Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document security considerations in the cargo-cyclonedx README #780

Merged
merged 1 commit into from
Mar 5, 2025
Merged

Document security considerations in the cargo-cyclonedx README #780

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions cargo-cyclonedx/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,15 @@ By contrast, `cargo cyclonedx` sources data both from `Cargo.lock` and from [`ca
- Omit dev-dependencies, which cannot affect the final executable
- Record additional fields such as the license for every component

## Security considerations

`cargo-cyclonedx` calls into Cargo internally to get information about a Rust project. Like nearly any other build system,
Cargo [may run arbitrary code](https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-projects-4c31c89a78d6)
when invoked on an untrusted project, so `cargo-cyclonedx` should not be called on untrusted projects either.

Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the `Cargo.lock` file.
However, the only way to generate the `Cargo.lock` file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.

## Contributing

See [CONTRIBUTING](../CONTRIBUTING.md) for details.
Expand Down
Loading