feat: Add SBOM pre-cursor files

Adds a new option `build.sbom` that adds generation of a JSON file
containing dependency information alongside compiled artifacts.

Author: arlosi

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "cargo-test-support"
-version = "0.7.2"
+version = "0.7.3"
 edition.workspace = true
 rust-version = "1.85"  # MSRV:1
 license.workspace = true

crates/cargo-test-support/Cargo.toml

@@ -415,6 +415,16 @@ impl Project {
             .join(paths::get_lib_filename(name, kind))
     }
 
+    /// Path to a dynamic library.
+    /// ex: `/path/to/cargo/target/cit/t0/foo/target/debug/examples/libex.dylib`
+    pub fn dylib(&self, name: &str) -> PathBuf {
+        self.target_debug_dir().join(format!(
+            "{}{name}{}",
+            env::consts::DLL_PREFIX,
+            env::consts::DLL_SUFFIX
+        ))
+    }
+
     /// Path to a debug binary.
     ///
     /// ex: `$CARGO_TARGET_TMPDIR/cit/t0/foo/target/debug/foo`

crates/cargo-test-support/src/lib.rs

@@ -48,6 +48,8 @@ pub struct BuildConfig {
     pub future_incompat_report: bool,
     /// Which kinds of build timings to output (empty if none).
     pub timing_outputs: Vec<TimingOutput>,
+    /// Output SBOM precursor files.
+    pub sbom: bool,
 }
 
 fn default_parallelism() -> CargoResult<u32> {
@@ -99,6 +101,17 @@ impl BuildConfig {
             },
         };
 
+        // If sbom flag is set, it requires the unstable feature
+        let sbom = match (cfg.sbom, gctx.cli_unstable().sbom) {
+            (Some(sbom), true) => sbom,
+            (Some(_), false) => {
+                gctx.shell()
+                    .warn("ignoring 'sbom' config, pass `-Zsbom` to enable it")?;
+                false
+            }
+            (None, _) => false,
+        };
+
         Ok(BuildConfig {
             requested_kinds,
             jobs,
@@ -115,6 +128,7 @@ impl BuildConfig {
             export_dir: None,
             future_incompat_report: false,
             timing_outputs: Vec::new(),
+            sbom,
         })
     }
 

src/cargo/core/compiler/build_config.rs

@@ -1,6 +1,7 @@
 //! [`BuildRunner`] is the mutable state used during the build process.
 
 use std::collections::{BTreeSet, HashMap, HashSet};
+use std::io::BufWriter;
 use std::path::{Path, PathBuf};
 use std::sync::{Arc, Mutex};
 
@@ -10,6 +11,7 @@ use crate::core::PackageId;
 use crate::util::cache_lock::CacheLockMode;
 use crate::util::errors::CargoResult;
 use anyhow::{bail, Context as _};
+use cargo_util::paths;
 use filetime::FileTime;
 use itertools::Itertools;
 use jobserver::Client;
@@ -291,6 +293,14 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
             }
 
             super::output_depinfo(&mut self, unit)?;
+
+            if self.bcx.build_config.sbom {
+                let sbom = super::build_sbom(&mut self, unit)?;
+                for sbom_output_file in self.sbom_output_files(unit)? {
+                    let outfile = BufWriter::new(paths::create(sbom_output_file)?);
+                    serde_json::to_writer(outfile, &sbom)?;
+                }
+            }
         }
 
         for (script_meta, output) in self.build_script_outputs.lock().unwrap().iter() {
@@ -446,6 +456,33 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
         self.files().metadata(unit).unit_id()
     }
 
+    /// Returns the list of SBOM output file paths for a given [`Unit`].
+    pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> {
+        let mut sbom_files = Vec::new();
+        if !self.bcx.build_config.sbom || !self.bcx.gctx.cli_unstable().sbom {
+            return Ok(sbom_files);
+        }
+        for output in self.outputs(unit)?.iter() {
+            if matches!(output.flavor, FileFlavor::Normal | FileFlavor::Linkable) {
+                if let Some(path) = &output.hardlink {
+                    sbom_files.push(Self::append_sbom_suffix(path));
+                }
+                if let Some(path) = &output.export_path {
+                    sbom_files.push(Self::append_sbom_suffix(path));
+                }
+            }
+        }
+        Ok(sbom_files)
+    }
+
+    /// Append the SBOM suffix to the file name.
+    fn append_sbom_suffix(link: &PathBuf) -> PathBuf {
+        const SBOM_FILE_EXTENSION: &str = ".cargo-sbom.json";
+        let mut link_buf = link.clone().into_os_string();
+        link_buf.push(SBOM_FILE_EXTENSION);
+        PathBuf::from(link_buf)
+    }
+
     pub fn is_primary_package(&self, unit: &Unit) -> bool {
         self.primary_packages.contains(&unit.pkg.package_id())
     }

src/cargo/core/compiler/build_runner/mod.rs

@@ -47,6 +47,7 @@ pub(crate) mod layout;
 mod links;
 mod lto;
 mod output_depinfo;
+mod output_sbom;
 pub mod rustdoc;
 pub mod standard_lib;
 mod timings;
@@ -60,7 +61,7 @@ use std::env;
 use std::ffi::{OsStr, OsString};
 use std::fmt::Display;
 use std::fs::{self, File};
-use std::io::{BufRead, Write};
+use std::io::{BufRead, BufWriter, Write};
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
 
@@ -85,6 +86,7 @@ use self::job_queue::{Job, JobQueue, JobState, Work};
 pub(crate) use self::layout::Layout;
 pub use self::lto::Lto;
 use self::output_depinfo::output_depinfo;
+use self::output_sbom::build_sbom;
 use self::unit_graph::UnitDep;
 use crate::core::compiler::future_incompat::FutureIncompatReport;
 pub use crate::core::compiler::unit::{Unit, UnitInterner};
@@ -307,6 +309,8 @@ fn rustc(
     let script_metadata = build_runner.find_build_script_metadata(unit);
     let is_local = unit.is_local();
     let artifact = unit.artifact;
+    let sbom_files = build_runner.sbom_output_files(unit)?;
+    let sbom = build_sbom(build_runner, unit)?;
 
     let hide_diagnostics_for_scrape_unit = build_runner.bcx.unit_can_fail_for_docscraping(unit)
         && !matches!(
@@ -392,6 +396,12 @@ fn rustc(
         if build_plan {
             state.build_plan(buildkey, rustc.clone(), outputs.clone());
         } else {
+            for file in sbom_files {
+                tracing::debug!("writing sbom to {}", file.display());
+                let outfile = BufWriter::new(paths::create(&file)?);
+                serde_json::to_writer(outfile, &sbom)?;
+            }
+
             let result = exec
                 .exec(
                     &rustc,
@@ -685,6 +695,7 @@ where
 /// completion of other units will be added later in runtime, such as flags
 /// from build scripts.
 fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<ProcessBuilder> {
+    let gctx = build_runner.bcx.gctx;
     let is_primary = build_runner.is_primary_package(unit);
     let is_workspace = build_runner.bcx.ws.is_member(&unit.pkg);
 
@@ -700,7 +711,7 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
         base.args(args);
     }
     base.args(&unit.rustflags);
-    if build_runner.bcx.gctx.cli_unstable().binary_dep_depinfo {
+    if gctx.cli_unstable().binary_dep_depinfo {
         base.arg("-Z").arg("binary-dep-depinfo");
     }
     if build_runner.bcx.gctx.cli_unstable().checksum_freshness {
@@ -709,6 +720,8 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
 
     if is_primary {
         base.env("CARGO_PRIMARY_PACKAGE", "1");
+        let file_list = std::env::join_paths(build_runner.sbom_output_files(unit)?)?;
+        base.env("CARGO_SBOM_PATH", file_list);
     }
 
     if unit.target.is_test() || unit.target.is_bench() {

src/cargo/core/compiler/mod.rs

@@ -0,0 +1,192 @@
+//! cargo-sbom precursor files for external tools to create SBOM files from.
+//! See [`build_sbom_graph`] for more.
+
+use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet};
+use std::path::PathBuf;
+
+use cargo_util_schemas::core::PackageIdSpec;
+use itertools::Itertools;
+use serde::Serialize;
+
+use crate::core::TargetKind;
+use crate::util::interning::InternedString;
+use crate::util::Rustc;
+use crate::CargoResult;
+
+use super::{BuildOutput, CompileMode};
+use super::{BuildRunner, Unit};
+
+/// Typed version of a SBOM format version number.
+#[derive(Serialize, Copy, Clone, Debug, Ord, PartialOrd, Eq, PartialEq)]
+pub struct SbomFormatVersion(u32);
+
+#[derive(Debug, Copy, Clone, PartialEq, PartialOrd, Eq, Ord, Serialize)]
+#[serde(rename_all = "snake_case")]
+enum SbomDependencyType {
+    /// A dependency linked to the artifact produced by this unit.
+    Normal,
+    /// A dependency needed to run the build for this unit (e.g. a build script or proc-macro).
+    /// The dependency is not linked to the artifact produced by this unit.
+    Build,
+}
+
+#[derive(Serialize, Copy, Clone, Debug, Ord, PartialOrd, Eq, PartialEq)]
+struct SbomIndex(usize);
+
+#[derive(Serialize, Clone, Debug)]
+#[serde(rename_all = "snake_case")]
+struct SbomDependency {
+    index: SbomIndex,
+    kind: SbomDependencyType,
+}
+
+#[derive(Serialize, Clone, Debug)]
+#[serde(rename_all = "snake_case")]
+struct SbomPackage {
+    id: PackageIdSpec,
+    features: Vec<String>,
+    cfgs: Vec<String>,
+    dependencies: Vec<SbomDependency>,
+    kind: TargetKind,
+}
+
+impl SbomPackage {
+    pub fn new(unit: &Unit, build_script_output: Option<&BuildOutput>) -> Self {
+        let package_id = unit.pkg.package_id().to_spec();
+        let features = unit.features.iter().map(|f| f.to_string()).collect_vec();
+        let cfgs = build_script_output
+            .map(|b| b.cfgs.clone())
+            .unwrap_or_default();
+        Self {
+            id: package_id,
+            features,
+            cfgs,
+            dependencies: Vec::new(),
+            kind: unit.target.kind().clone(),
+        }
+    }
+}
+
+#[derive(Serialize, Clone)]
+#[serde(rename_all = "snake_case")]
+struct SbomRustc {
+    version: String,
+    wrapper: Option<PathBuf>,
+    workspace_wrapper: Option<PathBuf>,
+    commit_hash: Option<String>,
+    host: String,
+    verbose_version: String,
+}
+
+impl From<&Rustc> for SbomRustc {
+    fn from(rustc: &Rustc) -> Self {
+        Self {
+            version: rustc.version.to_string(),
+            wrapper: rustc.wrapper.clone(),
+            workspace_wrapper: rustc.workspace_wrapper.clone(),
+            commit_hash: rustc.commit_hash.clone(),
+            host: rustc.host.to_string(),
+            verbose_version: rustc.verbose_version.clone(),
+        }
+    }
+}
+
+#[derive(Serialize)]
+#[serde(rename_all = "snake_case")]
+pub struct Sbom {
+    version: SbomFormatVersion,
+    root: SbomIndex,
+    packages: Vec<SbomPackage>,
+    rustc: SbomRustc,
+    target: InternedString,
+}
+
+/// Build an [`Sbom`] for the given [`Unit`].
+pub fn build_sbom(build_runner: &BuildRunner<'_, '_>, root: &Unit) -> CargoResult<Sbom> {
+    let bcx = build_runner.bcx;
+    let rustc: SbomRustc = bcx.rustc().into();
+
+    let mut packages = Vec::new();
+    let build_script_outputs = build_runner.build_script_outputs.lock().unwrap();
+    let sbom_graph = build_sbom_graph(build_runner, root);
+
+    // Build set of indicies for each node in the graph for fast lookup.
+    let indicies: HashMap<&Unit, SbomIndex> = sbom_graph
+        .keys()
+        .enumerate()
+        .map(|(i, dep)| (*dep, SbomIndex(i)))
+        .collect();
+
+    // Add a item to the packages list for each node in the graph.
+    for (unit, edges) in sbom_graph {
+        let build_script_output = build_runner
+            .find_build_script_metadata(unit)
+            .and_then(|meta| build_script_outputs.get(meta));
+        let mut package = SbomPackage::new(unit, build_script_output);
+        for (dep, kind) in edges {
+            package.dependencies.push(SbomDependency {
+                index: indicies[dep],
+                kind: kind,
+            });
+        }
+        packages.push(package);
+    }
+    let target = match root.kind {
+        super::CompileKind::Host => build_runner.bcx.host_triple(),
+        super::CompileKind::Target(target) => target.rustc_target(),
+    };
+    Ok(Sbom {
+        version: SbomFormatVersion(1),
+        packages,
+        root: indicies[root],
+        rustc,
+        target,
+    })
+}
+
+/// List all dependencies, including transitive ones. A dependency can also appear multiple times
+/// if it's using different settings, e.g. profile, features or crate versions.
+///
+/// Returns a graph of dependencies.
+fn build_sbom_graph<'a>(
+    build_runner: &'a BuildRunner<'_, '_>,
+    root: &'a Unit,
+) -> BTreeMap<&'a Unit, BTreeSet<(&'a Unit, SbomDependencyType)>> {
+    tracing::trace!("building sbom graph for {}", root.pkg.package_id());
+
+    let mut queue = Vec::new();
+    let mut sbom_graph: BTreeMap<&Unit, BTreeSet<(&Unit, SbomDependencyType)>> = BTreeMap::new();
+    let mut visited = HashSet::new();
+
+    // Search to collect all dependencies of the root unit.
+    queue.push((root, root, false));
+    while let Some((node, parent, is_build_dep)) = queue.pop() {
+        let dependencies = sbom_graph.entry(parent).or_default();
+        for dep in build_runner.unit_deps(node) {
+            let dep = &dep.unit;
+            let (next_parent, next_is_build_dep) = if dep.mode == CompileMode::RunCustomBuild
+            {
+                // Nodes in the SBOM graph for building/running build scripts are moved on to their parent as build dependencies.
+                (parent, true)
+            } else {
+                // Proc-macros and build scripts are marked as build dependencies.
+                let dep_type = match is_build_dep || dep.target.proc_macro() {
+                    false => SbomDependencyType::Normal,
+                    true => SbomDependencyType::Build,
+                };
+                dependencies.insert((dep, dep_type));
+                tracing::trace!(
+                    "adding sbom edge {} -> {} ({:?})",
+                    parent.pkg.package_id(),
+                    dep.pkg.package_id(),
+                    dep_type,
+                );
+                (dep, false)
+            };
+            if visited.insert(dep) {
+                queue.push((dep, next_parent, next_is_build_dep));
+            }
+        }
+    }
+    sbom_graph
+}