diff --git a/book/src/supplychain-security/index.md b/book/src/supplychain-security/index.md index 52af31e86..d6f1d6c4d 100644 --- a/book/src/supplychain-security/index.md +++ b/book/src/supplychain-security/index.md 
@@ -22,10 +22,21 @@ If you have an integration you are looking for [file an issue](https://github.co ## SBOMs and Dependency Managers -* [cargo-cyclonedx](../reference/config.html#cargo-cyclonedx) -* [cargo-auditable](../reference/config.html#cargo-auditable) +### cargo-cyclonedx +dist can optionally generate a [CycloneDX][CycloneDX]-format Software Bill of Materials (SBOM) for Rust projects using the [cargo-cyclonedx][cargo-cyclonedx] tool. This data is stored as a standalone `bom.xml` file which is distributed alongside your binaries in your tarballs. Users can validate that SBOM file using [any compatible CycloneDX tool](https://cyclonedx.org/tool-center/). For more information about using this feature, see [the config documentation](../reference/config.html#cargo-cyclonedx). + +### cargo-auditable + +[cargo-auditable][cargo-auditable] can optionally be used to embed dependency information into your Rust binaries, making it possible for users to check your binaries for the full dependency tree they were built from along with their precise versions. This information can then be checked later to scan your binary for any known vulnerabilities using the [cargo-audit][cargo-audit] tool. For more information about using this feature, see [the config documentation](../reference/config.html#cargo-auditable). ## Software identification -* [🔜 Omnibor](https://github.com/axodotdev/cargo-dist/issues/969) +dist can optionally generate an [OmniBOR artifact ID][omnibor] for software artifacts using the [omnibor-cli][omnibor-cli] tool. These identifiers are reproducible and unique to a specific version of your software. For more information about using this feature, see [the config documentation](../reference/config.html#omnibor). 
+ +[CycloneDX]: https://cyclonedx.org +[cargo-audit]: https://github.com/rustsec/rustsec/tree/main/cargo-audit#cargo-audit-bin-subcommand +[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable +[cargo-cyclonedx]: https://cyclonedx.org +[omnibor]: https://omnibor.io +[omnibor-cli]: https://github.com/omnibor/omnibor-rs/tree/main/omnibor-cli
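Review bot: the `[cargo-cyclonedx]` reference definition at the end of the hunk resolves to `https://cyclonedx.org`, the same URL as `[CycloneDX]`, so the link in "using the [cargo-cyclonedx][cargo-cyclonedx] tool" sends readers to the specification site rather than to the tool; point it at the cargo-cyclonedx project page (URL to be filled in by the author, since it is not on the page) so that the tool link and the format link are distinct, as the cargo-auditable and omnibor-cli definitions already are. Two smaller points in the same hunk: the cargo-cyclonedx paragraph says users "can validate that SBOM file" but does not say how a reader ties the standalone `bom.xml` to the binaries it ships with (whether the tarball checksum or signature covers it), which is the question a consumer of the SBOM will ask, and the OmniBOR paragraph links to `../reference/config.html#omnibor`, an anchor that should be confirmed to exist in the config reference before merging.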