feat: Add SBOM pre-cursor files

Adds a new option `build.sbom` that adds generation of a JSON file
containing dependency information alongside compiled artifacts.

Author: arlosi

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "cargo-test-support"
-version = "0.7.2"
+version = "0.7.3"
 edition.workspace = true
 rust-version = "1.85"  # MSRV:1
 license.workspace = true

crates/cargo-test-support/Cargo.toml

@@ -415,6 +415,16 @@ impl Project {
             .join(paths::get_lib_filename(name, kind))
     }
 
+    /// Path to a dynamic library.
+    /// ex: `/path/to/cargo/target/cit/t0/foo/target/debug/examples/libex.dylib`
+    pub fn dylib(&self, name: &str) -> PathBuf {
+        self.target_debug_dir().join(format!(
+            "{}{name}{}",
+            env::consts::DLL_PREFIX,
+            env::consts::DLL_SUFFIX
+        ))
+    }
+
     /// Path to a debug binary.
     ///
     /// ex: `$CARGO_TARGET_TMPDIR/cit/t0/foo/target/debug/foo`

crates/cargo-test-support/src/lib.rs

@@ -48,6 +48,8 @@ pub struct BuildConfig {
     pub future_incompat_report: bool,
     /// Which kinds of build timings to output (empty if none).
     pub timing_outputs: Vec<TimingOutput>,
+    /// Output SBOM precursor files.
+    pub sbom: bool,
 }
 
 fn default_parallelism() -> CargoResult<u32> {
@@ -99,6 +101,17 @@ impl BuildConfig {
             },
         };
 
+        // If sbom flag is set, it requires the unstable feature
+        let sbom = match (cfg.sbom, gctx.cli_unstable().sbom) {
+            (Some(sbom), true) => sbom,
+            (Some(_), false) => {
+                gctx.shell()
+                    .warn("ignoring 'sbom' config, pass `-Zsbom` to enable it")?;
+                false
+            }
+            (None, _) => false,
+        };
+
         Ok(BuildConfig {
             requested_kinds,
             jobs,
@@ -115,6 +128,7 @@ impl BuildConfig {
             export_dir: None,
             future_incompat_report: false,
             timing_outputs: Vec::new(),
+            sbom,
         })
     }
 

src/cargo/core/compiler/build_config.rs

@@ -72,6 +72,8 @@ pub enum FileFlavor {
     Rmeta,
     /// Piece of external debug information (e.g., `.dSYM`/`.pdb` file).
     DebugInfo,
+    /// SBOM (Software Bill of Materials pre-cursor) file (e.g. cargo-sbon.json).
+    Sbom,
 }
 
 /// Type of each file generated by a Unit.

src/cargo/core/compiler/build_context/target_info.rs

@@ -495,13 +495,37 @@ impl<'a, 'gctx: 'a> CompilationFiles<'a, 'gctx> {
             CompileMode::Test
             | CompileMode::Build
             | CompileMode::Bench
-            | CompileMode::Check { .. } => self.calc_outputs_rustc(unit, bcx)?,
+            | CompileMode::Check { .. } => {
+                let mut outputs = self.calc_outputs_rustc(unit, bcx)?;
+                if bcx.build_config.sbom && bcx.gctx.cli_unstable().sbom {
+                    let sbom_files: Vec<_> = outputs
+                        .iter()
+                        .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable))
+                        .map(|output| OutputFile {
+                            path: Self::append_sbom_suffix(&output.path),
+                            hardlink: output.hardlink.as_ref().map(Self::append_sbom_suffix),
+                            export_path: output.export_path.as_ref().map(Self::append_sbom_suffix),
+                            flavor: FileFlavor::Sbom,
+                        })
+                        .collect();
+                    outputs.extend(sbom_files.into_iter());
+                }
+                outputs
+            }
         };
         debug!("Target filenames: {:?}", ret);
 
         Ok(Arc::new(ret))
     }
 
+    /// Append the SBOM suffix to the file name.
+    fn append_sbom_suffix(link: &PathBuf) -> PathBuf {
+        const SBOM_FILE_EXTENSION: &str = ".cargo-sbom.json";
+        let mut link_buf = link.clone().into_os_string();
+        link_buf.push(SBOM_FILE_EXTENSION);
+        PathBuf::from(link_buf)
+    }
+
     /// Computes the actual, full pathnames for all the files generated by rustc.
     ///
     /// The `OutputFile` also contains the paths where those files should be

src/cargo/core/compiler/build_runner/compilation_files.rs

@@ -309,7 +309,10 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
 
     fn collect_tests_and_executables(&mut self, unit: &Unit) -> CargoResult<()> {
         for output in self.outputs(unit)?.iter() {
-            if output.flavor == FileFlavor::DebugInfo || output.flavor == FileFlavor::Auxiliary {
+            if matches!(
+                output.flavor,
+                FileFlavor::DebugInfo | FileFlavor::Auxiliary | FileFlavor::Sbom
+            ) {
                 continue;
             }
 
@@ -446,6 +449,16 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
         self.files().metadata(unit).unit_id()
     }
 
+    /// Returns the list of SBOM output file paths for a given [`Unit`].
+    pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> {
+        Ok(self
+            .outputs(unit)?
+            .iter()
+            .filter(|o| o.flavor == FileFlavor::Sbom)
+            .map(|o| o.path.clone())
+            .collect())
+    }
+
     pub fn is_primary_package(&self, unit: &Unit) -> bool {
         self.primary_packages.contains(&unit.pkg.package_id())
     }

src/cargo/core/compiler/build_runner/mod.rs

@@ -1517,7 +1517,12 @@ fn calculate_normal(
     let outputs = build_runner
         .outputs(unit)?
         .iter()
-        .filter(|output| !matches!(output.flavor, FileFlavor::DebugInfo | FileFlavor::Auxiliary))
+        .filter(|output| {
+            !matches!(
+                output.flavor,
+                FileFlavor::DebugInfo | FileFlavor::Auxiliary | FileFlavor::Sbom
+            )
+        })
         .map(|output| output.path.clone())
         .collect();
 

src/cargo/core/compiler/fingerprint/mod.rs

@@ -47,6 +47,7 @@ pub(crate) mod layout;
 mod links;
 mod lto;
 mod output_depinfo;
+mod output_sbom;
 pub mod rustdoc;
 pub mod standard_lib;
 mod timings;
@@ -60,7 +61,7 @@ use std::env;
 use std::ffi::{OsStr, OsString};
 use std::fmt::Display;
 use std::fs::{self, File};
-use std::io::{BufRead, Write};
+use std::io::{BufRead, BufWriter, Write};
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
 
@@ -85,6 +86,7 @@ use self::job_queue::{Job, JobQueue, JobState, Work};
 pub(crate) use self::layout::Layout;
 pub use self::lto::Lto;
 use self::output_depinfo::output_depinfo;
+use self::output_sbom::build_sbom;
 use self::unit_graph::UnitDep;
 use crate::core::compiler::future_incompat::FutureIncompatReport;
 pub use crate::core::compiler::unit::{Unit, UnitInterner};
@@ -307,6 +309,8 @@ fn rustc(
     let script_metadata = build_runner.find_build_script_metadata(unit);
     let is_local = unit.is_local();
     let artifact = unit.artifact;
+    let sbom_files = build_runner.sbom_output_files(unit)?;
+    let sbom = build_sbom(build_runner, unit)?;
 
     let hide_diagnostics_for_scrape_unit = build_runner.bcx.unit_can_fail_for_docscraping(unit)
         && !matches!(
@@ -392,6 +396,12 @@ fn rustc(
         if build_plan {
             state.build_plan(buildkey, rustc.clone(), outputs.clone());
         } else {
+            for file in sbom_files {
+                tracing::debug!("writing sbom to {}", file.display());
+                let outfile = BufWriter::new(paths::create(&file)?);
+                serde_json::to_writer(outfile, &sbom)?;
+            }
+
             let result = exec
                 .exec(
                     &rustc,
@@ -685,6 +695,7 @@ where
 /// completion of other units will be added later in runtime, such as flags
 /// from build scripts.
 fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<ProcessBuilder> {
+    let gctx = build_runner.bcx.gctx;
     let is_primary = build_runner.is_primary_package(unit);
     let is_workspace = build_runner.bcx.ws.is_member(&unit.pkg);
 
@@ -700,7 +711,7 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
         base.args(args);
     }
     base.args(&unit.rustflags);
-    if build_runner.bcx.gctx.cli_unstable().binary_dep_depinfo {
+    if gctx.cli_unstable().binary_dep_depinfo {
         base.arg("-Z").arg("binary-dep-depinfo");
     }
     if build_runner.bcx.gctx.cli_unstable().checksum_freshness {
@@ -709,6 +720,8 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
 
     if is_primary {
         base.env("CARGO_PRIMARY_PACKAGE", "1");
+        let file_list = std::env::join_paths(build_runner.sbom_output_files(unit)?)?;
+        base.env("CARGO_SBOM_PATH", file_list);
     }
 
     if unit.target.is_test() || unit.target.is_bench() {

src/cargo/core/compiler/mod.rs

@@ -141,11 +141,12 @@ pub fn output_depinfo(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Ca
         .map(|f| render_filename(f, basedir))
         .collect::<CargoResult<Vec<_>>>()?;
 
-    for output in build_runner
-        .outputs(unit)?
-        .iter()
-        .filter(|o| !matches!(o.flavor, FileFlavor::DebugInfo | FileFlavor::Auxiliary))
-    {
+    for output in build_runner.outputs(unit)?.iter().filter(|o| {
+        !matches!(
+            o.flavor,
+            FileFlavor::DebugInfo | FileFlavor::Auxiliary | FileFlavor::Sbom
+        )
+    }) {
         if let Some(ref link_dst) = output.hardlink {
             let output_path = link_dst.with_extension("d");
             if success {