cargo-cyclonedx/README.md
9 additions & 0 deletions
@@ -102,6 +102,15 @@ By contrast, `cargo cyclonedx` sources data both from `Cargo.lock` and from [`ca
102
102
- Omit dev-dependencies, which cannot affect the final executable
103
103
- Record additional fields such as the license for every component
104
104
105
+
## Security considerations
106
+
107
+
`cargo-cyclonedx` calls into Cargo internally to get information about a Rust project. Like nearly any other build system,
108
+
Cargo [may run arbitrary code](https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-projects-4c31c89a78d6)
109
+
when invoked on an untrusted project, so `cargo-cyclonedx` should not be called on untrusted projects either.
110
+
111
+
Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the `Cargo.lock` file.
112
+
However, the only way to generate the `Cargo.lock` file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.
113
+
105
114
## Contributing
106
115
107
116
See [CONTRIBUTING](../CONTRIBUTING.md) for details.
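Review bot: the new "Security considerations" section tells readers not to run `cargo-cyclonedx` on untrusted projects but gives no guidance for the case it itself calls "currently unavoidable", namely generating an SBOM for a project whose code nobody has reviewed yet; consider closing the section with one sentence recommending that such runs happen in an isolated, disposable environment (a container or throwaway VM with no credentials mounted), so the warning is actionable rather than only a prohibition. Two smaller documentation points in the same hunk: "calls into Cargo internally" is vague for a reader assessing risk, so naming the actual Cargo command the tool invokes would let them check the linked article's argument against it (the article's point, as I read it, is that project-local Cargo configuration can redirect any Cargo command to arbitrary binaries, which is why even metadata-only invocations are not safe); and the last paragraph's reasoning would be clearer if it spelled out that a `Cargo.lock` only exists because someone already ran Cargo, so lock-file-only scanners merely move the trust decision to whoever produced the lock file rather than removing it.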