Surface Rust dependency relationships

[Dungeon1]

What happened:
Syft not created "dependencies" in cyclonedx report for Go, Rust, Java and etc.
Cargo.lock had "dependencies". View like

[[package]]
name = "yaserde"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4bf52af554a50b866aaad63d7eabd6fca298db3dfe49afd50b7ba5a33dfa0582"
dependencies = [
 "log",
 "xml-rs",
 "yaserde_derive",
]

But output syft doesnt reflect this
What you expected to happen:
Want full cyclonedx report with "dependencies" and "depensOn" included

Steps to reproduce the issue:
syft -o [email protected] Cargo.lock > report.json

Anything else we need to know?:

Environment:
Syft 0.94

[tgerla]

Hi @Dungeon1, thanks for the report. I can confirm that the dependencies show up in the syft-json format output, but not the cyclonedx-json or cyclonedx-xml output. I will confirm with the team if this is expected behavior or not and get back to when we are able to look. Thanks again.

[wagoodman]

I'm trying to understand the details. To be clear, this cargo.lock is not sufficient to show all dependencies in the SBOM:

[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
]

But this would:

[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
 "winapi-i686-pc-windows-gnu",
 "winapi-x86_64-pc-windows-gnu",
]

[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"

[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"

Assuming that you have a cargo.lock file that looks like the last example, I think you're really asking why are there not relationships between all of the nodes in your SBOM to show how the nodes are related. If that's true, you're right, we haven't done that work yet. We have another issue to add these for all ecosystems #572 . The nice thing about the rust cataloger is that, for this specific ecosystem, this looks to be low hanging fruit (ready to be implemented around here, correlating the .metadata.dependencies discovered with the names of the packages created)

[Dungeon1]

@wagoodman I ran on Cargo.lock like your example.

[Dungeon1]

Cargo.lock had dependencies, but syft not building dependencies with dependsOn.

[willmurphyscode]

I was also able reproduce this. It looks like syft is detecting the dependencies (because they show up in o json), but isn't writing them down in cyclonedx-json. Moving to the backlog, thanks for the report!