syft VS cargo-update

Syft is a popular open source CLI tool created by Anchore for generating an SBOM from container images and filesystems. It’s designed to provide a catalog of dependencies for other tools to use as a data source. It supports many popular programming languages, package managers, and container image formats.

Inside of the SBOMs, we can detect a lot: https://github.com/anchore/syft#supported-ecosystems

You're right that the active/dormant detection needs to be customized per type of runtime. We cover rpm/deb, python and java with the node and others coming very soon. The compiled languages will be our main focus next. For example, Go binaries embed some dependency metadata in the binary itself.

Also related to this effort is the "in-toto" integrity chain: https://in-toto.io/in-toto/ Since we're already connecting build to run, we aim to complete the chain.

Installing syft is pretty straight forward. On any Linux/Mac environment you can run the following command to install

The data format is supported by cargo audit, Syft and Trivy. Reading it from your own tools is also very easy.

A Software-Bill-of-Materials (SBOM) lists all the software components included in an image. Buildpacks support SBOMs in CycloneDX, Syft and SPDX formats.

I think you can already do that using Syft.

I'll continue relying on Anitya for the feed and syft/grype to build my SBOM and track vulnerabilities.

Today corporations, open source projects, nonprofit foundations, and even governments are all trying to figure out how to improve the global software supply chain security. While these efforts are more than welcome, for the moment, there is hardly any straightforward way for organizations to improve on that front.

Syft is a popular open source tool that generates SBOMs for software applications and also containers. You can execute it manually and include the generated artifacts into your release, but you can also automate the process using a GitHub Action that will be triggered whenever you have a new release on your repository.

Personally, I like cargo-update

Speaking of cargo remove, see also cargo-edit [0] from which adding and removing originally came, as well as cargo-binstall [1] which installs binaries rather than compiling from source every time. The binaries are updatable with cargo-update [2].

The latter two can replace a package manager for Rust related utilities, as I often find that those in OS package repositories are often not as up to date as directly from cargo.

[0] https://github.com/killercup/cargo-edit

[1] https://github.com/cargo-bins/cargo-binstall

[2] https://github.com/nabijaczleweli/cargo-update

Would be nice if this worked with cargo-update somehow.

There is cargo install-update plugin: https://github.com/nabijaczleweli/cargo-update

I didn't find any command or package to update those packages, and given that npm has npm -g update and cargo has cargo install-update, I decided to create go-global-update for go.

rust-analyzer isn't a rust component (like rust-src, etc. which will update with rustup update), nor a cargo binary (where you could use cargo install-update - https://github.com/nabijaczleweli/cargo-update ).

I initially was interested in Rust because of performance + speed + safety, but now I have to say that cargo is a big selling point for me.

I always used to be scared of compiling software myself because I never seemed to be able to get it to work without endless headaches. Now, I generally find it easy to compile Rust programs if they aren't in my package manager, and with cargo install-update https://github.com/nabijaczleweli/cargo-update I find it easy to keep the software up to date. I have higher confidence that I can get hobbyist Rust software working, and the more Rust software I use, the more familiar I am with the ecosystem and the more comfortable I am.

If this was written in some obscure language I wasn't familiar with, I'd be less confident I would be able to run it at all, let alone keep it updated, and I may not bother even trying to install it.

So while it may take a while for some, it's already absolutely fine for me to compile my projects in a few seconds or a minute. I install all my related tooling via cargo install and update it via cargo install-update -a ( https://github.com/nabijaczleweli/cargo-update ) so I frequently/daily build different Rust projects and I'm quite ok with the compilation times.