
Stabilize Cargo SBOM precursor

Metadata

Point of contact: Sergey Davidoff
Status: Proposed for mentorship
Flagship: Secure your supply chain
Tracking issue:
Other tracking issues: https://github.com/rust-lang/cargo/issues/16565
Zulip channel: N/A
Stabilization: true
Teams: cargo
Task owners: (none)

Summary

Progress towards an MVP version of Cargo SBOM support by resolving known issues in Cargo’s SBOM precursor feature and finalizing the RFC.

Motivation

A Software Bill of Materials (SBOM) is a list of a project's dependencies and their versions, analogous to Cargo.lock but in a format standardized across programming languages. SBOMs enable supply chain transparency and make it easy to identify dependencies with known vulnerabilities.

SBOMs are turning from a best practice into a mandatory requirement. In the US, Executive Order 14028 requires vendors selling software to the federal government to provide a Software Bill of Materials for each product. In the EU, the Cyber Resilience Act mandates that any product with “digital elements” sold in the EU include an SBOM in its technical documentation; its vulnerability-reporting obligations begin in September 2026, with full compliance required by December 2027. Many other jurisdictions have similar regulations.

The status quo

The crucial missing piece for SBOM generation for Rust+Cargo projects is accurate reporting of the dependency tree actually used in a build. cargo metadata falls short in several ways: it describes the resolved workspace graph rather than one specific build, so it cannot say exactly which packages, versions and features a given invocation compiled (for example, which platform-specific, optional or build-only dependencies were involved). Depending on how a tool filters that graph, the reported dependency tree ends up with either false negatives (dependencies that were compiled but omitted) or false positives (dependencies that were listed but never compiled).

The SBOM precursor feature in Cargo addresses this by recording, for each build, the exact dependency graph that build used. However, it is nightly-only, not yet widely used, and has at least one known issue (see the Cargo tracking issue linked in the metadata above).

Inaccurate SBOMs lead to false positives in vulnerability scans, to missed vulnerable dependencies, and to compliance problems.
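As an added example (not Cargo's own code, nor cargo-cyclonedx's), the Python script below shows the processing an SBOM generator still has to do on top of a per-build dependency record such as the precursor: start at the build's root unit, walk the graph, separate packages linked into the artifact from packages used only by build scripts, deduplicate packages that were compiled more than once, and emit the name, version and purl fields an SBOM needs. The input is a constructed document; its shape (a flat `crates` array with index-based dependency edges and a `root` index) is an assumption modelled on the precursor's output, and the package names, versions and `normal`/`build` edge kinds are made up for the example.

```python
"""Added example (not Cargo's or cargo-cyclonedx's code): walk a Cargo
SBOM-precursor-style build graph and list the packages an SBOM should contain,
split into packages linked into the artifact and packages used only at build time."""
import json
from collections import deque

# Constructed sample input. Its shape, a flat `crates` array whose entries name
# their dependencies by index plus a `root` index, is modelled on Cargo's
# unstable `-Zsbom` precursor output but is an assumption for this example,
# not a copy of real Cargo output. Package ids use Cargo's package id spec
# syntax; the packages and versions are made up.
CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"
SAMPLE_PRECURSOR = json.dumps({
    "version": 1,
    "root": 0,
    "target": "x86_64-unknown-linux-gnu",
    "crates": [
        {"package_id": "path+file:///app#0.1.0", "kind": ["bin"],
         "features": ["default"],
         "dependencies": [{"index": 1, "kind": "normal"},
                          {"index": 3, "kind": "build"}]},
        {"package_id": f"{CRATES_IO}#libfoo@1.2.3", "kind": ["lib"],
         "features": ["std"],
         "dependencies": [{"index": 2, "kind": "normal"}]},
        {"package_id": f"{CRATES_IO}#libbar@0.4.0", "kind": ["lib"],
         "features": [], "dependencies": []},
        # app's build script: compiled for the host, never linked into the binary.
        {"package_id": "path+file:///app#0.1.0", "kind": ["custom-build"],
         "features": [],
         "dependencies": [{"index": 4, "kind": "normal"}]},
        {"package_id": f"{CRATES_IO}#cc@1.1.0", "kind": ["lib"],
         "features": [], "dependencies": []},
    ],
})


def classify_packages(precursor_json: str) -> dict[str, str]:
    """Return {package_id: "runtime" | "build-only"} for every package reachable
    from the root unit.

    A package is "runtime" if some path from the root reaches it over normal
    dependency edges only; a package reachable only through a build edge (the
    build script and everything it pulls in) is "build-only". Units are
    deduplicated by package id, because one package can be compiled more than
    once in a build (here `app` appears as both a bin and a custom-build unit).
    """
    doc = json.loads(precursor_json)
    crates = doc["crates"]
    reached = {}  # unit index -> True if reached over a runtime-only path
    queue = deque([(doc["root"], True)])
    while queue:
        idx, runtime = queue.popleft()
        # Skip if already seen, unless this visit upgrades build-only to runtime.
        if idx in reached and (reached[idx] or not runtime):
            continue
        reached[idx] = runtime
        for dep in crates[idx]["dependencies"]:
            queue.append((dep["index"], runtime and dep["kind"] == "normal"))
    result = {}
    for idx, runtime in reached.items():
        pkg = crates[idx]["package_id"]
        if runtime or pkg not in result:
            result[pkg] = "runtime" if runtime else "build-only"
    return result


def split_package_id(package_id: str) -> tuple[str, str, str]:
    """Split a package id spec, `source#name@version` or `source#version` (the
    short form is used when the name equals the last path segment of the
    source URL), into (source, name, version)."""
    source, _, rest = package_id.rpartition("#")
    if "@" in rest:
        name, _, version = rest.partition("@")
    else:
        name, version = source.rstrip("/").rsplit("/", 1)[-1], rest
    return source, name, version


def sbom_entries(precursor_json: str) -> list[dict]:
    """Turn the classified packages into the fields an SBOM generator needs.
    Only crates.io packages get a `pkg:cargo/<name>@<version>` purl; a path
    package is local and has nothing a vulnerability scanner could look up."""
    entries = []
    for pkg, kind in classify_packages(precursor_json).items():
        source, name, version = split_package_id(pkg)
        purl = f"pkg:cargo/{name}@{version}" if source == CRATES_IO else None
        entries.append({"name": name, "version": version,
                        "purl": purl, "dependency_kind": kind})
    return sorted(entries, key=lambda e: (e["name"], e["version"]))


if __name__ == "__main__":
    print(json.dumps(sbom_entries(SAMPLE_PRECURSOR), indent=2))
```

The runtime versus build-only split is exactly the information a per-build record can provide and a workspace-wide view cannot: the `cc` package here is a dependency of the build script alone, so a scanner alert against it concerns the build environment, not the shipped binary. Running the script prints four entries; `app` appears once despite being compiled twice.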

What we propose to do about it

  1. Complete the RFC for this feature and get it accepted
  2. Resolve the already known issue(s) in the Cargo SBOM precursor feature
  3. Modify cargo-cyclonedx to use the Cargo SBOM precursor as a data source, to prove that it can be used to generate a complete and accurate SBOM in an industry standard format
  4. Address any issues in the Cargo SBOM precursor feature that point 3 uncovers
  5. Stabilize the MVP that is sufficient to power cargo-cyclonedx and cargo-auditable

Work items over the next year

Task | Owner(s) | Notes
Complete the RFC | Sergey Davidoff et al. |
Resolve known issues | Sergey Davidoff et al. |
Convert cargo-cyclonedx to use the SBOM precursor | Sergey Davidoff et al. | Outside the Rust Project repositories; no Rust Project mentorship needed
Resolve newly uncovered issues | Sergey Davidoff et al. |
Stabilize the MVP | Sergey Davidoff et al. |

I am in the process of applying for funding for this work, together with collaborators I’m not sure I can disclose. The amount of time we can dedicate to the project will depend on the outcome of that application. It is possible that the funding will only materialize in the second half of the year or not at all.

Team asks

We will need:

  • Guidance to get the RFC finalized and accepted
  • A handful of 30-minute design meetings with someone on the Cargo team to guide fixing the implementation issues
  • Guidance on the stabilization process

Team | Support level | Notes
cargo | Medium |

Frequently asked questions

TODO - will fill in based on the review comments