Initial implementation of cargo-sbom detector

arlosi · arlosi · commit 72100557acb2 · 2025-04-23T17:12:57.000-05:00
diff --git a/src/Microsoft.ComponentDetection.Detectors/rust/Contracts/CargoSbom.cs b/src/Microsoft.ComponentDetection.Detectors/rust/Contracts/CargoSbom.cs
@@ -0,0 +1,178 @@
+// Schema for Cargo SBOM pre-cursor files (*.cargo-sbom.json)
+
+namespace Microsoft.ComponentDetection.Detectors.Rust.Sbom.Contracts;
+
+using System;
+using System.Collections.Generic;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+#pragma warning disable SA1402
+#pragma warning disable SA1204
+
+/// <summary>
+/// Type of dependency.
+/// </summary>
+public enum SbomKind
+{
+    /// <summary>
+    /// A dependency linked to the artifact produced by this crate.
+    /// </summary>
+    Normal,
+
+    /// <summary>
+    /// A compile-time dependency used to build this crate.
+    /// </summary>
+    Build,
+
+    /// <summary>
+    /// An unexpected dependency kind.
+    /// </summary>
+    Unknown,
+}
+
+/// <summary>
+/// Represents the Cargo Software Bill of Materials (SBOM).
+/// </summary>
+public class CargoSbom
+{
+    /// <summary>
+    /// Gets or sets the version of the SBOM.
+    /// </summary>
+    public int Version { get; set; }
+
+    /// <summary>
+    /// Gets or sets the index of the root crate.
+    /// </summary>
+    public int Root { get; set; }
+
+    /// <summary>
+    /// Gets or sets the list of crates.
+    /// </summary>
+    public List<SbomCrate> Crates { get; set; }
+
+    /// <summary>
+    /// Gets or sets the information about rustc used to perform the compilation.
+    /// </summary>
+    public Rustc Rustc { get; set; }
+
+    /// <summary>
+    /// Deserialize from JSON.
+    /// </summary>
+    /// <returns>Cargo SBOM.</returns>
+    public static CargoSbom FromJson(string json) => JsonSerializer.Deserialize<CargoSbom>(json, Converter.Settings);
+}
+
+/// <summary>
+/// Represents a crate in the SBOM.
+/// </summary>
+public class SbomCrate
+{
+    /// <summary>
+    /// Gets or sets the Cargo Package ID specification.
+    /// </summary>
+    public string Id { get; set; }
+
+    /// <summary>
+    /// Gets or sets the enabled feature flags.
+    /// </summary>
+    public List<string> Features { get; set; }
+
+    /// <summary>
+    /// Gets or sets the enabled cfg attributes set by build scripts.
+    /// </summary>
+    public List<string> Cfgs { get; set; }
+
+    /// <summary>
+    /// Gets or sets the dependencies for this crate.
+    /// </summary>
+    public List<SbomDependency> Dependencies { get; set; }
+}
+
+/// <summary>
+/// Represents a dependency of a crate.
+/// </summary>
+public class SbomDependency
+{
+    /// <summary>
+    /// Gets or sets the index into the crates array.
+    /// </summary>
+    public int Index { get; set; }
+
+    /// <summary>
+    /// Gets or sets the kind of dependency.
+    /// </summary>
+    public SbomKind Kind { get; set; }
+}
+
+/// <summary>
+/// Represents information about rustc used to perform the compilation.
+/// </summary>
+public class Rustc
+{
+    /// <summary>
+    /// Gets or sets the compiler version.
+    /// </summary>
+    public string Version { get; set; }
+
+    /// <summary>
+    /// Gets or sets the compiler wrapper.
+    /// </summary>
+    public string Wrapper { get; set; }
+
+    /// <summary>
+    /// Gets or sets the compiler workspace wrapper.
+    /// </summary>
+    public string WorkspaceWrapper { get; set; }
+
+    /// <summary>
+    /// Gets or sets the commit hash for rustc.
+    /// </summary>
+    public string CommitHash { get; set; }
+
+    /// <summary>
+    /// Gets or sets the host target triple.
+    /// </summary>
+    [JsonPropertyName("host")]
+    public string Host { get; set; }
+
+    /// <summary>
+    /// Gets or sets the verbose version string.
+    /// </summary>
+    public string VerboseVersion { get; set; }
+}
+
+/// <summary>
+/// Deserializes SbomKind.
+/// </summary>
+internal class SbomKindConverter : JsonConverter<SbomKind>
+{
+    public static readonly SbomKindConverter Singleton = new SbomKindConverter();
+
+    public override bool CanConvert(Type t) => t == typeof(SbomKind);
+
+    public override SbomKind Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+    {
+        var value = reader.GetString();
+        return value switch
+        {
+            "build" => SbomKind.Build,
+            "normal" => SbomKind.Normal,
+            _ => SbomKind.Unknown,
+        };
+    }
+
+    public override void Write(Utf8JsonWriter writer, SbomKind value, JsonSerializerOptions options) => throw new NotImplementedException();
+}
+
+/// <summary>
+/// Json converter settings.
+/// </summary>
+internal static class Converter
+{
+    public static readonly JsonSerializerOptions Settings = new(JsonSerializerDefaults.General)
+    {
+        Converters = { SbomKindConverter.Singleton },
+        PropertyNamingPolicy = JsonNamingPolicy.SnakeCaseLower,
+    };
+}
diff --git a/src/Microsoft.ComponentDetection.Detectors/rust/RustSbomDetector.cs b/src/Microsoft.ComponentDetection.Detectors/rust/RustSbomDetector.cs
@@ -0,0 +1,126 @@
+namespace Microsoft.ComponentDetection.Detectors.Rust;
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Text.RegularExpressions;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.ComponentDetection.Contracts;
+using Microsoft.ComponentDetection.Contracts.Internal;
+using Microsoft.ComponentDetection.Contracts.TypedComponent;
+using Microsoft.ComponentDetection.Detectors.Rust.Sbom.Contracts;
+using Microsoft.Extensions.Logging;
+
+public class RustSbomDetector : FileComponentDetector, IDefaultOffComponentDetector
+{
+    private const string CargoSbomSearchPattern = "*.cargo-sbom.json";
+    private const string CratesIoSource = "registry+https://github.com/rust-lang/crates.io-index";
+
+    /// <summary>
+    /// Cargo Package ID: source#name@version
+    /// https://rustwiki.org/en/cargo/reference/pkgid-spec.html.
+    /// </summary>
+    private static readonly Regex CargoPackageIdRegex = new Regex(
+        @"^(?<source>[^#]*)#?(?<name>[\w\-]*)[@#]?(?<version>\d[\S]*)?$",
+        RegexOptions.Compiled);
+
+    public RustSbomDetector(
+        IComponentStreamEnumerableFactory componentStreamEnumerableFactory,
+        IObservableDirectoryWalkerFactory walkerFactory,
+        ILogger<RustSbomDetector> logger)
+    {
+        this.ComponentStreamEnumerableFactory = componentStreamEnumerableFactory;
+        this.Scanner = walkerFactory;
+        this.Logger = logger;
+    }
+
+    public override string Id => "RustSbom";
+
+    public override IList<string> SearchPatterns => [CargoSbomSearchPattern];
+
+    public override IEnumerable<ComponentType> SupportedComponentTypes => [ComponentType.Cargo];
+
+    public override int Version { get; } = 1;
+
+    public override IEnumerable<string> Categories => ["Rust"];
+
+    private static bool ParsePackageIdSpec(string dependency, out CargoComponent component)
+    {
+        var match = CargoPackageIdRegex.Match(dependency);
+        var name = match.Groups["name"].Value;
+        var version = match.Groups["version"].Value;
+        var source = match.Groups["source"].Value;
+
+        if (!match.Success)
+        {
+            component = null;
+            return false;
+        }
+
+        if (string.IsNullOrWhiteSpace(name))
+        {
+            name = source[(source.LastIndexOf('/') + 1)..];
+        }
+
+        if (string.IsNullOrWhiteSpace(source))
+        {
+            source = null;
+        }
+
+        component = new CargoComponent(name, version, source: source);
+        return true;
+    }
+
+    protected override async Task OnFileFoundAsync(ProcessRequest processRequest, IDictionary<string, string> detectorArgs, CancellationToken cancellationToken = default)
+    {
+        var singleFileComponentRecorder = processRequest.SingleFileComponentRecorder;
+        var components = processRequest.ComponentStream;
+        var reader = new StreamReader(components.Stream);
+        var cargoSbom = CargoSbom.FromJson(await reader.ReadToEndAsync(cancellationToken));
+        this.RecordLockfileVersion(cargoSbom.Version);
+        this.ProcessCargoSbom(cargoSbom, singleFileComponentRecorder, components);
+    }
+
+    private void ProcessDependency(CargoSbom sbom, SbomCrate package, ISingleFileComponentRecorder recorder, IComponentStream components, HashSet<int> visitedNodes, CargoComponent parent = null, int depth = 0)
+    {
+        foreach (var dependency in package.Dependencies)
+        {
+            var dep = sbom.Crates[dependency.Index];
+            var parentComponent = parent;
+            if (ParsePackageIdSpec(dep.Id, out var component))
+            {
+                if (component.Source == CratesIoSource)
+                {
+                    parentComponent = component;
+                    recorder.RegisterUsage(new DetectedComponent(component), isExplicitReferencedDependency: depth == 0, parent?.Id, isDevelopmentDependency: false);
+                }
+            }
+            else
+            {
+                this.Logger.LogError(null, "Failed to parse Cargo PackageIdSpec '{Id}' in '{Location}'", dep.Id, components.Location);
+                recorder.RegisterPackageParseFailure(dep.Id);
+            }
+
+            if (visitedNodes.Add(dependency.Index))
+            {
+                // Skip processing already processed nodes
+                this.ProcessDependency(sbom, dep, recorder, components, visitedNodes, parentComponent, depth + 1);
+            }
+        }
+    }
+
+    private void ProcessCargoSbom(CargoSbom sbom, ISingleFileComponentRecorder recorder, IComponentStream components)
+    {
+        try
+        {
+            var visitedNodes = new HashSet<int>();
+            this.ProcessDependency(sbom, sbom.Crates[sbom.Root], recorder, components, visitedNodes);
+        }
+        catch (Exception e)
+        {
+            // If something went wrong, just ignore the file
+            this.Logger.LogError(e, "Failed to process Cargo SBOM file '{FileLocation}'", components.Location);
+        }
+    }
+}
diff --git a/src/Microsoft.ComponentDetection.Orchestrator/Extensions/ServiceCollectionExtensions.cs b/src/Microsoft.ComponentDetection.Orchestrator/Extensions/ServiceCollectionExtensions.cs
@@ -137,6 +137,7 @@ public static IServiceCollection AddComponentDetection(this IServiceCollection s
         // Rust
         services.AddSingleton<IComponentDetector, RustCrateDetector>();
         services.AddSingleton<IComponentDetector, RustCliDetector>();
+        services.AddSingleton<IComponentDetector, RustSbomDetector>();
 
         // SPDX
         services.AddSingleton<IComponentDetector, Spdx22ComponentDetector>();
diff --git a/test/Microsoft.ComponentDetection.Detectors.Tests/RustSbomDetectorTests.cs b/test/Microsoft.ComponentDetection.Detectors.Tests/RustSbomDetectorTests.cs
