Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Record package hashes in the generated SBOM #620

Merged
merged 9 commits into from
Feb 25, 2024
Merged

Conversation

Shnatsel
Copy link
Contributor

@Shnatsel Shnatsel commented Feb 18, 2024

Requires Rust 1.77 or later because it relies on rust-lang/cargo#12914

Older Rust versions behave as before, i.e. the hashes are not recorded.

Builds on #619 because I didn't want to create editing conflicts with myself. I can rebase it if it doesn't go in.

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…h format and wire up emitting the data to the final SBOM

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel Shnatsel marked this pull request as ready for review February 18, 2024 01:02
@Shnatsel Shnatsel requested a review from a team as a code owner February 18, 2024 01:02
Copy link
Contributor

@lfrancke lfrancke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I looked at the code changes and those look good.
I only have 1.76 installed and train wifi won't allow me to download a newer version.
I'm happy to merge as is but if you prefer I can also test it next week.

@Shnatsel
Copy link
Contributor Author

In my testing it works, so I'm going to go ahead and merge it.

There is an edge case: if the registry URL contains parameters, the hash may not be recorded. That's because Cargo.lock does not encode parameters correctly right now (and what cargo metadata and cargo pkgid do is anyone's guess), but we'll get to that once the v4 Cargo.lock format which fixes it gets actually rolled out.

@Shnatsel Shnatsel merged commit a9ff97d into CycloneDX:main Feb 25, 2024
9 checks passed
@Shnatsel
Copy link
Contributor Author

I filed an issue about that so that it's tracked: #629

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants