{"id":25651303,"url":"https://github.com/psastras/sbom-rs","last_synced_at":"2025-04-15T22:06:54.190Z","repository":{"id":178624747,"uuid":"662143628","full_name":"psastras/sbom-rs","owner":"psastras","description":"A group of Rust projects for interacting with and producing software bill of materials (SBOMs).","archived":false,"fork":false,"pushed_at":"2024-08-12T14:54:33.000Z","size":440,"stargazers_count":30,"open_issues_count":16,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-15T22:06:12.517Z","etag":null,"topics":["bom","cargo","cyclonedx","rust","sbom","spdx"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/psastras.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-07-04T12:56:08.000Z","updated_at":"2025-04-12T09:55:30.000Z","dependencies_parsed_at":"2024-01-16T12:47:37.013Z","dependency_job_id":"4d661aed-a160-4e27-9973-a15e74768c5b","html_url":"https://github.com/psastras/sbom-rs","commit_stats":{"total_commits":178,"total_committers":2,"mean_commits":89.0,"dds":0.1629213483146067,"last_synced_commit":"0bc7a5e544f49fbf072bd3d83f1b32fabae066c2"},"previous_names":["psastras/sbom-rs"],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psastras%2Fsbom-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psastras%2Fsbom-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psastras%2Fsbom-rs/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/psastras%2Fsbom-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/psastras","download_url":"https://codeload.github.com/psastras/sbom-rs/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249161344,"owners_count":21222474,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bom","cargo","cyclonedx","rust","sbom","spdx"],"created_at":"2025-02-23T16:54:56.081Z","updated_at":"2025-04-15T22:06:53.936Z","avatar_url":"https://github.com/psastras.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Workflow Status](https://github.com/psastras/sbom-rs/workflows/main/badge.svg)](https://github.com/psastras/sbom-rs/actions?query=workflow%3A%22main%22)\n[![codecov](https://codecov.io/gh/psastras/sbom-rs/branch/main/graph/badge.svg?token=KSXYAZGS5U)](https://codecov.io/gh/psastras/sbom-rs)\n\n# sbom-rs\n\nA group of Rust projects for interacting with and producing software bill of materials (SBOMs).\n\n## Examples\n\n### cargo-sbom\n\n#### Create a SPDX SBOM for a Cargo project\n\nIn a shell:\n\n```shell\n$ cargo sbom\n{\n  \"SPDXID\": \"SPDXRef-DOCUMENT\",\n  \"creationInfo\": {\n    \"created\": \"2023-07-04T12:38:15.211Z\",\n    \"creators\": [\n      \"Tool: cargo-sbom-v0.9.1\"\n    ]\n  },\n  \"dataLicense\": \"CC0-1.0\",\n  \"documentNamespace\": \"https://docs.rs/cargo_sbom/spdxdocs/cargo-sbom-0.9.1-9cae390a-4b46-457c-95b9-e59a5e62b57d\",\n  \"files\": [\n    {\n  \u003crest of output 
omitted\u003e\n```\n\n#### Create a CycloneDX SBOM in GitHub Actions\n\nIn a GitHub Actions workflow:\n\n```yaml\njobs:\n  sbom:\n    runs-on: ubuntu-latest\n    steps:\n    - uses: actions/checkout@v3\n    - uses: psastras/sbom-rs/actions/install-cargo-sbom@cargo-sbom-latest\n    - name: Run cargo-sbom\n      run: cargo-sbom --output-format=cyclone_dx_json_1_4\n```\n\n#### Check Dependencies against the Open Source Vulnerability Database (OSV)\n\nAssuming `osv-scanner` is installed (see [https://osv.dev/](https://osv.dev/)):\n\n```shell\n$ cargo-sbom \u003e sbom.spdx.json\n$ osv-scanner --sbom=sbom.spdx.json\nScanned sbom.json as SPDX SBOM and found 91 packages\n╭─────────────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────╮\n│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE    │\n├─────────────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────┤\n│ https://osv.dev/GHSA-wcg3-cvx6-7396 │ 6.2, │ crates.io │ time    │ 0.1.45  │ sbom.json │\n│ https://osv.dev/RUSTSEC-2020-0071   │ 6.2  │           │         │         │           │\n╰─────────────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────╯\n```\n\n## Install\n\n### cargo-sbom\n\n`cargo-sbom` may be installed via `cargo`, [cargo-binstall](https://github.com/cargo-bins/cargo-binstall) or directly downloaded from the\ncorresponding GitHub release.\n\n#### Cargo\n\n```shell\ncargo install cargo-sbom\n```\n\n#### Cargo-binstall\n\n```shell\ncargo binstall cargo-sbom\n```\n\n#### GitHub Releases\n\nThe latest version is\n[continuously published and tagged](https://github.com/psastras/sbom-rs/releases).\n\nUsing `curl`,\n\n```shell\n# make sure to adjust the target and version (you may also want to pin to a specific version)\ncurl -sSL https://github.com/psastras/sbom-rs/releases/download/cargo-sbom-latest/cargo-sbom-x86_64-unknown-linux-gnu -o cargo-sbom\n```\n\n## Documentation\n\nSee each subproject for more
detailed information:\n\n- `cargo-sbom`: CLI tool to produce an SBOM from a Cargo workspace.\n  See the [Rust documentation](https://docs.rs/cargo_sbom/).\n- `serde-cyclonedx`: Typesafe CycloneDX structures for serializing and deserializing\n  CycloneDX information using [serde](https://serde.rs/). See the\n  [Rust documentation](https://docs.rs/serde_cyclonedx/).\n- `serde-spdx`: Typesafe SPDX structures for serializing and deserializing\n  SPDX information using [serde](https://serde.rs/). See the\n  [Rust documentation](https://docs.rs/serde_spdx/).\n- `actions`: GitHub Actions to use `cargo-sbom` and related tools in CI workflows. See the [README.md](https://github.com/psastras/sbom-rs/tree/main/actions/README.md) for documentation.\n\n[Also check the examples.](https://github.com/psastras/sbom-rs/tree/main/examples)\n\n## Development\n\nBefore you begin, ensure the following programs are available on your machine:\n\n- [`cargo`](https://rustup.rs/)\n\nAssuming `cargo` is installed on your machine, the standard `cargo` commands can\nbe run to build and test all projects in the workspace:\n\n```shell\ncargo build\ncargo test\n```\n\nFor more information on specific configurations, refer to the\n[`cargo` documentation](https://doc.rust-lang.org/cargo).\n\n### Releasing\n\nTo release a new version (publish to crates.io), prefix the head commit with `release:` and update the relevant Rust crate versions. Once merged into main, the pipeline should pick up the change and publish a new version.\n\nLicense: MIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsastras%2Fsbom-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpsastras%2Fsbom-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsastras%2Fsbom-rs/lists"}