rust-secure-code/cargo-auditable

Out of the box support for other formats

ctron opened this issue · 5 comments

ctron commented

Assuming I want to leverage the information generated by a build using cargo auditable, I can extract the information using the tool rust-audit-info. However, this uses the internal JSON format.

In order to make it work with other tools, I need to convert the information into another format, like CycloneDX's SBOM.

I could do this by piping the output of rust-audit-info into my own tool and converting the format. But I think it would be nice to have:

  • A default translation between the internal format and other formats
  • An option to apply this translation using rust-audit-info

ctron commented

I started to play with the idea as part of a PoC: https://github.com/ctron/ktt

rust-audit-info is deliberately minimal, but I would welcome other tools for working with the format. I'm happy to link to your tool from the README, etc.

That said, https://github.com/anchore/syft can convert this data to a variety of formats already, so implementing my own converter was not a priority.

ctron commented

That is very kind, but I am not sure linking to this tool provides much value at the moment :)

I also completely understand the idea of keeping this crate minimal.

I also saw cargo audit, so maybe this would be a functionality which would be more suitable for something like cargo audit bin --sbom? So this is more like a discussion at the root level of the issue :)

One thing I already noticed is that some information is missing for other formats. Things like authors, licenses, descriptions, links, … but I guess this is something to discuss in another issue.

But having some translation functionality (not necessarily in rust-audit-info) might make this problem more transparent. And cargo auditable is the root source of this information.

Anyway, I am more exploring and looking for input than suggesting anything :)

I'm going to close this as a work item for cargo auditable because https://github.com/anchore/syft already provides this today, but I'm happy to see more tools in this area and I'm happy to help if anyone ends up making them.

I have written a native Rust converter from the cargo auditable format to CycloneDX. It can be used both as a CLI binary via auditable2cdx and as a library crate auditable-cyclonedx.
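The translation the thread asks for, as an added example that is not code from cargo auditable, rust-audit-info or the auditable-cyclonedx crate: it takes the JSON that rust-audit-info prints and emits a minimal CycloneDX 1.4 BOM. The sample input is constructed, and the field names (packages, name, version, source, kind, dependencies, root) follow the embedded format as the editor understands it, which is an assumption to check against the real output.

```python
import json

# Constructed sample in the shape of the JSON embedded by cargo auditable
# (assumed field names; verify against `rust-audit-info <binary>` output).
SAMPLE_AUDIT_INFO = json.dumps({
    "packages": [
        {"name": "myapp", "version": "0.1.0", "source": "local",
         "dependencies": [1, 2], "root": True},
        {"name": "serde", "version": "1.0.188", "source": "crates.io",
         "dependencies": [2]},
        {"name": "serde_derive", "version": "1.0.188", "source": "crates.io",
         "kind": "build"},
    ]
})


def bom_ref(pkg):
    """Package URL for the crate; non-crates.io sources get a qualifier so refs stay unique."""
    ref = f"pkg:cargo/{pkg['name']}@{pkg['version']}"
    source = pkg.get("source", "unknown")
    return ref if source == "crates.io" else f"{ref}?source={source}"


def to_cyclonedx(audit_json):
    """Convert cargo-auditable JSON text into a CycloneDX 1.4 BOM (as a dict)."""
    pkgs = json.loads(audit_json)["packages"]
    refs = [bom_ref(p) for p in pkgs]
    components, dependencies, root_component = [], [], None
    for i, p in enumerate(pkgs):
        # The embedded format references dependencies by index into "packages";
        # reject out-of-range indexes rather than emitting dangling refs.
        deps = p.get("dependencies", [])
        if any(not 0 <= j < len(pkgs) for j in deps):
            raise ValueError(f"package {p['name']} has an invalid dependency index")
        comp = {
            "type": "application" if p.get("root") else "library",
            "bom-ref": refs[i], "name": p["name"], "version": p["version"],
            "purl": refs[i],
            "properties": [  # keep data CycloneDX has no native field for
                {"name": "cargo_auditable:source", "value": p.get("source", "unknown")},
                {"name": "cargo_auditable:kind", "value": p.get("kind", "runtime")},
            ],
        }
        if p.get("root"):
            root_component = comp  # the binary itself goes into metadata, not components
        else:
            components.append(comp)
        dependencies.append({"ref": refs[i], "dependsOn": [refs[j] for j in deps]})
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "components": components, "dependencies": dependencies}
    if root_component is not None:
        bom["metadata"] = {"component": root_component}
    return bom
```

Running `json.dumps(to_cyclonedx(SAMPLE_AUDIT_INFO), indent=2)` gives a document that SBOM consumers can ingest, with the dependency graph preserved through the `dependencies` section.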