·
2 commits
to main
since this release
Release Notes
Added
- Cargo.lock v4 format stabilized in Rust 1.78 is now supported. ([#772]) Previously the SBOM would be generated but package hashes would not be recorded in presence of v4 lockfiles.
- The
component.authorfield is now set to comma-separated list of authors ([#770]). We'd like to usecomponent.authorsinstead once CycloneDX v1.6 is supported.
Install cargo-cyclonedx 0.5.7
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.7/cargo-cyclonedx-installer.sh | shInstall prebuilt binaries via powershell script
powershell -c "irm https://github.com/CycloneDX/cyclonedx-rust-cargo/releases/download/cargo-cyclonedx-0.5.7/cargo-cyclonedx-installer.ps1 | iex"Download cargo-cyclonedx 0.5.7
| File | Platform | Checksum |
|---|---|---|
| cargo-cyclonedx-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| cargo-cyclonedx-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| cargo-cyclonedx-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| cargo-cyclonedx-x86_64-unknown-linux-gnu.tar.xz | x64 Linux | checksum |
| cargo-cyclonedx-x86_64-unknown-linux-musl.tar.xz | x64 MUSL Linux | checksum |
Verifying GitHub Artifact Attestations
The artifacts in this release have attestations generated with GitHub Artifact Attestations. These can be verified by using the GitHub CLI:
gh attestation verify <file-path of downloaded artifact> --repo CycloneDX/cyclonedx-rust-cargoYou can also download the attestation from GitHub and verify against that directly:
gh attestation verify <file-path of downloaded artifact> --bundle <file-path of downloaded attestation>