feat: Add cargoaudit extractor to artifacts (#1770)

another-rex · web-flow · commit a22536cd606a · 2025-04-01T11:19:28.000+11:00
Enable the cargoaudit extractor in container scanning
diff --git a/docs/supported_languages_and_lockfiles.md b/docs/supported_languages_and_lockfiles.md
@@ -30,15 +30,16 @@ We found that when performing different forms of scanning, you are generally int
 
 When scanning container images (`osv-scanner scan image ...`), OSV-Scanner automatically extracts and analyzes the following artifacts:
 
-| Source                          | Example files                      |
-| ------------------------------- | ---------------------------------- |
-| Alpine APK packages             | `/lib/apk/db/installed`            |
-| Debian/Ubuntu dpkg/apt packages | `/var/lib/dpkg/status`             |
-|                                 |                                    |
-| Go Binaries                     | `main-go`                          |
-| Java Uber `jars`                | `my-java-app.jar`                  |
-| Node Modules                    | `node-app/node_modules/...`        |
-| Python wheels                   | `lib/python3.11/site-packages/...` |
+| Source                               | Example files                      |
+| ------------------------------------ | ---------------------------------- |
+| Alpine APK packages                  | `/lib/apk/db/installed`            |
+| Debian/Ubuntu dpkg/apt packages      | `/var/lib/dpkg/status`             |
+|                                      |                                    |
+| Go Binaries                          | `main-go`                          |
+| Rust Binaries (with cargo-auditable) | `main-rust-built-with-auditable`   |
+| Java Uber `jars`                     | `my-java-app.jar`                  |
+| Node Modules                         | `node-app/node_modules/...`        |
+| Python wheels                        | `lib/python3.11/site-packages/...` |
 
 ## Supported lockfiles/manifests
 
diff --git a/pkg/osvscanner/internal/scanners/extractorbuilder.go b/pkg/osvscanner/internal/scanners/extractorbuilder.go
@@ -32,6 +32,7 @@ import (
 	"github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/r/renvlock"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/ruby/gemfilelock"
+	"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargoauditable"
 	"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/apk"
 	"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg"
@@ -177,6 +178,8 @@ func BuildArtifactExtractors() []filesystem.Extractor {
 		gobinary.New(gobinary.DefaultConfig()),
 		// Javascript
 		nodemodules.Extractor{},
+		// Rust
+		cargoauditable.NewDefault(),
 
 		// --- OS packages ---
 		// Alpine
