[Feature Request]: Add support for building BOMs from cargo build's --build-plan output

[platten]

Context:

I am working on the enarx project which supports different feature sets/dependency graphs based on which features and/or binary targets we are compiling for (e.g. for Windows/MacOS/AARCH64 we do not include the enarx-shim-sgx and enarx-shim-kvm binary-dependency subcrates from our workspace). One way to see the differences is on the dependencies used for the various targets/enabled features is to run cargo build -Z unstable-options --build-plan | jq '.inputs' which outputs a list of paths to the Cargo.toml used for building a binary.

Request:

I would recommend a mode for cargo cyclonedx which could take parameters that would be used when running cargo build (target, features, etc), use that to generate a build-plan, and use the inputs from that buildplan to construct a BOM.

Thoughts?

[amy-keibler]

Thank you for requesting this enhancement. I think the idea is worth investigating. From a brief review, I see that the tracking issue for the --build-plan option, links to a cargo issue that recommends removing the flag. I've subscribed to both issues to see if there is any progress on what would replace it.

Adding my initial thoughts below so they don't get lost when I have time to investigate this in more depth. Feel free to add follow-up thoughts or ask any questions

Ideally, with this change, cargo-cyclonedx would (in order of priority):

1. Behave correctly with as few required user inputs as possible
   • e.g. when compiling on windows, only include dependencies that are used in that compilation
   • Have a way to support different targets for cross-compilation
   • Have a way to support feature flags and other overrides that cargo enables during compilation
   • Consider if it makes sense to enable the user to generate a full BOM that includes a range of target compilations
2. Not depend on cargo features with uncertain futures
3. Work on stable releases of Rust / not require nightly

Other tools in this space to investigate for ideas

• cargo-guppy
• an RFC for rustc to embed dependency version into compiled binaries directly

[jadamcrain]

I've been doing something similar to create my own BOMs and license reports, namely use the types in cargo-metadata to parse the JSON output of the build.

I really like this approach because it is the "ground truth" of what is actually happening in the build.

One challenge is sorting through the artifacts that are build-only vs things that actually make it into the compiled binary. Many of these things are just dependencies to compile build.rs for dependencies of the main crate.

One thing that's great about this approach is that it respects cargo features. If I build with a subset of features, only the dependencies under that configuration go into the BOM.

[Shnatsel]

Build-plan is nightly-only, but I've added the ability to select the right features in #512 and the right target in #513, and also ported the tool to cargo metadata in #496 so that we won't diverge from Cargo's ground truth.