feat: implement RFC 3553 to add SBOM support

[justahero]

What does this PR try to resolve?

This PR is an implementation of RFC 3553 to add support to generate pre-cursor SBOM files for compiled artifacts in Cargo.

How should we test and review this PR?

The RFC 3553 adds a new option to Cargo to emit SBOM pre-cursor files. A project can be configured either by the new Cargo config field sbom.

# .cargo/config.toml
[build]
sbom = true

or using the environment variable CARGO_BUILD_SBOM=true. The sbom option is an unstable feature and requires the -Zsbom flag to enable it.

Check out this branch & compile Cargo. Pick a Cargo project to test it on, then run:

CARGO_BUILD_SBOM=true <path/to/compiled/cargo>/target/debug/cargo build -Zsbom

All generated *.cargo-sbom.json files are located in the target folder alongside their artifacts. To list all generated files use:

find ./target -name "*.cargo-sbom.json"

then check their content. To see the current output format, see these examples.

What does the PR not solve?

The PR leaves a task(s) open that are either out of scope or should be done in a follow-up PRs.

• does not address Duplicate artifact tracking issue. #6313 (see comment)

Additional information

There are a few things that I would like to get feedback on, in particular the generated JSON format is not final. Currently it holds the information listed in the RFC 3553, but it could be further enriched with information only available during builds.

During the implementation a number of questions arose:

• Should the graph be packages or crates?
  • The unit graph that the SBOM is based on is units. The current SBOM graph is identical to the unit graph, with the run build script nodes merged with building build scripts.
  • Artifact dependencies may impact this
• Which outputs should get SBOMs files?
  • Currently: executables (including examples and tests), dylib, cdylib, staticlib
• How do we refer to "normal" dependencies? feat: implement RFC 3553 to add SBOM support #13709 (comment)
• What case should we use? feat: implement RFC 3553 to add SBOM support #13709 (comment)
• Should this be build.sbom or profile.*.sbom
• Is sbom the right name for this?

Thanks @arlosi, @RobJellinghaus and @lfrancke for initial guidance & feedback.

• RFC: #RFC: cargo-sbom rfcs#3553

[rustbot]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks.

Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (S-waiting-on-review and S-waiting-on-author) stays updated, invoking these commands when appropriate:

• @rustbot author: the review is finished, PR author should check the comments and take action accordingly
• @rustbot review: the author is ready for a review, this PR will be queued again in the reviewer's queue

[heisen-li]

Much respect for your contribution.

From my kind reminders, it seems appropriate to modify the documentation of the corresponding sections, e.g. Configuration, Environment Variables.

[weihanglo]

Thanks for the reminder, @heisen-li. Would love to see a doc update, though we should probably focus on the design discussion first, as the location of the configuration is not yet decided. (See rust-lang/rfcs#3553 (comment)).

[epage]

One approach for the docs (if this is looking to be merged) is to put the env and config documentation fragments in the Unstable docs.

[weihanglo]

Just note that I reviewed this as-is, didn't really think too much for the design itself. Thank you for working on this!

[bors]

☔ The latest upstream changes (presumably #13571) made this pull request unmergeable. Please resolve the merge conflicts.

[weihanglo]

Now I like the idea of having this PR to explore SBOM format. I'll post back issues we've found so far to the RFC. Thank you :)

[bors]

☔ The latest upstream changes (presumably #13992) made this pull request unmergeable. Please resolve the merge conflicts.

[justahero]

Rebased the PR.

[bors]

☔ The latest upstream changes (presumably #13900) made this pull request unmergeable. Please resolve the merge conflicts.

[bors]

☔ The latest upstream changes (presumably #13947) made this pull request unmergeable. Please resolve the merge conflicts.

[bors]

☔ The latest upstream changes (presumably #14576) made this pull request unmergeable. Please resolve the merge conflicts.

[arlosi]

I've the PR to address most of the feedback from @epage. Thanks!

I re-wrote the algorithm for building the sbom graph and made changes to the format. There's also now documentation for the format in unstable.md that should help reviewers understand what it's looking like.
 
Before merging, I still want to add more test coverage for additional cases.

[arlosi]

Currently packages, since the crates within the package should have the same dependency set & profile if compiled in the same invocation. The existing algorithm is merging units within the same package.

If there's a reason to move to crates instead and have more nodes in the graph, I'm open to that, but I currently don't see one.

[arlosi]

I've updated the PR and it should be ready for another round of review. Notable changes include:

• The graph is no longer combining dependencies within the same package. This means that things like libs and build scripts within a package get unique nodes in the graph.
• The SBOM is listed in the JSON output as an output file.
• Added a test for RUSTC_WRAPPER

[justahero]

Huge thank you @arlosi & to the cargo team for investing the time & effort to get this feature integrated. 🎉

[nazar-pc]

Is this supposed to work with cargo rustc (I hope so)? It doesn't complain about the option, but doesn't produce *.cargo-sbom.json file either, while cargo build does.

[weihanglo]

IIRC that hasn't yet been discussed, but personally I think it should