You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A rust build can produce various artifacts in the /target folders.
The SBOMs might have different names (e.g. bom.xml or the name of the package) and it's not trivial (without parsing the SBOMs) to automatically map/match the artifact to the SBOM in question.
A second, related issue (I can split it into a separate issue) is that the metadata -> component -> name might be an "internal artifact" and not the name of the actual final product as used in the outside world (e.g. vulnerabilities might be filed against the "official" name or the "binary" name but not the package/crate name).
The "correct" name might be available as a subcomponent of metadata -> component but it's not obvious to tools which the actual thing is we're talking about (e.g. a vulnerabilty might exist in a binary but not in the library).
The only thing I can think of is to actually do create a separate SBOM file per generated artifact. That is overhead and duplication but I don't see a better way of doing this.
This was my attempt at doing this in the past and it might still be what I need: #441
The text was updated successfully, but these errors were encountered:
A rust build can produce various artifacts in the
/targetfolders.The SBOMs might have different names (e.g.
bom.xmlor the name of the package) and it's not trivial (without parsing the SBOMs) to automatically map/match the artifact to the SBOM in question.A second, related issue (I can split it into a separate issue) is that the
metadata -> component -> namemight be an "internal artifact" and not the name of the actual final product as used in the outside world (e.g. vulnerabilities might be filed against the "official" name or the "binary" name but not the package/crate name).The "correct" name might be available as a subcomponent of
metadata -> componentbut it's not obvious to tools which the actual thing is we're talking about (e.g. a vulnerabilty might exist in a binary but not in the library).The only thing I can think of is to actually do create a separate SBOM file per generated artifact. That is overhead and duplication but I don't see a better way of doing this.
This was my attempt at doing this in the past and it might still be what I need: #441
The text was updated successfully, but these errors were encountered: