README.md: 9 additions & 0 deletions
@@ -41,6 +41,15 @@ cargo install cargo-cyclonedx
 cargo cyclonedx
 ```
 
+## Security considerations
+
+`cargo-cyclonedx` calls into Cargo internally to get information about a Rust project. Like nearly any other build system,
+Cargo [may run arbitrary code](https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-projects-4c31c89a78d6)
+when invoked on an untrusted project, so `cargo-cyclonedx` should not be called on untrusted projects either.
+
+Some of the other tools for generating CycloneDX SBOMs do not invoke Cargo and only parse the `Cargo.lock` file.
+However, the only way to generate the `Cargo.lock` file for them to scan is to invoke Cargo, so this issue is currently unavoidable for any tool that describes a Cargo project.
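Review bot: the closing sentence of the second paragraph (diff lines 50-51) overstates the conclusion: a tool that only parses `Cargo.lock` needs Cargo to run only when the project does not already ship a lock file, so for projects with a committed `Cargo.lock` such tools do avoid executing project code on the scanning host. Consider scoping the sentence to "unavoidable for any tool that has to generate `Cargo.lock` itself" rather than "any tool that describes a Cargo project". Separately, the first paragraph (diff lines 46-48) tells the reader not to run `cargo-cyclonedx` on untrusted projects but offers no path forward; one sentence recommending that untrusted projects be processed only inside an isolated, throwaway environment (a container or VM holding no credentials) would make the guidance actionable.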