Add SBOM generation capability for Cargo in dependency scanning analyzer
Problem to solve
Support for license scanning and dependency scanning in Cargo projects requires generating an SBOM that lists the project's components, its dependency graph, and other project metadata.
Proposal
Create a lockfile parser (Cargo.toml and Cargo.lock) and a CI/CD component that can generate CycloneDX artifacts for ingestion by the monolith backend.
See the related research spike on the decision to implement a lockfile parser and on options for more complex project SBOM generation: #456286 (comment 1931822061)
Implementation plan
- Update the gemnasium analyzer to add a parser for Cargo.
- Scan if Cargo.lock is present.
- Parse Cargo.lock.
- Extract the full list of packages and dependencies.
- Keep target, feature, and workspace mapping internally to allow future filtering.
- Export as an SBOM with GitLab taxonomy.
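The parse-and-export steps above, sketched in Python as an added example (not the analyzer's own code): it reads the [[package]] tables of a constructed Cargo.lock, resolves each dependency entry to exactly one locked package (Cargo.lock may lock several versions of one crate and then writes "name version" rather than the bare name), and shapes the result as a CycloneDX component list plus dependency graph. The function names and the sample lockfile are assumptions.

```python
import re
# Constructed Cargo.lock fragment, not from a real project: two versions of "syn" are locked.
SAMPLE_LOCK = """[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "serde",
 "syn 2.0.48",
]
[[package]]
name = "serde"
version = "1.0.197"
dependencies = ["syn 1.0.109"]
[[package]]
name = "syn"
version = "1.0.109"
[[package]]
name = "syn"
version = "2.0.48"
"""
def parse_cargo_lock(text):
    # One dict per [[package]] table; the dependencies array may be inline or multi-line.
    packages = []
    for chunk in text.split("[[package]]")[1:]:
        pkg = dict(re.findall(r'^(\w+) = "([^"]*)"$', chunk, re.M))
        deps = re.search(r"^dependencies = \[(.*?)\]", chunk, re.M | re.S)
        pkg["dependencies"] = re.findall(r'"([^"]*)"', deps.group(1)) if deps else []
        pkg["purl"] = f"pkg:cargo/{pkg['name']}@{pkg['version']}"  # package URL, used as bom-ref
        packages.append(pkg)
    return packages

def dependency_graph(packages):
    # An entry is "name" alone, or "name version" when several versions are locked; each must match exactly one package.
    graph = {}
    for p in packages:
        graph[p["purl"]] = []
        for dep in p["dependencies"]:
            name, *ver = dep.split()
            hits = [q for q in packages if q["name"] == name and (not ver or q["version"] == ver[0])]
            if len(hits) != 1:
                raise ValueError(f"cannot resolve {dep!r} required by {p['name']}")
            graph[p["purl"]].append(hits[0]["purl"])
    return graph

def cyclonedx_bom(text):
    # CycloneDX shape: one component per locked package plus the resolved dependency graph.
    packages = parse_cargo_lock(text)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": [{"type": "library", "name": p["name"], "version": p["version"], "purl": p["purl"]} for p in packages],
            "dependencies": [{"ref": ref, "dependsOn": deps} for ref, deps in dependency_graph(packages).items()]}
```

A bare crate name that matches more than one locked version is rejected rather than guessed, since an SBOM edge pointing at the wrong version would misreport which vulnerable package the project actually pulls in.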
Verification steps
- Create an integration test for a generated Cargo.lock.
- Create a project under tests which can be used to check Secure > Dependency List.
Edited by Igor Frenkel