feat(release): generate SBOMs with real crate dependencies#98
Merged
Build release binaries through cargo-auditable and point syft at content it can actually read, so the published SBOMs enumerate every linked crate instead of just the top-level package.

- builds.agent.tool: cargo-auditable-zigbuild — the wrapper baked into the builder image, which runs `cargo auditable zigbuild ...`. Each binary then carries its dependency tree in a `.dep-v0` ELF section.
- sboms: scan `binary` and `archive` instead of `package`. syft reads the `.dep-v0` section out of the binary (and recurses into the tar.gz to find it). A .deb scan only reads DPKG control metadata and never inspects the nested binary, so it could never list dependencies — verified empirically.
- build/Dockerfile: bump the pinned builder image to 43e2c5b, the image published after #97 added cargo-auditable and the wrapper.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Why

Release SBOMs list only the top-level package — no dependency inventory — making them useless for vulnerability scanning. Follow-up to #97, which added cargo-auditable + a wrapper to the builder image. This PR wires it into the release and fixes what syft scans.

What

- `builds.agent.tool: cargo-auditable-zigbuild` — the wrapper baked into the builder image (feat(builder): add cargo-auditable to the builder image #97). With `command: zigbuild`, goreleaser runs `cargo-auditable-zigbuild zigbuild --target=… --release -p=miru-agent`, i.e. `cargo auditable zigbuild …`. Each binary then embeds its full dependency tree in a `.dep-v0` ELF section.
- `sboms`: scan `binary` + `archive`, not `package`. syft reads the `.dep-v0` section straight out of the binary, and recurses into the tar.gz to find it — both list every linked crate. A `.deb` scan only reads DPKG control metadata and never inspects the nested binary, so it could never enumerate dependencies.
- `build/Dockerfile`: bump the pinned builder image to `43e2c5b` — the image published after feat(builder): add cargo-auditable to the builder image #97 merged (verified to contain `cargo-auditable` and the wrapper).

Why drop the `.deb` SBOM

I tested this empirically in the builder image. syft scanning an auditable binary inside a `.deb` returns only the package record (2 entries, no crates); the same binary scanned directly, or inside a tar.gz, returns the full crate list. So the SBOM source has to be the binary/archive. The published SBOMs now cover the binaries (the exact bits shipped inside both the archives and the `.deb`s) and the archives.

Note

If a downstream consumer specifically needs a `*.deb`-named SBOM file, say so and I'll keep a `package` entry but repoint its syft invocation at the binary instead of dropping it.

Validation

- `goreleaser check` passes against the new pinned image (`43e2c5b`).
- `agent-builder:43e2c5b` image contains `cargo-auditable` and the wrapper.
- `cargo-auditable-zigbuild zigbuild --target=… --release`), produces a binary with a `.dep-v0` section, and syft surfaces the embedded crate (`itoa`) from both the raw binary and a tar.gz of it — but not from a `.deb`.

The first real release tag after this merges will be the live confirmation; the SBOM that previously showed one package should then list the agent's crates.
🤖 Generated with Claude Code
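A consumer-side check of the claim above, added here as an example rather than code from the miru project or from goreleaser/syft: it pulls the `.dep-v0` section out of a little-endian ELF64 binary, decodes cargo-auditable's zlib-compressed JSON payload, and reports any crate the published SBOM omits (a `.deb`-derived SBOM would miss every one of them). `build_fake_elf` and the sample dependency tree are constructed inputs so the script runs offline; the crate versions are made up.

```python
import json
import struct
import zlib

SHDR = "<IIQQQQIIQQ"  # ELF64 section header: name, type, flags, addr, offset, size, link, info, align, entsize


def read_dep_v0(elf: bytes):
    """Return the raw .dep-v0 section of a little-endian ELF64 binary, or None if it has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    (e_shoff,) = struct.unpack_from("<Q", elf, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 58)
    shdr = lambda i: struct.unpack_from(SHDR, elf, e_shoff + i * e_shentsize)
    str_off, str_size = shdr(e_shstrndx)[4:6]  # section-name string table
    strtab = elf[str_off:str_off + str_size]
    for i in range(e_shnum):
        name_off, _, _, _, off, size = shdr(i)[:6]
        if strtab[name_off:strtab.index(b"\0", name_off)] == b".dep-v0":
            return elf[off:off + size]
    return None


def crates_from_dep_v0(blob: bytes) -> list[tuple[str, str]]:
    """The section is zlib-compressed JSON: {"packages": [{"name", "version", "source", ...}, ...]}."""
    return sorted((p["name"], p["version"]) for p in json.loads(zlib.decompress(blob))["packages"])


def missing_from_sbom(elf: bytes, sbom: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Crates linked into the binary that the published SBOM does not list (an empty list is a pass)."""
    blob = read_dep_v0(elf)
    if blob is None:
        raise ValueError("no .dep-v0 section: binary was not built with cargo auditable")
    return [crate for crate in crates_from_dep_v0(blob) if crate not in sbom]


def build_fake_elf(dep_blob: bytes) -> bytes:
    """Constructed test input: a minimal ELF64 holding only a .dep-v0 section and its string table."""
    shstrtab = b"\0.dep-v0\0.shstrtab\0"
    data_off, str_off = 64, 64 + len(dep_blob)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELF64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, str_off + len(shstrtab), 0, 64, 0, 0, 64, 3, 2)
    sh = lambda name, typ, off, size: struct.pack(SHDR, name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return (ehdr + dep_blob + shstrtab + sh(0, 0, 0, 0)
            + sh(1, 1, data_off, len(dep_blob)) + sh(9, 3, str_off, len(shstrtab)))


# Constructed sample: what cargo auditable would embed for a tiny crate that links itoa.
SAMPLE_DEP_V0 = zlib.compress(json.dumps({"packages": [
    {"name": "miru-agent", "version": "0.1.0", "source": "local", "dependencies": [1], "root": True},
    {"name": "itoa", "version": "1.0.11", "source": "crates.io"},
]}).encode())
SAMPLE_ELF = build_fake_elf(SAMPLE_DEP_V0)
```

Point `missing_from_sbom` at a real release binary and the (name, version) pairs parsed from the SBOM artifact beside it; anything it returns is a crate syft did not see.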