Add BOM Support about cargo HOT 5 CLOSED

@dmikusa-pivotal do you have a particular architecture in mind for this? Assuming we want to conform to the most recent SBOM RFC then we'd want to support both CycloneDX and SPDX.

CycloneDX has a rust cargo module: https://github.com/CycloneDX/cyclonedx-rust-cargo, which could be pre-built and provided by a new buildpack (probably called something like "cyclonedz-rust-cargo" and then the binary invoked in this buildpack. Alternatively I wonder if we could leverage #21 once implemented to install cyclonedx in this buildpack and skip the intermediate buildpack? I haven't fully thought through the implications of this second option, though.

from cargo.

I'm torn on this one.

On one hand, that tool looks nice. It's written by someone at OSWAP and seems to be actively maintained, at least at the moment. On the other hand, we still need a tool for SPDX (I didn't look to see if there's a reliably maintained tool that we could use for that). It's also more dependencies that we have to manage & install into the container.

On the other hand, I'm also thinking that this isn't too complicated of a problem to solve so the buildpack could implement it natively. Then we don't have to manage any dependencies/worry about how to install them into the container. It's also easier to test when you're not calling external commands.

Plus, getting the information from cargo isn't terribly difficult. We're already doing this for a couple of reasons, here's where we get the metadata, and we can use that plugin as an example for how to fetch the information from Cargo metadata.

Again, I haven't looked, but I'm hoping there are Go libraries for writing to SPDX and CycloneDX. That would make it all pretty easy to capture, write out the data, and ensure that we get compatible formatted files output.

@robdimsdale What are your thoughts? How are other language teams handling this?

from cargo.

If your RFC for Syft gets approved then I'd imagine we would want to explore that option? Although it looks like it doesn't yet support Rust, so we'd probably want to see if we can add Rust support to Syft.

from cargo.

Yes, Stephen shared that tool with me shortly after I wrote the note above. I definitely thing Syft is a strong contender. I didn't see support on their website, but when I ran the tool against some Rust apps it worked. There was also a PR that got merged a while back for Rust support, so I think it works they just don't mention it specifically, which is weird.

from cargo.

Oh, if it works then maybe it's just a matter of documenting that support on the README.

from cargo.