
Integrate improvements from cargo cyclonedx? #129

Open
Shnatsel opened this issue Nov 13, 2023 · 3 comments
Comments


Shnatsel commented Nov 13, 2023

I have recently overhauled a similar tool, cargo cyclonedx. I think cargo sbom would benefit from some of the improvements I made there, specifically:

  • The ability to generate the SBOM for a specific platform with --target
  • The ability to select Cargo features via Cargo-compatible flags such as --no-default-features, --all-features, --features=.... Right now cargo sbom always records the dependency tree for all features.
  • Inclusion of the git and custom registry URLs into the PURL (there are qualifiers for it defined in the specification)
  • Record the binary targets of the toplevel package (e.g. fd-find package has the binary called fd, some packages have multiple binaries)

I am not familiar with the SPDX format so I am not sure if these items also apply there.

Would you be interested in integrating similar changes into cargo sbom? I could probably open pull requests for at least some of this.

psastras (Owner) commented

@Shnatsel sorry to miss this, yes, features has been something that's been on the back of my mind for a while. I'm happy if you want to propose changes, else if you can point me to the impl (I can probably browse around for it) I can probably find some time to incorporate.


Shnatsel commented Jul 11, 2024

I am no longer paid to work on Rust SBOM tooling, so I cannot open PRs myself anymore. But I am happy to point you to the equivalent code in cargo cyclonedx or answer any questions about the implementation!

The --target and feature selection are the easiest to implement - all it takes is passing the right command-line flags to cargo metadata. That's a very small change: https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/2911287b2520a7ddab1782b48c35112279b1be17/cargo-cyclonedx/src/main.rs#L131-L165
Or here are the PRs if you prefer to look at the diffs: CycloneDX/cyclonedx-rust-cargo#512 CycloneDX/cyclonedx-rust-cargo#513

The PURL construction is also very easy. It's just 85 lines, the rest is tests:
https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/2911287b2520a7ddab1782b48c35112279b1be17/cargo-cyclonedx/src/purl.rs#L1-L85 plus a few lines for percent encoding: https://github.com/Shnatsel/cyclonedx-rust-cargo/blob/main/cargo-cyclonedx/src/urlencode.rs (custom encoding is not needed if you use the purl crate v0.1.3 or later, but it is needed if you're using the packageurl crate).
Or in diff form: CycloneDX/cyclonedx-rust-cargo#523

Recording multiple binaries for a crate is not hard either: CycloneDX/cyclonedx-rust-cargo#533
While this is more complete and correct than what cargo sbom does now, we've found that users find this confusing, and prefer to have an SBOM for each binary individually rather than for a whole crate. Emitting a separate SBOM for each binary and correctly handling all the edge cases was the only feature that required a fairly substantial refactoring: CycloneDX/cyclonedx-rust-cargo#619, although I've later revamped the CLI in CycloneDX/cyclonedx-rust-cargo#634

Another easy but highly desirable feature I didn't list in the initial post would be recording hashes in the SBOM: CycloneDX/cyclonedx-rust-cargo#620
It only became possible recently, in Cargo 1.77.
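The two easiest items from the list in the opening post, target/feature selection and PURL qualifiers for non-crates.io sources, are small enough to show in one self-contained snippet. The code below is an added example written for this thread; it is not code from cargo-sbom or cargo-cyclonedx, and it uses only the Rust standard library. It assumes the `source` strings that `cargo metadata` reports for packages (`registry+<index-url>`, `sparse+<index-url>`, `git+<url>?<selector>#<commit>`, or absent for path dependencies); the flag names passed to `cargo metadata` are real Cargo flags, and the qualifier-value encoding follows the purl specification's own `vcs_url` example, where `+` and `@` are percent-encoded but `:` and `/` are not.

```rust
// Added example for this issue thread (not cargo-sbom's or cargo-cyclonedx's code).
// Standard library only, so it builds with plain rustc.
use std::process::Command;

/// Feature selection mirroring Cargo's own command-line flags.
#[derive(Debug, Default, Clone)]
pub struct FeatureSelection {
    pub all_features: bool,
    pub no_default_features: bool,
    pub features: Vec<String>,
}

/// Build the argument list for `cargo metadata` so that the resolved
/// dependency graph matches one target triple and one feature set instead of
/// the union of everything. `--filter-platform`, `--all-features`,
/// `--no-default-features` and `--features` are real `cargo metadata` flags.
pub fn metadata_args(target: Option<&str>, sel: &FeatureSelection) -> Vec<String> {
    let mut args: Vec<String> = vec!["metadata".into(), "--format-version".into(), "1".into()];
    if let Some(triple) = target {
        args.push("--filter-platform".into());
        args.push(triple.to_string());
    }
    if sel.all_features {
        args.push("--all-features".into());
    }
    if sel.no_default_features {
        args.push("--no-default-features".into());
    }
    if !sel.features.is_empty() {
        args.push("--features".into());
        args.push(sel.features.join(","));
    }
    args
}

/// Run `cargo metadata` with the arguments above and return its JSON output.
/// Not exercised offline; shown so the argument builder is used end to end.
pub fn run_cargo_metadata(target: Option<&str>, sel: &FeatureSelection) -> std::io::Result<String> {
    let out = Command::new("cargo").args(metadata_args(target, sel)).output()?;
    if !out.status.success() {
        return Err(std::io::Error::new(std::io::ErrorKind::Other, "cargo metadata failed"));
    }
    Ok(String::from_utf8_lossy(&out.stdout).into_owned())
}

/// Percent-encode a purl qualifier value. Unreserved characters plus ':' and
/// '/' are kept; everything else ('+', '@', '?', '#', '%', spaces, ...) is
/// encoded, matching the `vcs_url` example in the purl specification.
pub fn encode_qualifier_value(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' | b':' | b'/' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the purl for a Cargo package from its name, version and the `source`
/// string reported by `cargo metadata` (`None` for path dependencies).
/// Crate names are restricted to alphanumerics, '-' and '_', so the name and
/// version need no extra encoding here. Sample source strings in the tests are
/// constructed to look like Cargo's; the two crates.io spellings below are the
/// ones Cargo uses for its git index and its sparse index.
pub fn cargo_purl(name: &str, version: &str, source: Option<&str>) -> String {
    let base = format!("pkg:cargo/{name}@{version}");
    let Some(src) = source else { return base };
    const CRATES_IO: &[&str] = &[
        "registry+https://github.com/rust-lang/crates.io-index",
        "sparse+https://index.crates.io/",
    ];
    if CRATES_IO.contains(&src) {
        return base; // the default registry carries no qualifier
    }
    if let Some(url) = src.strip_prefix("registry+").or_else(|| src.strip_prefix("sparse+")) {
        // Custom registry: record the index URL so the package can be located.
        return format!("{base}?repository_url={}", encode_qualifier_value(url));
    }
    if let Some(rest) = src.strip_prefix("git+") {
        // Cargo puts the pinned commit after '#' and branch/tag/rev selectors
        // in the query; purl's vcs_url wants "git+<url>@<commit>".
        let (url_and_query, commit) = match rest.split_once('#') {
            Some((u, c)) => (u, Some(c)),
            None => (rest, None),
        };
        let url = url_and_query.split_once('?').map(|(u, _)| u).unwrap_or(url_and_query);
        let vcs = match commit {
            Some(c) => format!("git+{url}@{c}"),
            None => format!("git+{url}"),
        };
        return format!("{base}?vcs_url={}", encode_qualifier_value(&vcs));
    }
    base // unknown source kind: fall back to the bare purl rather than guess
}

fn main() {
    let sel = FeatureSelection { no_default_features: true, features: vec!["tls".into()], ..Default::default() };
    println!("{:?}", metadata_args(Some("x86_64-unknown-linux-gnu"), &sel));
    println!("{}", cargo_purl("foo", "0.3.1", Some("git+https://github.com/example/foo?branch=main#0123456789abcdef")));
}
```

The point of threading the flags through to `cargo metadata` is that the SBOM then describes what was actually built for one target and feature set; the PURL qualifiers matter because a bare `pkg:cargo/name@version` silently claims the package came from crates.io, which is wrong for vendored git dependencies and private registries.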


psastras commented Jul 16, 2024

@Shnatsel thanks!

I'm not paid to work on this either, hence the slow replies and work, will take a look!
