--- a/cargo-cyclonedx/src/generator.rs
+++ b/cargo-cyclonedx/src/generator.rs
@@ -186,10 +186,12 @@ impl SbomGenerator {
 // They are not part of the final build artifacts, which is what we are after.
 if !(tgt.is_bench() || tgt.is_example() || tgt.is_test() || tgt.is_custom_build()) {
 // classification
+ #[allow(clippy::if_same_then_else)]
 let cdx_type = if tgt.is_bin() {
 Classification::Application
 // sadly no .is_proc_macro() yet
 } else if tgt.kind.iter().any(|kind| kind == "proc-macro") {
+ // There isn't a better way to express it with CycloneDX types
 Classification::Library
 } else if tgt.kind.iter().any(|kind| kind.contains("lib")) {
 Classification::Library
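Review bot: The `#[allow(clippy::if_same_then_else)]` added in the PATCH 5/5 hunk suppresses the lint instead of removing the duplication it reports: the `proc-macro` arm and the `contains("lib")` arm below it both evaluate to `Classification::Library`, so they can be a single arm and the attribute is no longer needed. Keeping the explanation in place: `// proc-macros are libraries too; CycloneDX has no more specific component type`, then `} else if tgt.kind.iter().any(|kind| kind == "proc-macro" || kind.contains("lib")) {` followed by `Classification::Library`. If the attribute stays, it should carry a comment saying why the arms are deliberately separate, since a bare `#[allow]` reads as an unexplained lint suppression. The `let cdx_type` expression and the enclosing `if` block both close outside the hunk.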