gitoid 0.3.0

An experimental implementation of gitoids in Rust

omnibor-rs

This project is a work in progress and is not ready for any use beyond experimental.

OmniBOR is a draft standard for creating (and optionally embedding in a binary) a record of cryptographic hashes for all build inputs for a software artifact. It is intended to serve as a complement to Software Bills of Material (SBOMs) like SPDX or CycloneDX, by saying not just what dependencies a project has, but what exact inputs went into an artifact's production.

This repository contains two Rust crates:

  • omnibor: an implementation of the OmniBOR specification.
  • gitoid: an implementation of Git Object Identifiers (GitOids), the mechanism OmniBOR uses for hashing inputs.

Using from Other Languages

The gitoid crate exposes a Foreign Function Interface (FFI), and can be used as the basis for implementing GitOID generation and matching in other languages.

This interface uses cbindgen to generate the header file, and the gitoid crate is configured to generate a library file suitable for linking from other languages.

An example of how to build and link with gitoid from other languages is given in gitoid/Makefile.
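
For anyone implementing GitOID generation and matching in another language, the following Python code is an added example (not code from the gitoid crate, and it does not use the FFI) that computes gitoids as Git blob hashes and checks build inputs against recorded values, which is also a way to cross-check a binding's output. The gitoid:blob:<algorithm>:<hex> form and the "blob <length>\0" header come from the OmniBOR and Git specifications rather than this page; check_inputs and its name-to-gitoid mapping are hypothetical.

```python
import hashlib

ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def gitoid_blob(data: bytes, algorithm: str = "sha256") -> str:
    """Return the gitoid URI for data hashed as a Git blob object."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    hasher = ALGORITHMS[algorithm]()
    # Git hashes the header "blob <decimal length>\0" before the raw bytes,
    # so the result differs from a plain digest of the content.
    hasher.update(b"blob %d\x00" % len(data))
    hasher.update(data)
    return f"gitoid:blob:{algorithm}:{hasher.hexdigest()}"


def check_inputs(recorded, inputs):
    """Map each input name to match, mismatch, unrecorded or missing.

    recorded (name -> gitoid URI) is a hypothetical layout, not OmniBOR's manifest format.
    """
    status = {}
    for name, data in inputs.items():
        expected = recorded.get(name)
        if expected is None:
            status[name] = "unrecorded"  # input present but never recorded
            continue
        algorithm = expected.split(":")[2] if expected.count(":") == 3 else ""
        try:
            actual = gitoid_blob(data, algorithm)  # algorithm named by the record
        except ValueError:
            actual = None  # malformed or unsupported record never matches
        status[name] = "match" if actual == expected else "mismatch"
    for name in recorded.keys() - inputs.keys():
        status[name] = "missing"  # recorded input absent from this build
    return status


# Constructed sample: one unchanged input, one modified, one absent, one extra.
RECORDED = {
    "main.c": gitoid_blob(b"int main(void) { return 0; }\n"),
    "util.c": gitoid_blob(b"int add(int a, int b) { return a + b; }\n", "sha1"),
    "gone.h": gitoid_blob(b"#pragma once\n"),
}
INPUTS = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.c": b"int add(int a, int b) { return a - b; }\n",
    "extra.c": b"",
}
```

The SHA-1 form of a gitoid carries the same hex digest that git hash-object prints for the file, which gives a second independent check.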

Contributing

We're happy to accept contributions!

For bug fixes and minor changes to the implementation, feel free to open an issue in the issue tracker explaining what you'd like to fix, and then open a Pull Request with the change.

For larger design changes, you may also want to discuss the changes either in the issue tracker or on the #omnibor channel on the Open Source Security Foundation (OpenSSF) Slack workspace.

License

The omnibor and gitoid crates are both Apache 2.0 licensed. You can read the full license text in the LICENSE file.