When cdxgen is run against a cargo/rust project, it contains source files of dependencies. I have 2 questions:
Why are source files included? Why not limit it to the crate level? Source files don't even have a Package URL or other ID.
I tried different options to exclude or filter out source files, using the suggestions ChatGPT offered, but source files keep being included. What's the proper way to exclude source files from the SBOM?
Thanks!
It's good feedback. It was originally added to implement evinse for Rust projects. We stopped it halfway after realizing it is more involved and probably best done in blint with an LLVM frontend. Does the source information affect you, like failed validations etc.?
It does not cause validation failures, but it does blow up the SBOM considerably. Over 70% of the SBOM is source files. We mainly want to use the SBOM for vulnerability management, so the source files don't add any value. They just take up space in our database.
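While the thread leaves the generator-side question open, the file components can be removed from the generated document itself before it is loaded into a vulnerability-management database. The following is an added example, not code from cdxgen or from anyone in this thread. It assumes cdxgen writes CycloneDX JSON with the usual "components" and "dependencies" arrays, that the dependency source files appear as components of type "file" (an assumption) and without a purl (as the reporter notes), and the sample BOM is constructed for illustration, not captured from cdxgen.

```python
"""Strip source-file components from a CycloneDX JSON SBOM.

Added example, not part of cdxgen. Assumptions: the SBOM is CycloneDX
JSON with "components" and an optional "dependencies" array; dependency
source files appear as components of type "file" (assumed) and carry no
"purl" (as stated in the thread).
"""
import json
import sys
from collections import Counter

# Identifiers a vulnerability scanner can match on. A component with none
# of them cannot be correlated to advisories and only costs storage.
MATCHABLE_IDS = ("purl", "cpe", "swid")


def is_source_file(component: dict) -> bool:
    """True for components to drop: explicit "file" components, or any
    component that carries no matchable identifier at all."""
    if component.get("type") == "file":
        return True
    return not any(component.get(key) for key in MATCHABLE_IDS)


def strip_source_files(bom: dict) -> dict:
    """Return a new BOM without source-file components.

    The dependency graph is pruned in step: entries whose "ref" was
    removed are dropped, and removed refs are deleted from every
    "dependsOn" list, so the result has no dangling bom-refs.
    The input dict is not modified.
    """
    components = bom.get("components", [])
    dropped_refs = {
        c["bom-ref"] for c in components if is_source_file(c) and "bom-ref" in c
    }

    out = dict(bom)
    out["components"] = [c for c in components if not is_source_file(c)]

    if "dependencies" in bom:
        pruned = []
        for dep in bom["dependencies"]:
            if dep.get("ref") in dropped_refs:
                continue
            entry = dict(dep)
            if "dependsOn" in dep:
                entry["dependsOn"] = [r for r in dep["dependsOn"] if r not in dropped_refs]
            pruned.append(entry)
        out["dependencies"] = pruned
    return out


def component_types(bom: dict) -> dict:
    """Count components by type, to see how much of a BOM is files."""
    return dict(Counter(c.get("type", "unknown") for c in bom.get("components", [])))


def source_file_share(bom: dict) -> float:
    """Fraction of components that strip_source_files() would drop."""
    components = bom.get("components", [])
    if not components:
        return 0.0
    return sum(is_source_file(c) for c in components) / len(components)


# Constructed sample (not cdxgen output): two cargo crates plus two of
# serde's source files with no purl. The exact shape cdxgen uses for file
# components, and whether it lists them under dependsOn, is an assumption.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "myapp", "bom-ref": "myapp"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:cargo/serde@1.0.197", "name": "serde",
         "version": "1.0.197", "purl": "pkg:cargo/serde@1.0.197"},
        {"type": "library", "bom-ref": "pkg:cargo/serde_derive@1.0.197", "name": "serde_derive",
         "version": "1.0.197", "purl": "pkg:cargo/serde_derive@1.0.197"},
        {"type": "file", "bom-ref": "file:serde-1.0.197/src/lib.rs", "name": "serde-1.0.197/src/lib.rs"},
        {"type": "file", "bom-ref": "file:serde-1.0.197/src/de.rs", "name": "serde-1.0.197/src/de.rs"},
    ],
    "dependencies": [
        {"ref": "myapp", "dependsOn": ["pkg:cargo/serde@1.0.197"]},
        {"ref": "pkg:cargo/serde@1.0.197", "dependsOn": [
            "pkg:cargo/serde_derive@1.0.197",
            "file:serde-1.0.197/src/lib.rs",
            "file:serde-1.0.197/src/de.rs",
        ]},
        {"ref": "file:serde-1.0.197/src/lib.rs", "dependsOn": []},
    ],
}

if __name__ == "__main__":
    # Usage: python strip_files.py bom.json > bom.clean.json
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    print(f"dropping {source_file_share(src):.0%} of components", file=sys.stderr)
    json.dump(strip_source_files(src), sys.stdout, indent=2)
```

The no-identifier rule is deliberately aggressive: it also removes library components that have neither a purl, a CPE nor a SWID tag, which a scanner could not match anyway. If you need those kept for inventory purposes, restrict `is_source_file()` to the `type == "file"` check.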