Add CI/CD component for generating SBOMs for cargo projects

Problem to solve

A Dependency Scanning CI/CD component for analyzing cargo projects is necessary for basic SBOM generation.

Proposal

Create a CI/CD component that runs the cargo lockfile parser. The component is included by the user and represents the minimum viable change for Dependency Scanning.

Future iterations of the component may support filtering on targets, workspaces, and features, and thus may need to let the user pass a list of arguments that configure parsing further. For now, the configuration parameters will be limited.

Requirements

  • Calls the analyzer as part of the cargo dependency scanning job.
  • Exports the SBOM artifact when the scan completes.
  • Allows users to configure:
    • the analyzer image used
    • SECURE_LOG_LEVEL
    • EXCLUDED_PATHS (potentially)
  • Configurable stage (e.g. test).

Implementation plan

  • Add cargo-dependency-scanning project under gitlab.com/components.
  • Add a component template under the templates directory (in line with the previous work on android-dependency-scanning).
  • Run /analyzer run using gemnasium:5 as the image.
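A sketch of what the component template from the plan above could look like, added here as an illustration and not the project's own template. The variable names follow the issue; the full image path, the SBOM output filename pattern and the rule that only runs the job when a Cargo.lock is present are assumptions.

```yaml
# templates/cargo-dependency-scanning.yml (illustrative; not the project's own file)
spec:
  inputs:
    stage:
      default: test                  # configurable stage (requirement above)
    analyzer_image:
      # assumed full registry path for the "gemnasium:5" image named in the plan
      default: "registry.gitlab.com/security-products/gemnasium:5"
    log_level:
      default: info                  # maps to SECURE_LOG_LEVEL
    excluded_paths:
      default: ""                    # maps to EXCLUDED_PATHS (name as in the issue)
---
cargo-dependency-scanning:
  stage: $[[ inputs.stage ]]
  image: $[[ inputs.analyzer_image ]]
  variables:
    SECURE_LOG_LEVEL: $[[ inputs.log_level ]]
    EXCLUDED_PATHS: $[[ inputs.excluded_paths ]]
  script:
    - /analyzer run
  rules:
    # Assumed check: the analyzer parses Cargo.lock, so skip projects without one.
    - exists:
        - "**/Cargo.lock"
  artifacts:
    reports:
      # assumed output filename pattern for the generated CycloneDX SBOM
      cyclonedx: "**/gl-sbom-*.cdx.json"
    paths:
      - "**/gl-sbom-*.cdx.json"
```

The `cyclonedx` report declaration is what lets the pipeline consume the SBOM as a Dependency Scanning result rather than just a file artifact.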
Edited by Igor Frenkel