CycloneDX Rust (Cargo) Plugin
May 22, 2025 ยท View on GitHub
CycloneDX Rust (Cargo) Plugin
The CycloneDX module for Rust (Cargo) creates a valid CycloneDX Software Bill of Materials (SBOM) containing an aggregate of all project dependencies. OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard providing advanced supply chain capabilities for cyber risk reduction.
Structure
This repository contains two separate projects:
cyclonedx-bomis a Rust library to read and write CycloneDX SBOMs to and from Rust structs.cargo-cyclonedxis a Rust application, which generates CycloneDX SBOMs for Cargo based Rust projects (it usescyclonedx-bomfor that purpose).
Usage
Execute cargo-cyclonedx from within a Rust project directory containing Cargo.toml.
Installing
cargo install cargo-cyclonedx
Executing binary
~/.cargo/bin/cargo-cyclonedx cyclonedx
Executing from cargo
cargo cyclonedx
Security considerations
cargo-cyclonedx calls into Cargo internally to get information about a Rust project. Like nearly any other build system,
Cargo may run arbitrary code
when invoked on an untrusted project, so cargo-cyclonedx should not be called on untrusted projects either.
Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the Cargo.lock file.
However, the only way to generate the Cargo.lock file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.
Contributing
Contributions are welcome.
See our CONTRIBUTING.md for details.
Copyright & License
CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the LICENSE file for the full license.