feat: implement RFC 3553 to add SBOM support (#13709)

### What does this PR try to resolve?

This PR is an implementation of [RFC 3553] to add support to generate
pre-cursor SBOM files for compiled artifacts in Cargo.

### How should we test and review this PR?

The [RFC 3553] adds a new option to Cargo to emit SBOM pre-cursor files.
A project can be configured either by the new Cargo config field `sbom`.

```toml
# .cargo/config.toml
[build]
sbom = true
```

or using the environment variable `CARGO_BUILD_SBOM=true`. The `sbom`
option is an unstable feature and requires the `-Zsbom` flag to enable
it.

Check out this branch & compile Cargo. Pick a Cargo project to test it
on, then run:

```
CARGO_BUILD_SBOM=true <path/to/compiled/cargo>/target/debug/cargo build -Zsbom
```

All generated `*.cargo-sbom.json` files are located in the `target`
folder alongside their artifacts. To list all generated files use:

```
find ./target -name "*.cargo-sbom.json"
```

then check their content. To see the current output format, see [these
examples](https://gist.github.com/justahero/2683f5520bf5e921c6b839a0e91cd01c).

### What does the PR not solve?

The PR leaves a task(s) open that are either out of scope or should be
done in a follow-up PRs.

* does not address #6313 (see
[comment](#13709 (comment)))

### Additional information

There are a few things that I would like to get feedback on, in
particular the generated JSON format is not final. Currently it holds
the information listed in the [RFC 3553], but it could be further
enriched with information only available during builds.

During the implementation a number of questions arose:

- [ ] Should the graph be packages or crates?
- The unit graph that the SBOM is based on is units. The current SBOM
graph is identical to the unit graph, with the run build script nodes
merged with building build scripts.
  - Artifact dependencies may impact this
- [ ] Which outputs should get SBOMs files?
- Currently: executables (including examples and tests), dylib, cdylib,
staticlib
- [ ] How do we refer to "normal" dependencies?
#13709 (comment)
- [ ] What case should we use?
#13709 (comment)
- [ ] Should this be `build.sbom` or `profile.*.sbom`
- [ ] Is sbom the right name for this?

Thanks @arlosi, @RobJellinghaus and @lfrancke for initial guidance &
feedback.

* RFC: #rust-lang/rfcs/pull/3553

[RFC 3553]: rust-lang/rfcs#3553

Author: epage

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "cargo-test-support"
-version = "0.7.2"
+version = "0.7.3"
 edition.workspace = true
 rust-version = "1.85"  # MSRV:1
 license.workspace = true

crates/cargo-test-support/Cargo.toml

@@ -415,6 +415,16 @@ impl Project {
             .join(paths::get_lib_filename(name, kind))
     }
 
+    /// Path to a dynamic library.
+    /// ex: `/path/to/cargo/target/cit/t0/foo/target/debug/examples/libex.dylib`
+    pub fn dylib(&self, name: &str) -> PathBuf {
+        self.target_debug_dir().join(format!(
+            "{}{name}{}",
+            env::consts::DLL_PREFIX,
+            env::consts::DLL_SUFFIX
+        ))
+    }
+
     /// Path to a debug binary.
     ///
     /// ex: `$CARGO_TARGET_TMPDIR/cit/t0/foo/target/debug/foo`

crates/cargo-test-support/src/lib.rs

@@ -48,6 +48,8 @@ pub struct BuildConfig {
     pub future_incompat_report: bool,
     /// Which kinds of build timings to output (empty if none).
     pub timing_outputs: Vec<TimingOutput>,
+    /// Output SBOM precursor files.
+    pub sbom: bool,
 }
 
 fn default_parallelism() -> CargoResult<u32> {
@@ -99,6 +101,17 @@ impl BuildConfig {
             },
         };
 
+        // If sbom flag is set, it requires the unstable feature
+        let sbom = match (cfg.sbom, gctx.cli_unstable().sbom) {
+            (Some(sbom), true) => sbom,
+            (Some(_), false) => {
+                gctx.shell()
+                    .warn("ignoring 'sbom' config, pass `-Zsbom` to enable it")?;
+                false
+            }
+            (None, _) => false,
+        };
+
         Ok(BuildConfig {
             requested_kinds,
             jobs,
@@ -115,6 +128,7 @@ impl BuildConfig {
             export_dir: None,
             future_incompat_report: false,
             timing_outputs: Vec::new(),
+            sbom,
         })
     }
 

src/cargo/core/compiler/build_config.rs

@@ -72,6 +72,8 @@ pub enum FileFlavor {
     Rmeta,
     /// Piece of external debug information (e.g., `.dSYM`/`.pdb` file).
     DebugInfo,
+    /// SBOM (Software Bill of Materials pre-cursor) file (e.g. cargo-sbon.json).
+    Sbom,
 }
 
 /// Type of each file generated by a Unit.

src/cargo/core/compiler/build_context/target_info.rs

@@ -495,13 +495,37 @@ impl<'a, 'gctx: 'a> CompilationFiles<'a, 'gctx> {
             CompileMode::Test
             | CompileMode::Build
             | CompileMode::Bench
-            | CompileMode::Check { .. } => self.calc_outputs_rustc(unit, bcx)?,
+            | CompileMode::Check { .. } => {
+                let mut outputs = self.calc_outputs_rustc(unit, bcx)?;
+                if bcx.build_config.sbom && bcx.gctx.cli_unstable().sbom {
+                    let sbom_files: Vec<_> = outputs
+                        .iter()
+                        .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable))
+                        .map(|output| OutputFile {
+                            path: Self::append_sbom_suffix(&output.path),
+                            hardlink: output.hardlink.as_ref().map(Self::append_sbom_suffix),
+                            export_path: output.export_path.as_ref().map(Self::append_sbom_suffix),
+                            flavor: FileFlavor::Sbom,
+                        })
+                        .collect();
+                    outputs.extend(sbom_files.into_iter());
+                }
+                outputs
+            }
         };
         debug!("Target filenames: {:?}", ret);
 
         Ok(Arc::new(ret))
     }
 
+    /// Append the SBOM suffix to the file name.
+    fn append_sbom_suffix(link: &PathBuf) -> PathBuf {
+        const SBOM_FILE_EXTENSION: &str = ".cargo-sbom.json";
+        let mut link_buf = link.clone().into_os_string();
+        link_buf.push(SBOM_FILE_EXTENSION);
+        PathBuf::from(link_buf)
+    }
+
     /// Computes the actual, full pathnames for all the files generated by rustc.
     ///
     /// The `OutputFile` also contains the paths where those files should be

src/cargo/core/compiler/build_runner/compilation_files.rs

@@ -309,7 +309,10 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
 
     fn collect_tests_and_executables(&mut self, unit: &Unit) -> CargoResult<()> {
         for output in self.outputs(unit)?.iter() {
-            if output.flavor == FileFlavor::DebugInfo || output.flavor == FileFlavor::Auxiliary {
+            if matches!(
+                output.flavor,
+                FileFlavor::DebugInfo | FileFlavor::Auxiliary | FileFlavor::Sbom
+            ) {
                 continue;
             }
 
@@ -446,6 +449,16 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
         self.files().metadata(unit).unit_id()
     }
 
+    /// Returns the list of SBOM output file paths for a given [`Unit`].
+    pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> {
+        Ok(self
+            .outputs(unit)?
+            .iter()
+            .filter(|o| o.flavor == FileFlavor::Sbom)
+            .map(|o| o.path.clone())
+            .collect())
+    }
+
     pub fn is_primary_package(&self, unit: &Unit) -> bool {
         self.primary_packages.contains(&unit.pkg.package_id())
     }

src/cargo/core/compiler/build_runner/mod.rs

@@ -1517,7 +1517,12 @@ fn calculate_normal(
     let outputs = build_runner
         .outputs(unit)?
         .iter()
-        .filter(|output| !matches!(output.flavor, FileFlavor::DebugInfo | FileFlavor::Auxiliary))
+        .filter(|output| {
+            !matches!(
+                output.flavor,
+                FileFlavor::DebugInfo | FileFlavor::Auxiliary | FileFlavor::Sbom
+            )
+        })
         .map(|output| output.path.clone())
         .collect();
 

src/cargo/core/compiler/fingerprint/mod.rs

@@ -47,6 +47,7 @@ pub(crate) mod layout;
 mod links;
 mod lto;
 mod output_depinfo;
+mod output_sbom;
 pub mod rustdoc;
 pub mod standard_lib;
 mod timings;
@@ -60,7 +61,7 @@ use std::env;
 use std::ffi::{OsStr, OsString};
 use std::fmt::Display;
 use std::fs::{self, File};
-use std::io::{BufRead, Write};
+use std::io::{BufRead, BufWriter, Write};
 use std::path::{Path, PathBuf};
 use std::sync::Arc;
 
@@ -85,6 +86,7 @@ use self::job_queue::{Job, JobQueue, JobState, Work};
 pub(crate) use self::layout::Layout;
 pub use self::lto::Lto;
 use self::output_depinfo::output_depinfo;
+use self::output_sbom::build_sbom;
 use self::unit_graph::UnitDep;
 use crate::core::compiler::future_incompat::FutureIncompatReport;
 pub use crate::core::compiler::unit::{Unit, UnitInterner};
@@ -307,6 +309,8 @@ fn rustc(
     let script_metadata = build_runner.find_build_script_metadata(unit);
     let is_local = unit.is_local();
     let artifact = unit.artifact;
+    let sbom_files = build_runner.sbom_output_files(unit)?;
+    let sbom = build_sbom(build_runner, unit)?;
 
     let hide_diagnostics_for_scrape_unit = build_runner.bcx.unit_can_fail_for_docscraping(unit)
         && !matches!(
@@ -392,6 +396,12 @@ fn rustc(
         if build_plan {
             state.build_plan(buildkey, rustc.clone(), outputs.clone());
         } else {
+            for file in sbom_files {
+                tracing::debug!("writing sbom to {}", file.display());
+                let outfile = BufWriter::new(paths::create(&file)?);
+                serde_json::to_writer(outfile, &sbom)?;
+            }
+
             let result = exec
                 .exec(
                     &rustc,
@@ -685,6 +695,7 @@ where
 /// completion of other units will be added later in runtime, such as flags
 /// from build scripts.
 fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<ProcessBuilder> {
+    let gctx = build_runner.bcx.gctx;
     let is_primary = build_runner.is_primary_package(unit);
     let is_workspace = build_runner.bcx.ws.is_member(&unit.pkg);
 
@@ -700,7 +711,7 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
         base.args(args);
     }
     base.args(&unit.rustflags);
-    if build_runner.bcx.gctx.cli_unstable().binary_dep_depinfo {
+    if gctx.cli_unstable().binary_dep_depinfo {
         base.arg("-Z").arg("binary-dep-depinfo");
     }
     if build_runner.bcx.gctx.cli_unstable().checksum_freshness {
@@ -709,6 +720,8 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
 
     if is_primary {
         base.env("CARGO_PRIMARY_PACKAGE", "1");
+        let file_list = std::env::join_paths(build_runner.sbom_output_files(unit)?)?;
+        base.env("CARGO_SBOM_PATH", file_list);
     }
 
     if unit.target.is_test() || unit.target.is_bench() {

src/cargo/core/compiler/mod.rs

@@ -141,11 +141,12 @@ pub fn output_depinfo(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Ca
         .map(|f| render_filename(f, basedir))
         .collect::<CargoResult<Vec<_>>>()?;
 
-    for output in build_runner
-        .outputs(unit)?
-        .iter()
-        .filter(|o| !matches!(o.flavor, FileFlavor::DebugInfo | FileFlavor::Auxiliary))
-    {
+    for output in build_runner.outputs(unit)?.iter().filter(|o| {
+        !matches!(
+            o.flavor,
+            FileFlavor::DebugInfo | FileFlavor::Auxiliary | FileFlavor::Sbom
+        )
+    }) {
         if let Some(ref link_dst) = output.hardlink {
             let output_path = link_dst.with_extension("d");
             if success {