From 69453aad3c0633e345cfad76c93e938caf2c7dfb Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 26 Feb 2024 11:24:55 +0100
Subject: [PATCH 01/22] Explore location to generate SBOM precursor files

Similar to the generation of `depinfo` files, a function is called to
generated SBOM precursor file named `output_sbom`. It takes the
`BuildRunner` & the current `Unit`. The `sbom` flag can be specified as
a cargo build option, but it's currently not configured fully. To
test the generation the flag is set to `true`.

* use SBOM types to serialize data
---
 src/cargo/core/compiler/build_config.rs     |   8 ++
 src/cargo/core/compiler/build_runner/mod.rs |   4 +
 src/cargo/core/compiler/mod.rs              |   2 +
 src/cargo/core/compiler/output_sbom.rs      | 100 ++++++++++++++++++++
 src/cargo/util/context/mod.rs               |   1 +
 5 files changed, 115 insertions(+)
 create mode 100644 src/cargo/core/compiler/output_sbom.rs

diff --git a/src/cargo/core/compiler/build_config.rs b/src/cargo/core/compiler/build_config.rs
index 0f66d6dbbc6..a397d2a924f 100644
--- a/src/cargo/core/compiler/build_config.rs
+++ b/src/cargo/core/compiler/build_config.rs
@@ -46,6 +46,8 @@ pub struct BuildConfig {
     pub future_incompat_report: bool,
     /// Which kinds of build timings to output (empty if none).
     pub timing_outputs: Vec<TimingOutput>,
+    /// Output SBOM precursor files.
+    pub sbom: bool,
 }
 
 fn default_parallelism() -> CargoResult<u32> {
@@ -102,6 +104,11 @@ impl BuildConfig {
             anyhow::bail!("-Zbuild-std requires --target");
         }
 
+        let sbom = match gctx.get_env_os("CARGO_BUILD_SBOM") {
+            Some(sbom) => sbom == "true",
+            None => cfg.sbom == Some(true),
+        };
+
         Ok(BuildConfig {
             requested_kinds,
             jobs,
@@ -117,6 +124,7 @@ impl BuildConfig {
             export_dir: None,
             future_incompat_report: false,
             timing_outputs: Vec::new(),
+            sbom,
         })
     }
 
diff --git a/src/cargo/core/compiler/build_runner/mod.rs b/src/cargo/core/compiler/build_runner/mod.rs
index f9e3cf64c3d..cc50789dce3 100644
--- a/src/cargo/core/compiler/build_runner/mod.rs
+++ b/src/cargo/core/compiler/build_runner/mod.rs
@@ -291,6 +291,10 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
             }
 
             super::output_depinfo(&mut self, unit)?;
+
+            if self.bcx.build_config.sbom {
+                super::output_sbom(&mut self, unit)?;
+            }
         }
 
         for (script_meta, output) in self.build_script_outputs.lock().unwrap().iter() {
diff --git a/src/cargo/core/compiler/mod.rs b/src/cargo/core/compiler/mod.rs
index fe07c59945d..1372e97c839 100644
--- a/src/cargo/core/compiler/mod.rs
+++ b/src/cargo/core/compiler/mod.rs
@@ -47,6 +47,7 @@ pub(crate) mod layout;
 mod links;
 mod lto;
 mod output_depinfo;
+mod output_sbom;
 pub mod rustdoc;
 pub mod standard_lib;
 mod timings;
@@ -84,6 +85,7 @@ use self::job_queue::{Job, JobQueue, JobState, Work};
 pub(crate) use self::layout::Layout;
 pub use self::lto::Lto;
 use self::output_depinfo::output_depinfo;
+use self::output_sbom::output_sbom;
 use self::unit_graph::UnitDep;
 use crate::core::compiler::future_incompat::FutureIncompatReport;
 pub use crate::core::compiler::unit::{Unit, UnitInterner};
diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
new file mode 100644
index 00000000000..7210723bfa9
--- /dev/null
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -0,0 +1,100 @@
+//! cargo-sbom precursor files for external tools to create SBOM files from.
+//! See [`output_sbom`] for more.
+
+use std::io::{BufWriter, Write};
+
+use cargo_util::paths::{self};
+use cargo_util_schemas::core::PackageIdSpec;
+use serde::Serialize;
+
+use crate::core::{Target, TargetKind};
+use crate::{core::compiler::FileFlavor, CargoResult};
+
+use super::{BuildRunner, CrateType, Unit};
+
+/// Typed version of a SBOM format version number.
+pub struct SbomFormatVersion<const V: u32>;
+
+impl<const V: u32> Serialize for SbomFormatVersion<V> {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        serializer.serialize_u32(V)
+    }
+}
+
+#[derive(Serialize)]
+struct SbomTarget {
+    kind: TargetKind,
+    crate_type: Option<CrateType>,
+    name: String,
+    edition: String,
+}
+
+impl From<&Target> for SbomTarget {
+    fn from(target: &Target) -> Self {
+        SbomTarget {
+            kind: target.kind().clone(),
+            crate_type: target.kind().rustc_crate_types().first().cloned(),
+            name: target.name().to_string(),
+            edition: target.edition().to_string(),
+        }
+    }
+}
+
+#[derive(Serialize)]
+struct Sbom {
+    format_version: SbomFormatVersion<1>,
+    package_id: PackageIdSpec,
+    name: String,
+    version: String,
+    target: SbomTarget,
+    dependencies: Vec<String>,
+    features: Vec<String>,
+}
+
+impl Sbom {
+    pub fn new(unit: &Unit) -> Self {
+        let package_id = unit.pkg.summary().package_id().to_spec();
+        let name = unit.pkg.name().to_string();
+        let version = unit.pkg.version().to_string();
+        let features = unit.features.iter().map(|f| f.to_string()).collect();
+        let target: SbomTarget = (&unit.target).into();
+
+        Self {
+            format_version: SbomFormatVersion,
+            package_id,
+            name,
+            version,
+            target,
+            dependencies: Vec::new(),
+            features,
+        }
+    }
+}
+
+/// Saves a `<artifact>.cargo-sbom.json` file for the given [`Unit`].
+///
+pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<()> {
+    let _bcx = build_runner.bcx;
+
+    // TODO collect build & unit data, then transform into JSON output
+    for output in build_runner
+        .outputs(unit)?
+        .iter()
+        .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable))
+    {
+        if let Some(ref link_dst) = output.hardlink {
+            let output_path = link_dst.with_extension("cargo-sbom.json");
+
+            let sbom = Sbom::new(unit);
+
+            let mut outfile = BufWriter::new(paths::create(output_path)?);
+            let output = serde_json::to_string_pretty(&sbom)?;
+            write!(outfile, "{}", output)?;
+        }
+    }
+
+    Ok(())
+}
diff --git a/src/cargo/util/context/mod.rs b/src/cargo/util/context/mod.rs
index a8fee94d5e4..23084d086ef 100644
--- a/src/cargo/util/context/mod.rs
+++ b/src/cargo/util/context/mod.rs
@@ -2615,6 +2615,7 @@ pub struct CargoBuildConfig {
     // deprecated alias for artifact-dir
     pub out_dir: Option<ConfigRelativePath>,
     pub artifact_dir: Option<ConfigRelativePath>,
+    pub sbom: Option<bool>,
 }
 
 /// Configuration for `build.target`.

From 6253b310e2cf49e94b0742e35077efbac155c7d7 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 26 Feb 2024 12:31:39 +0100
Subject: [PATCH 02/22] Output source, profile & dependencies

---
 src/cargo/core/compiler/output_sbom.rs | 74 +++++++++++++++++++++++---
 1 file changed, 66 insertions(+), 8 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 7210723bfa9..1f3c9278a87 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -2,15 +2,19 @@
 //! See [`output_sbom`] for more.
 
 use std::io::{BufWriter, Write};
+use std::path::PathBuf;
 
 use cargo_util::paths::{self};
 use cargo_util_schemas::core::PackageIdSpec;
+use itertools::Itertools;
 use serde::Serialize;
 
+use crate::core::profiles::Profile;
 use crate::core::{Target, TargetKind};
+use crate::util::Rustc;
 use crate::{core::compiler::FileFlavor, CargoResult};
 
-use super::{BuildRunner, CrateType, Unit};
+use super::{unit_graph::UnitDep, BuildRunner, CrateType, Unit};
 
 /// Typed version of a SBOM format version number.
 pub struct SbomFormatVersion<const V: u32>;
@@ -24,6 +28,30 @@ impl<const V: u32> Serialize for SbomFormatVersion<V> {
     }
 }
 
+#[derive(Serialize, Clone, Debug)]
+struct SbomDependency {
+    package_id: PackageIdSpec,
+    features: Vec<String>,
+    extern_crate_name: String,
+}
+
+impl From<&UnitDep> for SbomDependency {
+    fn from(dep: &UnitDep) -> Self {
+        let features = dep
+            .unit
+            .features
+            .iter()
+            .map(|dep| dep.to_string())
+            .collect_vec();
+
+        Self {
+            package_id: dep.unit.pkg.package_id().to_spec(),
+            features,
+            extern_crate_name: dep.extern_crate_name.to_string(),
+        }
+    }
+}
+
 #[derive(Serialize)]
 struct SbomTarget {
     kind: TargetKind,
@@ -43,33 +71,60 @@ impl From<&Target> for SbomTarget {
     }
 }
 
+#[derive(Serialize)]
+struct SbomRustc {
+    version: String,
+    wrapper: Option<PathBuf>,
+    commit_hash: Option<String>,
+    host: String,
+}
+
+impl From<&Rustc> for SbomRustc {
+    fn from(rustc: &Rustc) -> Self {
+        Self {
+            version: rustc.version.to_string(),
+            wrapper: rustc.wrapper.clone(),
+            commit_hash: rustc.commit_hash.clone(),
+            host: rustc.host.to_string(),
+        }
+    }
+}
+
 #[derive(Serialize)]
 struct Sbom {
     format_version: SbomFormatVersion<1>,
     package_id: PackageIdSpec,
     name: String,
     version: String,
+    source: String,
     target: SbomTarget,
-    dependencies: Vec<String>,
+    profile: Profile,
+    dependencies: Vec<SbomDependency>,
     features: Vec<String>,
+    rustc: SbomRustc,
 }
 
 impl Sbom {
-    pub fn new(unit: &Unit) -> Self {
+    pub fn new(unit: &Unit, dependencies: Vec<SbomDependency>, rustc: SbomRustc) -> Self {
         let package_id = unit.pkg.summary().package_id().to_spec();
         let name = unit.pkg.name().to_string();
         let version = unit.pkg.version().to_string();
+        let source = unit.pkg.package_id().source_id().to_string();
+        let target = (&unit.target).into();
+        let profile = unit.profile.clone();
         let features = unit.features.iter().map(|f| f.to_string()).collect();
-        let target: SbomTarget = (&unit.target).into();
 
         Self {
             format_version: SbomFormatVersion,
             package_id,
             name,
             version,
+            source,
             target,
-            dependencies: Vec::new(),
+            profile,
+            dependencies,
             features,
+            rustc,
         }
     }
 }
@@ -77,7 +132,9 @@ impl Sbom {
 /// Saves a `<artifact>.cargo-sbom.json` file for the given [`Unit`].
 ///
 pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<()> {
-    let _bcx = build_runner.bcx;
+    let bcx = build_runner.bcx;
+    let unit_deps = build_runner.unit_deps(unit);
+    let dependencies = unit_deps.iter().map(|dep| dep.into()).collect_vec();
 
     // TODO collect build & unit data, then transform into JSON output
     for output in build_runner
@@ -88,9 +145,10 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
         if let Some(ref link_dst) = output.hardlink {
             let output_path = link_dst.with_extension("cargo-sbom.json");
 
-            let sbom = Sbom::new(unit);
+            let rustc = bcx.rustc().into();
+            let sbom = Sbom::new(unit, dependencies.clone(), rustc);
 
-            let mut outfile = BufWriter::new(paths::create(output_path)?);
+            let mut outfile = BufWriter::new(paths::create(output_path.clone())?);
             let output = serde_json::to_string_pretty(&sbom)?;
             write!(outfile, "{}", output)?;
         }

From 23f087e01d0b22e65899811f6a11cbf25e388f47 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 26 Feb 2024 16:29:19 +0100
Subject: [PATCH 03/22] Trying to fetch all dependencies

This ignores dependencies for custom build scripts. The output should be
similar to what `cargo tree` reports.
---
 src/cargo/core/compiler/output_sbom.rs | 38 ++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 1f3c9278a87..829e5eeb963 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -1,6 +1,7 @@
 //! cargo-sbom precursor files for external tools to create SBOM files from.
 //! See [`output_sbom`] for more.
 
+use std::collections::BTreeSet;
 use std::io::{BufWriter, Write};
 use std::path::PathBuf;
 
@@ -31,6 +32,8 @@ impl<const V: u32> Serialize for SbomFormatVersion<V> {
 #[derive(Serialize, Clone, Debug)]
 struct SbomDependency {
     package_id: PackageIdSpec,
+    package: String,
+    version: String,
     features: Vec<String>,
     extern_crate_name: String,
 }
@@ -46,6 +49,8 @@ impl From<&UnitDep> for SbomDependency {
 
         Self {
             package_id: dep.unit.pkg.package_id().to_spec(),
+            package: dep.unit.pkg.package_id().name().to_string(),
+            version: dep.unit.pkg.package_id().version().to_string(),
             features,
             extern_crate_name: dep.extern_crate_name.to_string(),
         }
@@ -133,8 +138,8 @@ impl Sbom {
 ///
 pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<()> {
     let bcx = build_runner.bcx;
-    let unit_deps = build_runner.unit_deps(unit);
-    let dependencies = unit_deps.iter().map(|dep| dep.into()).collect_vec();
+
+    let dependencies = fetch_dependencies(build_runner, unit);
 
     // TODO collect build & unit data, then transform into JSON output
     for output in build_runner
@@ -156,3 +161,32 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
 
     Ok(())
 }
+
+/// Fetch all dependencies, including transitive ones. A dependency can also appear multiple times
+/// if it's included with different versions.
+fn fetch_dependencies(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<SbomDependency> {
+    let unit_graph = &build_runner.bcx.unit_graph;
+    let root_deps = build_runner.unit_deps(unit);
+
+    let mut result = Vec::new();
+    let mut queue: BTreeSet<&UnitDep> = root_deps.iter().collect();
+    let mut visited: BTreeSet<&UnitDep> = BTreeSet::new();
+
+    while let Some(dependency) = queue.pop_first() {
+        // ignore any custom build scripts.
+        if dependency.unit.mode.is_run_custom_build() {
+            continue;
+        }
+        if visited.contains(dependency) {
+            continue;
+        }
+
+        result.push(dependency);
+        visited.insert(dependency);
+
+        let mut dependencies: BTreeSet<&UnitDep> = unit_graph[&dependency.unit].iter().collect();
+        queue.append(&mut dependencies);
+    }
+
+    result.into_iter().map(|d| d.into()).collect_vec()
+}

From 2b11115e37b1643f331dfd3135a3d7a2e270db8b Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Tue, 27 Feb 2024 11:53:37 +0100
Subject: [PATCH 04/22] Output package dependencies

This is similar to what the `cargo metadata` command outputs.
---
 src/cargo/core/compiler/output_sbom.rs | 86 +++++++++++++++++++-------
 1 file changed, 62 insertions(+), 24 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 829e5eeb963..38b63038b21 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -10,7 +10,7 @@ use cargo_util_schemas::core::PackageIdSpec;
 use itertools::Itertools;
 use serde::Serialize;
 
-use crate::core::profiles::Profile;
+use crate::core::{profiles::Profile, PackageId};
 use crate::core::{Target, TargetKind};
 use crate::util::Rustc;
 use crate::{core::compiler::FileFlavor, CargoResult};
@@ -29,30 +29,65 @@ impl<const V: u32> Serialize for SbomFormatVersion<V> {
     }
 }
 
+/// A package dependency
 #[derive(Serialize, Clone, Debug)]
 struct SbomDependency {
-    package_id: PackageIdSpec,
-    package: String,
+    name: String,
+    package_id: PackageId,
     version: String,
     features: Vec<String>,
-    extern_crate_name: String,
 }
 
 impl From<&UnitDep> for SbomDependency {
     fn from(dep: &UnitDep) -> Self {
+        let package_id = dep.unit.pkg.package_id();
+        let name = package_id.name().to_string();
+        let version = package_id.version().to_string();
         let features = dep
             .unit
             .features
             .iter()
-            .map(|dep| dep.to_string())
+            .map(|f| f.to_string())
             .collect_vec();
 
         Self {
-            package_id: dep.unit.pkg.package_id().to_spec(),
-            package: dep.unit.pkg.package_id().name().to_string(),
-            version: dep.unit.pkg.package_id().version().to_string(),
+            name,
+            package_id,
+            version,
+            features,
+        }
+    }
+}
+
+#[derive(Serialize, Clone, Debug)]
+struct SbomPackage {
+    package_id: PackageId,
+    package: String,
+    version: String,
+    features: Vec<String>,
+    extern_crate_name: String,
+    dependencies: Vec<SbomDependency>,
+}
+
+impl SbomPackage {
+    pub fn new(dep: &UnitDep, dependencies: Vec<SbomDependency>) -> Self {
+        let package_id = dep.unit.pkg.package_id();
+        let package = package_id.name().to_string();
+        let version = package_id.version().to_string();
+        let features = dep
+            .unit
+            .features
+            .iter()
+            .map(|f| f.to_string())
+            .collect_vec();
+
+        Self {
+            package_id,
+            package,
+            version,
             features,
             extern_crate_name: dep.extern_crate_name.to_string(),
+            dependencies,
         }
     }
 }
@@ -76,7 +111,7 @@ impl From<&Target> for SbomTarget {
     }
 }
 
-#[derive(Serialize)]
+#[derive(Serialize, Clone)]
 struct SbomRustc {
     version: String,
     wrapper: Option<PathBuf>,
@@ -104,13 +139,13 @@ struct Sbom {
     source: String,
     target: SbomTarget,
     profile: Profile,
-    dependencies: Vec<SbomDependency>,
+    packages: Vec<SbomPackage>,
     features: Vec<String>,
     rustc: SbomRustc,
 }
 
 impl Sbom {
-    pub fn new(unit: &Unit, dependencies: Vec<SbomDependency>, rustc: SbomRustc) -> Self {
+    pub fn new(unit: &Unit, packages: Vec<SbomPackage>, rustc: SbomRustc) -> Self {
         let package_id = unit.pkg.summary().package_id().to_spec();
         let name = unit.pkg.name().to_string();
         let version = unit.pkg.version().to_string();
@@ -127,7 +162,7 @@ impl Sbom {
             source,
             target,
             profile,
-            dependencies,
+            packages,
             features,
             rustc,
         }
@@ -138,8 +173,9 @@ impl Sbom {
 ///
 pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<()> {
     let bcx = build_runner.bcx;
+    let rustc: SbomRustc = bcx.rustc().into();
 
-    let dependencies = fetch_dependencies(build_runner, unit);
+    let packages = fetch_packages(build_runner, unit);
 
     // TODO collect build & unit data, then transform into JSON output
     for output in build_runner
@@ -150,8 +186,7 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
         if let Some(ref link_dst) = output.hardlink {
             let output_path = link_dst.with_extension("cargo-sbom.json");
 
-            let rustc = bcx.rustc().into();
-            let sbom = Sbom::new(unit, dependencies.clone(), rustc);
+            let sbom = Sbom::new(unit, packages.clone(), rustc.clone());
 
             let mut outfile = BufWriter::new(paths::create(output_path.clone())?);
             let output = serde_json::to_string_pretty(&sbom)?;
@@ -164,29 +199,32 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
 
 /// Fetch all dependencies, including transitive ones. A dependency can also appear multiple times
 /// if it's included with different versions.
-fn fetch_dependencies(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<SbomDependency> {
+fn fetch_packages(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<SbomPackage> {
     let unit_graph = &build_runner.bcx.unit_graph;
     let root_deps = build_runner.unit_deps(unit);
 
     let mut result = Vec::new();
     let mut queue: BTreeSet<&UnitDep> = root_deps.iter().collect();
-    let mut visited: BTreeSet<&UnitDep> = BTreeSet::new();
+    let mut visited = BTreeSet::new();
 
-    while let Some(dependency) = queue.pop_first() {
+    while let Some(package) = queue.pop_first() {
         // ignore any custom build scripts.
-        if dependency.unit.mode.is_run_custom_build() {
+        if package.unit.mode.is_run_custom_build() {
             continue;
         }
-        if visited.contains(dependency) {
+        if visited.contains(package) {
             continue;
         }
 
-        result.push(dependency);
-        visited.insert(dependency);
+        let mut dependencies: BTreeSet<&UnitDep> = unit_graph[&package.unit].iter().collect();
+        let sbom_dependencies = dependencies.iter().map(|dep| (*dep).into()).collect_vec();
+
+        result.push(SbomPackage::new(package, sbom_dependencies));
+
+        visited.insert(package);
 
-        let mut dependencies: BTreeSet<&UnitDep> = unit_graph[&dependency.unit].iter().collect();
         queue.append(&mut dependencies);
     }
 
-    result.into_iter().map(|d| d.into()).collect_vec()
+    result
 }

From d73c881e300303bbe35591e028a97b70a3ee0517 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Tue, 27 Feb 2024 16:40:59 +0100
Subject: [PATCH 05/22] Extract logic to fetch sbom output files

This extracts the logic to get the list of SBOM output file paths into
its own function in `BuildRunner` for a given Unit.
---
 src/cargo/core/compiler/build_runner/mod.rs | 15 +++++++++++++++
 src/cargo/core/compiler/mod.rs              |  6 ++++++
 src/cargo/core/compiler/output_sbom.rs      | 21 ++++++---------------
 3 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/src/cargo/core/compiler/build_runner/mod.rs b/src/cargo/core/compiler/build_runner/mod.rs
index cc50789dce3..8b5a8e4f7c2 100644
--- a/src/cargo/core/compiler/build_runner/mod.rs
+++ b/src/cargo/core/compiler/build_runner/mod.rs
@@ -423,6 +423,21 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
         self.files().metadata(unit)
     }
 
+    /// Returns the list of SBOM output file paths for a given [`Unit`].
+    ///
+    /// Only call this function when `sbom` is active.
+    pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> {
+        assert!(self.bcx.build_config.sbom);
+        let files = self
+            .outputs(unit)?
+            .iter()
+            .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable))
+            .filter_map(|output_file| output_file.hardlink.as_ref())
+            .map(|link_dst| link_dst.with_extension("cargo-sbom.json"))
+            .collect::<Vec<_>>();
+        Ok(files)
+    }
+
     pub fn is_primary_package(&self, unit: &Unit) -> bool {
         self.primary_packages.contains(&unit.pkg.package_id())
     }
diff --git a/src/cargo/core/compiler/mod.rs b/src/cargo/core/compiler/mod.rs
index 1372e97c839..00e2be1696e 100644
--- a/src/cargo/core/compiler/mod.rs
+++ b/src/cargo/core/compiler/mod.rs
@@ -676,6 +676,7 @@ where
 fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<ProcessBuilder> {
     let is_primary = build_runner.is_primary_package(unit);
     let is_workspace = build_runner.bcx.ws.is_member(&unit.pkg);
+    let sbom = build_runner.bcx.build_config.sbom;
 
     let mut base = build_runner
         .compilation
@@ -692,6 +693,11 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
 
     if is_primary {
         base.env("CARGO_PRIMARY_PACKAGE", "1");
+
+        if sbom {
+            let file_list = std::env::join_paths(build_runner.sbom_output_files(unit)?)?;
+            base.env("CARGO_SBOM_PATH", file_list);
+        }
     }
 
     if unit.target.is_test() || unit.target.is_bench() {
diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 38b63038b21..d0e5d477549 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -13,7 +13,7 @@ use serde::Serialize;
 use crate::core::{profiles::Profile, PackageId};
 use crate::core::{Target, TargetKind};
 use crate::util::Rustc;
-use crate::{core::compiler::FileFlavor, CargoResult};
+use crate::CargoResult;
 
 use super::{unit_graph::UnitDep, BuildRunner, CrateType, Unit};
 
@@ -177,21 +177,12 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
 
     let packages = fetch_packages(build_runner, unit);
 
-    // TODO collect build & unit data, then transform into JSON output
-    for output in build_runner
-        .outputs(unit)?
-        .iter()
-        .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable))
-    {
-        if let Some(ref link_dst) = output.hardlink {
-            let output_path = link_dst.with_extension("cargo-sbom.json");
-
-            let sbom = Sbom::new(unit, packages.clone(), rustc.clone());
+    for sbom_output_file in build_runner.sbom_output_files(unit)? {
+        let sbom = Sbom::new(unit, packages.clone(), rustc.clone());
 
-            let mut outfile = BufWriter::new(paths::create(output_path.clone())?);
-            let output = serde_json::to_string_pretty(&sbom)?;
-            write!(outfile, "{}", output)?;
-        }
+        let mut outfile = BufWriter::new(paths::create(sbom_output_file)?);
+        let output = serde_json::to_string(&sbom)?;
+        write!(outfile, "{}", output)?;
     }
 
     Ok(())

From 4f5d0d548735d49f9dc9abe6ae2e4014b3bf4e68 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Tue, 27 Feb 2024 17:36:59 +0100
Subject: [PATCH 06/22] Add test file to check sbom output

* add test to check project with bin & lib
* extract sbom config into helper function
---
 tests/testsuite/main.rs |  1 +
 tests/testsuite/sbom.rs | 75 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 tests/testsuite/sbom.rs

diff --git a/tests/testsuite/main.rs b/tests/testsuite/main.rs
index 271d333e2ef..515fd2ef160 100644
--- a/tests/testsuite/main.rs
+++ b/tests/testsuite/main.rs
@@ -162,6 +162,7 @@ mod rustdoc_extern_html;
 mod rustdocflags;
 mod rustflags;
 mod rustup;
+mod sbom;
 mod script;
 mod search;
 mod shell_quoting;
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
new file mode 100644
index 00000000000..117ada595ad
--- /dev/null
+++ b/tests/testsuite/sbom.rs
@@ -0,0 +1,75 @@
+//! Tests for cargo-sbom precursor files.
+
+use cargo_test_support::{basic_bin_manifest, cargo_test, project, ProjectBuilder};
+
+fn configured_project() -> ProjectBuilder {
+    project().file(
+        ".cargo/config.toml",
+        r#"
+            [build]
+            sbom = true
+        "#,
+    )
+}
+
+#[cargo_test]
+fn build_sbom_using_cargo_config() {
+    let p = project()
+        .file(
+            ".cargo/config.toml",
+            r#"
+                [build]
+                sbom = true
+            "#,
+        )
+        .file("Cargo.toml", &basic_bin_manifest("foo"))
+        .file("src/main.rs", r#"fn main() {}"#)
+        .build();
+
+    p.cargo("build").run();
+
+    let file = p.bin("foo").with_extension("cargo-sbom.json");
+    assert!(file.is_file());
+}
+
+#[cargo_test]
+fn build_sbom_using_env_var() {
+    let p = project()
+        .file("Cargo.toml", &basic_bin_manifest("foo"))
+        .file("src/foo.rs", r#"fn main() {}"#)
+        .build();
+
+    p.cargo("build").env("CARGO_BUILD_SBOM", "true").run();
+
+    let file = p.bin("foo").with_extension("cargo-sbom.json");
+    assert!(file.is_file());
+}
+
+#[cargo_test]
+fn build_sbom_project_bin_and_lib() {
+    let p = configured_project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "foo"
+                version = "1.2.3"
+                authors = []
+
+                [lib]
+                crate-type = ["rlib"]
+            "#,
+        )
+        .file("src/main.rs", r#"fn main() { let _i = foo::give_five(); }"#)
+        .file("src/lib.rs", r#"pub fn give_five() -> i32 { 5 }"#)
+        .build();
+
+    p.cargo("build").stream().run();
+
+    assert!(p.bin("foo").with_extension("cargo-sbom.json").is_file());
+    assert_eq!(
+        1,
+        p.glob(p.target_debug_dir().join("libfoo.cargo-sbom.json"))
+            .count()
+    );
+}

From 81eee501ab94ed27f3c753cfb3678827f932ee59 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 11 Mar 2024 10:28:37 +0100
Subject: [PATCH 07/22] Add build type to dependency

---
 src/cargo/core/compiler/output_sbom.rs | 29 ++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index d0e5d477549..99e4b30c4c3 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -17,6 +17,15 @@ use crate::CargoResult;
 
 use super::{unit_graph::UnitDep, BuildRunner, CrateType, Unit};
 
+#[derive(Serialize, Clone, Debug, Copy)]
+#[serde(rename_all = "kebab-case")]
+enum SbomBuildType {
+    /// A package dependency
+    Normal,
+    /// A build script dependency
+    Build,
+}
+
 /// Typed version of a SBOM format version number.
 pub struct SbomFormatVersion<const V: u32>;
 
@@ -65,12 +74,17 @@ struct SbomPackage {
     package: String,
     version: String,
     features: Vec<String>,
+    build_type: SbomBuildType,
     extern_crate_name: String,
     dependencies: Vec<SbomDependency>,
 }
 
 impl SbomPackage {
-    pub fn new(dep: &UnitDep, dependencies: Vec<SbomDependency>) -> Self {
+    pub fn new(
+        dep: &UnitDep,
+        dependencies: Vec<SbomDependency>,
+        build_type: SbomBuildType,
+    ) -> Self {
         let package_id = dep.unit.pkg.package_id();
         let package = package_id.name().to_string();
         let version = package_id.version().to_string();
@@ -86,6 +100,7 @@ impl SbomPackage {
             package,
             version,
             features,
+            build_type,
             extern_crate_name: dep.extern_crate_name.to_string(),
             dependencies,
         }
@@ -199,18 +214,20 @@ fn fetch_packages(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<Sb
     let mut visited = BTreeSet::new();
 
     while let Some(package) = queue.pop_first() {
-        // ignore any custom build scripts.
-        if package.unit.mode.is_run_custom_build() {
-            continue;
-        }
         if visited.contains(package) {
             continue;
         }
 
+        let build_type = if package.unit.mode.is_run_custom_build() {
+            SbomBuildType::Build
+        } else {
+            SbomBuildType::Normal
+        };
+
         let mut dependencies: BTreeSet<&UnitDep> = unit_graph[&package.unit].iter().collect();
         let sbom_dependencies = dependencies.iter().map(|dep| (*dep).into()).collect_vec();
 
-        result.push(SbomPackage::new(package, sbom_dependencies));
+        result.push(SbomPackage::new(package, sbom_dependencies, build_type));
 
         visited.insert(package);
 

From f0af7f6b49f3af1df66ff34511df64d3d2523ab4 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 11 Mar 2024 12:02:02 +0100
Subject: [PATCH 08/22] Add test to read JSON

Still needs to check output.
---
 tests/testsuite/sbom.rs | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index 117ada595ad..c69800c928d 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -73,3 +73,29 @@ fn build_sbom_project_bin_and_lib() {
             .count()
     );
 }
+
+#[cargo_test]
+fn build_sbom_with_simple_build_script() {
+    let p = configured_project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "foo"
+                version = "0.0.1"
+                authors = []
+                build = "build.rs"
+            "#,
+        )
+        .file("src/main.rs", "#[cfg(foo)] fn main() {}")
+        .file(
+            "build.rs",
+            r#"fn main() { println!("cargo::rustc-cfg=foo"); }"#,
+        )
+        .build();
+
+    p.cargo("build").stream().run();
+
+    let path = p.bin("foo").with_extension("cargo-sbom.json");
+    assert!(path.is_file());
+}

From bbe26068a352bbc28dd7d2eae6b76c5b39f7b1fb Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 11 Mar 2024 14:23:43 +0100
Subject: [PATCH 09/22] Guard sbom logic behind unstable feature

---
 src/cargo/core/compiler/build_config.rs      |  5 +++++
 src/cargo/core/compiler/mod.rs               |  6 +++---
 src/cargo/core/features.rs                   |  4 +++-
 src/cargo/util/context/mod.rs                |  1 +
 tests/testsuite/cargo/z_help/stdout.term.svg | 22 +++++++++++---------
 tests/testsuite/sbom.rs                      | 17 +++++++++++----
 6 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/src/cargo/core/compiler/build_config.rs b/src/cargo/core/compiler/build_config.rs
index a397d2a924f..d83feefaa9f 100644
--- a/src/cargo/core/compiler/build_config.rs
+++ b/src/cargo/core/compiler/build_config.rs
@@ -104,11 +104,16 @@ impl BuildConfig {
             anyhow::bail!("-Zbuild-std requires --target");
         }
 
+        // If sbom flag is set, it requires the unstable feature
         let sbom = match gctx.get_env_os("CARGO_BUILD_SBOM") {
             Some(sbom) => sbom == "true",
             None => cfg.sbom == Some(true),
         };
 
+        if sbom && !gctx.cli_unstable().sbom {
+            anyhow::bail!("Cargo build config 'sbom' is unstable; pass `-Zsbom` to enable it");
+        }
+
         Ok(BuildConfig {
             requested_kinds,
             jobs,
diff --git a/src/cargo/core/compiler/mod.rs b/src/cargo/core/compiler/mod.rs
index 00e2be1696e..e8029c552f5 100644
--- a/src/cargo/core/compiler/mod.rs
+++ b/src/cargo/core/compiler/mod.rs
@@ -674,9 +674,9 @@ where
 /// completion of other units will be added later in runtime, such as flags
 /// from build scripts.
 fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult<ProcessBuilder> {
+    let gctx = build_runner.bcx.gctx;
     let is_primary = build_runner.is_primary_package(unit);
     let is_workspace = build_runner.bcx.ws.is_member(&unit.pkg);
-    let sbom = build_runner.bcx.build_config.sbom;
 
     let mut base = build_runner
         .compilation
@@ -687,14 +687,14 @@ fn prepare_rustc(build_runner: &BuildRunner<'_, '_>, unit: &Unit) -> CargoResult
     build_deps_args(&mut base, build_runner, unit)?;
     add_cap_lints(build_runner.bcx, unit, &mut base);
     base.args(&unit.rustflags);
-    if build_runner.bcx.gctx.cli_unstable().binary_dep_depinfo {
+    if gctx.cli_unstable().binary_dep_depinfo {
         base.arg("-Z").arg("binary-dep-depinfo");
     }
 
     if is_primary {
         base.env("CARGO_PRIMARY_PACKAGE", "1");
 
-        if sbom {
+        if gctx.cli_unstable().sbom && build_runner.bcx.build_config.sbom {
             let file_list = std::env::join_paths(build_runner.sbom_output_files(unit)?)?;
             base.env("CARGO_SBOM_PATH", file_list);
         }
diff --git a/src/cargo/core/features.rs b/src/cargo/core/features.rs
index c44b8d51eb4..7e777870189 100644
--- a/src/cargo/core/features.rs
+++ b/src/cargo/core/features.rs
@@ -781,6 +781,7 @@ unstable_cli_options!(
     publish_timeout: bool = ("Enable the `publish.timeout` key in .cargo/config.toml file"),
     rustdoc_map: bool = ("Allow passing external documentation mappings to rustdoc"),
     rustdoc_scrape_examples: bool = ("Allows Rustdoc to scrape code examples from reverse-dependencies"),
+    sbom: bool = ("Enable the `sbom` option in build config in .cargo/config.toml file"),
     script: bool = ("Enable support for single-file, `.rs` packages"),
     separate_nightlies: bool,
     skip_rustdoc_fingerprint: bool,
@@ -1285,9 +1286,10 @@ impl CliUnstable {
             "publish-timeout" => self.publish_timeout = parse_empty(k, v)?,
             "rustdoc-map" => self.rustdoc_map = parse_empty(k, v)?,
             "rustdoc-scrape-examples" => self.rustdoc_scrape_examples = parse_empty(k, v)?,
+            "sbom" => self.sbom = parse_empty(k, v)?,
+            "script" => self.script = parse_empty(k, v)?,
             "separate-nightlies" => self.separate_nightlies = parse_empty(k, v)?,
             "skip-rustdoc-fingerprint" => self.skip_rustdoc_fingerprint = parse_empty(k, v)?,
-            "script" => self.script = parse_empty(k, v)?,
             "target-applies-to-host" => self.target_applies_to_host = parse_empty(k, v)?,
             "unstable-options" => self.unstable_options = parse_empty(k, v)?,
             _ => bail!("\
diff --git a/src/cargo/util/context/mod.rs b/src/cargo/util/context/mod.rs
index 23084d086ef..56520220892 100644
--- a/src/cargo/util/context/mod.rs
+++ b/src/cargo/util/context/mod.rs
@@ -2615,6 +2615,7 @@ pub struct CargoBuildConfig {
     // deprecated alias for artifact-dir
     pub out_dir: Option<ConfigRelativePath>,
     pub artifact_dir: Option<ConfigRelativePath>,
+    /// Unstable feature `-Zsbom`.
     pub sbom: Option<bool>,
 }
 
diff --git a/tests/testsuite/cargo/z_help/stdout.term.svg b/tests/testsuite/cargo/z_help/stdout.term.svg
index e5386620e46..1d44d23fb8e 100644
--- a/tests/testsuite/cargo/z_help/stdout.term.svg
+++ b/tests/testsuite/cargo/z_help/stdout.term.svg
@@ -1,4 +1,4 @@
-<svg width="1230px" height="722px" xmlns="http://www.w3.org/2000/svg">
+<svg width="1230px" height="740px" xmlns="http://www.w3.org/2000/svg">
   <style>
     .fg { fill: #AAAAAA }
     .bg { background: #000000 }
@@ -76,23 +76,25 @@
 </tspan>
     <tspan x="10px" y="550px"><tspan>    -Z rustdoc-scrape-examples  Allows Rustdoc to scrape code examples from reverse-dependencies</tspan>
 </tspan>
-    <tspan x="10px" y="568px"><tspan>    -Z script                   Enable support for single-file, `.rs` packages</tspan>
+    <tspan x="10px" y="568px"><tspan>    -Z sbom                     Enable the `sbom` option in build config in .cargo/config.toml file</tspan>
 </tspan>
-    <tspan x="10px" y="586px"><tspan>    -Z target-applies-to-host   Enable the `target-applies-to-host` key in the .cargo/config.toml file</tspan>
+    <tspan x="10px" y="586px"><tspan>    -Z script                   Enable support for single-file, `.rs` packages</tspan>
 </tspan>
-    <tspan x="10px" y="604px"><tspan>    -Z trim-paths               Enable the `trim-paths` option in profiles</tspan>
+    <tspan x="10px" y="604px"><tspan>    -Z target-applies-to-host   Enable the `target-applies-to-host` key in the .cargo/config.toml file</tspan>
 </tspan>
-    <tspan x="10px" y="622px"><tspan>    -Z unstable-options         Allow the usage of unstable options</tspan>
+    <tspan x="10px" y="622px"><tspan>    -Z trim-paths               Enable the `trim-paths` option in profiles</tspan>
 </tspan>
-    <tspan x="10px" y="640px">
+    <tspan x="10px" y="640px"><tspan>    -Z unstable-options         Allow the usage of unstable options</tspan>
 </tspan>
-    <tspan x="10px" y="658px"><tspan>Run with `cargo -Z [FLAG] [COMMAND]`</tspan>
+    <tspan x="10px" y="658px">
 </tspan>
-    <tspan x="10px" y="676px">
+    <tspan x="10px" y="676px"><tspan>Run with `cargo -Z [FLAG] [COMMAND]`</tspan>
 </tspan>
-    <tspan x="10px" y="694px"><tspan>See https://doc.rust-lang.org/nightly/cargo/reference/unstable.html for more information about these flags.</tspan>
+    <tspan x="10px" y="694px">
 </tspan>
-    <tspan x="10px" y="712px">
+    <tspan x="10px" y="712px"><tspan>See https://doc.rust-lang.org/nightly/cargo/reference/unstable.html for more information about these flags.</tspan>
+</tspan>
+    <tspan x="10px" y="730px">
 </tspan>
   </text>
 
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index c69800c928d..ca334cfbf78 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -26,7 +26,9 @@ fn build_sbom_using_cargo_config() {
         .file("src/main.rs", r#"fn main() {}"#)
         .build();
 
-    p.cargo("build").run();
+    p.cargo("build -Zsbom")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
 
     let file = p.bin("foo").with_extension("cargo-sbom.json");
     assert!(file.is_file());
@@ -39,7 +41,10 @@ fn build_sbom_using_env_var() {
         .file("src/foo.rs", r#"fn main() {}"#)
         .build();
 
-    p.cargo("build").env("CARGO_BUILD_SBOM", "true").run();
+    p.cargo("build -Zsbom")
+        .env("CARGO_BUILD_SBOM", "true")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
 
     let file = p.bin("foo").with_extension("cargo-sbom.json");
     assert!(file.is_file());
@@ -64,7 +69,9 @@ fn build_sbom_project_bin_and_lib() {
         .file("src/lib.rs", r#"pub fn give_five() -> i32 { 5 }"#)
         .build();
 
-    p.cargo("build").stream().run();
+    p.cargo("build -Zsbom")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
 
     assert!(p.bin("foo").with_extension("cargo-sbom.json").is_file());
     assert_eq!(
@@ -94,7 +101,9 @@ fn build_sbom_with_simple_build_script() {
         )
         .build();
 
-    p.cargo("build").stream().run();
+    p.cargo("build -Zsbom")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
 
     let path = p.bin("foo").with_extension("cargo-sbom.json");
     assert!(path.is_file());

From 11ef5865407aade9c65e91fa830b303fad082002 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Fri, 5 Apr 2024 11:00:18 +0200
Subject: [PATCH 10/22] Add test with custom build script

---
 tests/testsuite/sbom.rs | 42 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index ca334cfbf78..24d60480764 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -108,3 +108,45 @@ fn build_sbom_with_simple_build_script() {
     let path = p.bin("foo").with_extension("cargo-sbom.json");
     assert!(path.is_file());
 }
+
+#[cargo_test]
+fn build_sbom_with_build_dependencies() {
+    let p = configured_project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "foo"
+                version = "0.0.1"
+                authors = []
+
+                [dependencies]
+                bar = { path = "./bar" }
+            "#,
+        )
+        .file("src/main.rs", "fn main() { let _i = bar::bar(); }")
+        .file("bar/src/lib.rs", "pub fn bar() -> i32 { 2 }")
+        .file(
+            "bar/Cargo.toml",
+            r#"
+                [package]
+                name = "bar"
+                version = "0.1.0"
+                build = "build.rs"
+
+                [build-dependencies]
+                cc = "1.0.46"
+            "#,
+        )
+        .file(
+            "bar/build.rs",
+            r#"fn main() { println!("cargo::rustc-cfg=foo"); }"#,
+        )
+        .build();
+
+    p.cargo("build -Zsbom")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
+    let path = p.bin("foo").with_extension("cargo-sbom.json");
+    assert!(path.is_file());
+}

From b6087a43a63bb46968f5abc2048f3dbdced390c2 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 6 May 2024 11:22:40 +0200
Subject: [PATCH 11/22] Integrate review feedback

* disable `sbom` config when `-Zsbom` is not passed as unstable option
* refactor tests
* add test
---
 crates/cargo-test-support/src/compare.rs |  2 +-
 src/cargo/core/compiler/build_config.rs  |  6 ++--
 tests/testsuite/sbom.rs                  | 36 ++++++++++++++++++------
 3 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/crates/cargo-test-support/src/compare.rs b/crates/cargo-test-support/src/compare.rs
index e822bb3822c..33731b00d1e 100644
--- a/crates/cargo-test-support/src/compare.rs
+++ b/crates/cargo-test-support/src/compare.rs
@@ -658,7 +658,7 @@ pub(crate) fn match_with_without(
 /// expected JSON objects.
 ///
 /// See [`crate::Execs::with_json`] for more details.
-pub(crate) fn match_json(expected: &str, actual: &str, cwd: Option<&Path>) -> Result<()> {
+pub fn match_json(expected: &str, actual: &str, cwd: Option<&Path>) -> Result<()> {
     let (exp_objs, act_objs) = collect_json_objects(expected, actual)?;
     if exp_objs.len() != act_objs.len() {
         bail!(
diff --git a/src/cargo/core/compiler/build_config.rs b/src/cargo/core/compiler/build_config.rs
index d83feefaa9f..b708c16ea32 100644
--- a/src/cargo/core/compiler/build_config.rs
+++ b/src/cargo/core/compiler/build_config.rs
@@ -105,13 +105,15 @@ impl BuildConfig {
         }
 
         // If sbom flag is set, it requires the unstable feature
-        let sbom = match gctx.get_env_os("CARGO_BUILD_SBOM") {
+        let mut sbom = match gctx.get_env_os("CARGO_BUILD_SBOM") {
             Some(sbom) => sbom == "true",
             None => cfg.sbom == Some(true),
         };
 
         if sbom && !gctx.cli_unstable().sbom {
-            anyhow::bail!("Cargo build config 'sbom' is unstable; pass `-Zsbom` to enable it");
+            gctx.shell()
+                .warn("ignoring 'sbom' config, pass `-Zsbom` to enable it")?;
+            sbom = false;
         }
 
         Ok(BuildConfig {
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index 24d60480764..5cd9201944a 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -1,6 +1,9 @@
 //! Tests for cargo-sbom precursor files.
 
-use cargo_test_support::{basic_bin_manifest, cargo_test, project, ProjectBuilder};
+use cargo_test_support::basic_bin_manifest;
+use cargo_test_support::cargo_test;
+use cargo_test_support::project;
+use cargo_test_support::ProjectBuilder;
 
 fn configured_project() -> ProjectBuilder {
     project().file(
@@ -13,15 +16,29 @@ fn configured_project() -> ProjectBuilder {
 }
 
 #[cargo_test]
-fn build_sbom_using_cargo_config() {
-    let p = project()
-        .file(
-            ".cargo/config.toml",
-            r#"
-                [build]
-                sbom = true
-            "#,
+fn build_sbom_without_passing_unstable_flag() {
+    let p = configured_project()
+        .file("Cargo.toml", &basic_bin_manifest("foo"))
+        .file("src/main.rs", r#"fn main() {}"#)
+        .build();
+
+    p.cargo("build")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .with_stderr_data(
+            "\
+            warning: ignoring 'sbom' config, pass `-Zsbom` to enable it\n\
+            [COMPILING] foo v0.5.0 ([..])\n\
+            [FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [..]\n",
         )
+        .run();
+
+    let file = p.bin("foo").with_extension("cargo-sbom.json");
+    assert!(!file.exists());
+}
+
+#[cargo_test]
+fn build_sbom_using_cargo_config() {
+    let p = configured_project()
         .file("Cargo.toml", &basic_bin_manifest("foo"))
         .file("src/main.rs", r#"fn main() {}"#)
         .build();
@@ -147,6 +164,7 @@ fn build_sbom_with_build_dependencies() {
     p.cargo("build -Zsbom")
         .masquerade_as_nightly_cargo(&["sbom"])
         .run();
+
     let path = p.bin("foo").with_extension("cargo-sbom.json");
     assert!(path.is_file());
 }

From bb013b193c87f8e3623ba9e3095255f36e6ae5fd Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 6 May 2024 14:21:57 +0200
Subject: [PATCH 12/22] Expand end-to-end tests

This expands the tests to reflect end-to-end tests by comparing the
generated JSON output files with expected strings.

* add test helper to compare actual & expected JSON content
* refactor setup of packages in test
---
 tests/testsuite/sbom.rs | 210 ++++++++++++++++++++++++++++++++++++----
 1 file changed, 189 insertions(+), 21 deletions(-)

diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index 5cd9201944a..bee7be4843f 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -1,10 +1,28 @@
 //! Tests for cargo-sbom precursor files.
 
+use std::path::PathBuf;
+
 use cargo_test_support::basic_bin_manifest;
 use cargo_test_support::cargo_test;
+use cargo_test_support::compare::match_json;
 use cargo_test_support::project;
+use cargo_test_support::registry::Package;
 use cargo_test_support::ProjectBuilder;
 
+/// Helper function to compare expected JSON output against actual.
+#[track_caller]
+fn assert_json_output(actual_json_file: PathBuf, expected_json: &str) {
+    assert!(actual_json_file.is_file());
+    let actual_json = std::fs::read_to_string(actual_json_file).expect("Failed to read file");
+    let actual_json: serde_json::Value =
+        serde_json::from_str(actual_json.as_str()).expect("Failed to parse JSON");
+    let actual_json = serde_json::to_string(&actual_json).expect("Failed to convert JSON");
+
+    if let Err(error) = match_json(expected_json, &actual_json, None) {
+        panic!("{}", error.to_string());
+    }
+}
+
 fn configured_project() -> ProjectBuilder {
     project().file(
         ".cargo/config.toml",
@@ -48,7 +66,51 @@ fn build_sbom_using_cargo_config() {
         .run();
 
     let file = p.bin("foo").with_extension("cargo-sbom.json");
-    assert!(file.is_file());
+    assert_json_output(
+        file,
+        r#"
+        {
+            "format_version": 1,
+            "package_id": "path+file:///[..]/foo#0.5.0",
+            "name": "foo",
+            "version": "0.5.0",
+            "source": "[ROOT]/foo",
+            "target": {
+                "kind": [
+                    "bin"
+                ],
+                "crate_type": "bin",
+                "name": "foo",
+                "edition": "2015"
+            },
+            "profile": {
+                "name": "dev",
+                "opt_level": "0",
+                "lto": "false",
+                "codegen_backend": null,
+                "codegen_units": null,
+                "debuginfo": 2,
+                "split_debuginfo": "{...}",
+                "debug_assertions": true,
+                "overflow_checks": true,
+                "rpath": false,
+                "incremental": false,
+                "panic": "unwind",
+                "strip": {
+                    "deferred": "None"
+                }
+            },
+            "packages": [],
+            "features": [],
+            "rustc": {
+                "version": "[..]",
+                "wrapper": null,
+                "commit_hash": "[..]",
+                "host": "[..]"
+            }
+        }
+        "#,
+    );
 }
 
 #[cargo_test]
@@ -92,8 +154,8 @@ fn build_sbom_project_bin_and_lib() {
 
     assert!(p.bin("foo").with_extension("cargo-sbom.json").is_file());
     assert_eq!(
-        1,
-        p.glob(p.target_debug_dir().join("libfoo.cargo-sbom.json"))
+        2,
+        p.glob(p.target_debug_dir().join("*.cargo-sbom.json"))
             .count()
     );
 }
@@ -128,23 +190,11 @@ fn build_sbom_with_simple_build_script() {
 
 #[cargo_test]
 fn build_sbom_with_build_dependencies() {
-    let p = configured_project()
+    Package::new("baz", "0.1.0").publish();
+    Package::new("bar", "0.1.0")
+        .build_dep("baz", "0.1.0")
         .file(
             "Cargo.toml",
-            r#"
-                [package]
-                name = "foo"
-                version = "0.0.1"
-                authors = []
-
-                [dependencies]
-                bar = { path = "./bar" }
-            "#,
-        )
-        .file("src/main.rs", "fn main() { let _i = bar::bar(); }")
-        .file("bar/src/lib.rs", "pub fn bar() -> i32 { 2 }")
-        .file(
-            "bar/Cargo.toml",
             r#"
                 [package]
                 name = "bar"
@@ -152,13 +202,30 @@ fn build_sbom_with_build_dependencies() {
                 build = "build.rs"
 
                 [build-dependencies]
-                cc = "1.0.46"
+                baz = "0.1.0"
             "#,
         )
+        .file("src/lib.rs", "pub fn bar() -> i32 { 2 }")
         .file(
-            "bar/build.rs",
+            "build.rs",
             r#"fn main() { println!("cargo::rustc-cfg=foo"); }"#,
         )
+        .publish();
+
+    let p = configured_project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "foo"
+                version = "0.0.1"
+                authors = []
+
+                [dependencies]
+                bar = "0.1.0"
+            "#,
+        )
+        .file("src/main.rs", "fn main() { let _i = bar::bar(); }")
         .build();
 
     p.cargo("build -Zsbom")
@@ -166,5 +233,106 @@ fn build_sbom_with_build_dependencies() {
         .run();
 
     let path = p.bin("foo").with_extension("cargo-sbom.json");
-    assert!(path.is_file());
+    assert_json_output(
+        path,
+        r#"
+        {
+            "format_version": 1,
+            "package_id": "path+file:///[..]/foo#0.0.1",
+            "name": "foo",
+            "version": "0.0.1",
+            "source": "[ROOT]/foo",
+            "target": {
+                "kind": [
+                    "bin"
+                ],
+                "crate_type": "bin",
+                "name": "foo",
+                "edition": "2015"
+            },
+            "profile": {
+                "name": "dev",
+                "opt_level": "0",
+                "lto": "false",
+                "codegen_backend": null,
+                "codegen_units": null,
+                "debuginfo": 2,
+                "split_debuginfo": "{...}",
+                "debug_assertions": true,
+                "overflow_checks": true,
+                "rpath": false,
+                "incremental": false,
+                "panic": "unwind",
+                "strip": {
+                    "deferred": "None"
+                }
+            },
+            "packages": [
+                {
+                    "package_id": "bar 0.1.0 (registry+[..])",
+                    "package": "bar",
+                    "version": "0.1.0",
+                    "features": [],
+                    "build_type": "normal",
+                    "extern_crate_name": "bar",
+                    "dependencies": [
+                        {
+                            "name": "bar",
+                            "package_id": "bar 0.1.0 (registry+[..])",
+                            "version": "0.1.0",
+                            "features": []
+                        }
+                    ]
+                },
+                {
+                    "package_id": "bar 0.1.0 (registry+[..])",
+                    "package": "bar",
+                    "version": "0.1.0",
+                    "features": [],
+                    "build_type": "build",
+                    "extern_crate_name": "build_script_build",
+                    "dependencies": [
+                        {
+                            "name": "bar",
+                            "package_id": "bar 0.1.0 (registry+[..])",
+                            "version": "0.1.0",
+                            "features": []
+                        }
+                    ]
+                },
+                {
+                    "package_id": "bar 0.1.0 (registry+[..])",
+                    "package": "bar",
+                    "version": "0.1.0",
+                    "features": [],
+                    "build_type": "normal",
+                    "extern_crate_name": "build_script_build",
+                    "dependencies": [
+                        {
+                            "name": "baz",
+                            "package_id": "baz 0.1.0 (registry+[..])",
+                            "version": "0.1.0",
+                            "features": []
+                        }
+                    ]
+                },
+                {
+                    "package_id": "baz 0.1.0 (registry+[..])",
+                    "package": "baz",
+                    "version": "0.1.0",
+                    "features": [],
+                    "build_type": "normal",
+                    "extern_crate_name": "baz",
+                    "dependencies": []
+                }
+            ],
+            "features": [],
+            "rustc": {
+                "version": "[..]",
+                "wrapper": null,
+                "commit_hash": "[..]",
+                "host": "[..]"
+            }
+        }"#,
+    );
 }

From e70a2c74af62ef27a39be16f7e6db69ed583bb67 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 6 May 2024 15:42:18 +0200
Subject: [PATCH 13/22] Add 'sbom' section to unstable features doc

---
 src/doc/src/reference/unstable.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/doc/src/reference/unstable.md b/src/doc/src/reference/unstable.md
index 18be45fc2b0..d33a7ac519d 100644
--- a/src/doc/src/reference/unstable.md
+++ b/src/doc/src/reference/unstable.md
@@ -74,6 +74,7 @@ Each new feature described below should explain how to use it.
     * [public-dependency](#public-dependency) --- Allows dependencies to be classified as either public or private.
     * [msrv-policy](#msrv-policy) --- MSRV-aware resolver and version selection
     * [precise-pre-release](#precise-pre-release) --- Allows pre-release versions to be selected with `update --precise`
+    * [sbom](#sbom) --- Generates SBOM pre-cursor files for compiled artifacts
     * [update-breaking](#update-breaking) --- Allows upgrading to breaking versions with `update --breaking`
 * Output behavior
     * [artifact-dir](#artifact-dir) --- Adds a directory where artifacts are copied to.
@@ -381,6 +382,29 @@ It's possible to update `my-dependency` to a pre-release with `update -Zunstable
 This is because `0.1.2-pre.0` is considered compatible with `0.1.1`.
 It would not be possible to upgrade to `0.2.0-pre.0` from `0.1.1` in the same way.
 
+## sbom
+* Tracking Issue: [#13709](https://github.com/rust-lang/cargo/pull/13709)
+* RFC: [#3553](https://github.com/rust-lang/rfcs/pull/3553)
+
+The `sbom` build config allows to generate so-called SBOM pre-cursor files
+alongside each compiled artifact. A Software Bill Of Material (SBOM) tool can
+incorporate these generated files to collect important information from the cargo
+build process that are difficult or impossible to obtain in another way.
+
+To enable this feature either set the `sbom` field in the `.cargo/config.toml`
+
+```toml
+[build]
+sbom = true
+```
+
+or set the `CARGO_BUILD_SBOM` environment variable to `true`. The functionality
+is available behind the flag `-Z sbom`.
+
+The generated output files are in JSON format and follow the naming scheme
+`<artifact>.cargo-sbom.json`. The JSON file contains information about dependencies,
+target, features and the used `rustc` compiler.
+
 ## update-breaking
 
 * Tracking Issue: [#12425](https://github.com/rust-lang/cargo/issues/12425)

From 7ffc19a61345041ef409df3e68fef3669cb680ba Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 13 May 2024 11:28:20 +0200
Subject: [PATCH 14/22] Append SBOM file suffix instead of replacing

Instead of replacing the file extension, the `.cargo-sbom.json` suffix
is appended to the output file. This is to keep existing file extensions
in place.

* refactor logic to set `sbom` property from build config
* expand build script related test to check JSON output
---
 src/cargo/core/compiler/build_config.rs     | 17 +++--
 src/cargo/core/compiler/build_runner/mod.rs | 10 ++-
 tests/testsuite/sbom.rs                     | 71 +++++++++++++++++++++
 3 files changed, 88 insertions(+), 10 deletions(-)

diff --git a/src/cargo/core/compiler/build_config.rs b/src/cargo/core/compiler/build_config.rs
index b708c16ea32..ca9d1ab15ba 100644
--- a/src/cargo/core/compiler/build_config.rs
+++ b/src/cargo/core/compiler/build_config.rs
@@ -105,17 +105,16 @@ impl BuildConfig {
         }
 
         // If sbom flag is set, it requires the unstable feature
-        let mut sbom = match gctx.get_env_os("CARGO_BUILD_SBOM") {
-            Some(sbom) => sbom == "true",
-            None => cfg.sbom == Some(true),
+        let sbom = match (cfg.sbom, gctx.cli_unstable().sbom) {
+            (Some(sbom), true) => sbom,
+            (Some(_), false) => {
+                gctx.shell()
+                    .warn("ignoring 'sbom' config, pass `-Zsbom` to enable it")?;
+                false
+            }
+            (None, _) => false,
         };
 
-        if sbom && !gctx.cli_unstable().sbom {
-            gctx.shell()
-                .warn("ignoring 'sbom' config, pass `-Zsbom` to enable it")?;
-            sbom = false;
-        }
-
         Ok(BuildConfig {
             requested_kinds,
             jobs,
diff --git a/src/cargo/core/compiler/build_runner/mod.rs b/src/cargo/core/compiler/build_runner/mod.rs
index 8b5a8e4f7c2..380e319811a 100644
--- a/src/cargo/core/compiler/build_runner/mod.rs
+++ b/src/cargo/core/compiler/build_runner/mod.rs
@@ -427,13 +427,21 @@ impl<'a, 'gctx> BuildRunner<'a, 'gctx> {
     ///
     /// Only call this function when `sbom` is active.
     pub fn sbom_output_files(&self, unit: &Unit) -> CargoResult<Vec<PathBuf>> {
+        const SBOM_FILE_EXTENSION: &str = ".cargo-sbom.json";
+
+        fn append_sbom_suffix(link: &PathBuf, suffix: &str) -> PathBuf {
+            let mut link_buf = link.clone().into_os_string();
+            link_buf.push(suffix);
+            PathBuf::from(link_buf)
+        }
+
         assert!(self.bcx.build_config.sbom);
         let files = self
             .outputs(unit)?
             .iter()
             .filter(|o| matches!(o.flavor, FileFlavor::Normal | FileFlavor::Linkable))
             .filter_map(|output_file| output_file.hardlink.as_ref())
-            .map(|link_dst| link_dst.with_extension("cargo-sbom.json"))
+            .map(|link| append_sbom_suffix(link, SBOM_FILE_EXTENSION))
             .collect::<Vec<_>>();
         Ok(files)
     }
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index bee7be4843f..4230f38d911 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -186,6 +186,77 @@ fn build_sbom_with_simple_build_script() {
 
     let path = p.bin("foo").with_extension("cargo-sbom.json");
     assert!(path.is_file());
+
+    assert_json_output(
+        path,
+        r#"
+        {
+            "format_version": 1,
+            "package_id": "path+file:///[..]/foo#0.0.1",
+            "name": "foo",
+            "version": "0.0.1",
+            "source": "[ROOT]/foo",
+            "target": {
+                "kind": [
+                    "bin"
+                ],
+                "crate_type": "bin",
+                "name": "foo",
+                "edition": "2015"
+            },
+            "profile": {
+                "name": "dev",
+                "opt_level": "0",
+                "lto": "false",
+                "codegen_backend": null,
+                "codegen_units": null,
+                "debuginfo": 2,
+                "split_debuginfo": "{...}",
+                "debug_assertions": true,
+                "overflow_checks": true,
+                "rpath": false,
+                "incremental": false,
+                "panic": "unwind",
+                "strip": {
+                    "deferred": "None"
+                }
+            },
+            "packages": [
+                {
+                    "build_type": "build",
+                    "dependencies": [
+                        {
+                            "features": [],
+                            "name": "foo",
+                            "package_id": "foo 0.0.1 (path+file:///[..]/foo)",
+                            "version": "0.0.1"
+                        }
+                    ],
+                    "extern_crate_name": "build_script_build",
+                    "features": [],
+                    "package": "foo",
+                    "package_id": "foo 0.0.1 (path+file:///[..]/foo)",
+                    "version": "0.0.1"
+                },
+                {
+                    "package_id": "foo 0.0.1 (path+file:///[..]/foo)",
+                    "package": "foo",
+                    "version": "0.0.1",
+                    "features": [],
+                    "build_type": "normal",
+                    "extern_crate_name": "build_script_build",
+                    "dependencies": []
+                }
+            ],
+            "features": [],
+            "rustc": {
+                "version": "[..]",
+                "wrapper": null,
+                "commit_hash": "[..]",
+                "host": "[..]"
+            }
+        }"#,
+    );
 }
 
 #[cargo_test]

From 1c5cafb4f8c92d91e23077a8448ba7a56f357bdf Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 13 May 2024 14:06:19 +0200
Subject: [PATCH 15/22] Integrate review feedback

* use `PackageIdSpec` instead of only `PackageId` in SBOM output
* change `version` of a dependency to `Option<Version>`
* output `Vec<CrateType>` instead of only the first found crate type
* output rustc workspace wrapper
* update 'warning' string in test using `[WARNING]`
* use `serde_json::to_writer` to serialize SBOM
* set sbom suffix in tests explicitely, instead of using `with_extension`
---
 src/cargo/core/compiler/output_sbom.rs | 32 ++++++------
 src/doc/src/reference/unstable.md      |  3 ++
 tests/testsuite/sbom.rs                | 69 +++++++++++++++++---------
 3 files changed, 66 insertions(+), 38 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 99e4b30c4c3..5c467693a3c 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -2,15 +2,16 @@
 //! See [`output_sbom`] for more.
 
 use std::collections::BTreeSet;
-use std::io::{BufWriter, Write};
+use std::io::BufWriter;
 use std::path::PathBuf;
 
 use cargo_util::paths::{self};
 use cargo_util_schemas::core::PackageIdSpec;
 use itertools::Itertools;
+use semver::Version;
 use serde::Serialize;
 
-use crate::core::{profiles::Profile, PackageId};
+use crate::core::profiles::Profile;
 use crate::core::{Target, TargetKind};
 use crate::util::Rustc;
 use crate::CargoResult;
@@ -42,16 +43,16 @@ impl<const V: u32> Serialize for SbomFormatVersion<V> {
 #[derive(Serialize, Clone, Debug)]
 struct SbomDependency {
     name: String,
-    package_id: PackageId,
-    version: String,
+    package_id: PackageIdSpec,
+    version: Option<Version>,
     features: Vec<String>,
 }
 
 impl From<&UnitDep> for SbomDependency {
     fn from(dep: &UnitDep) -> Self {
-        let package_id = dep.unit.pkg.package_id();
+        let package_id = dep.unit.pkg.package_id().to_spec();
         let name = package_id.name().to_string();
-        let version = package_id.version().to_string();
+        let version = package_id.version();
         let features = dep
             .unit
             .features
@@ -70,9 +71,9 @@ impl From<&UnitDep> for SbomDependency {
 
 #[derive(Serialize, Clone, Debug)]
 struct SbomPackage {
-    package_id: PackageId,
+    package_id: PackageIdSpec,
     package: String,
-    version: String,
+    version: Option<Version>,
     features: Vec<String>,
     build_type: SbomBuildType,
     extern_crate_name: String,
@@ -85,9 +86,9 @@ impl SbomPackage {
         dependencies: Vec<SbomDependency>,
         build_type: SbomBuildType,
     ) -> Self {
-        let package_id = dep.unit.pkg.package_id();
+        let package_id = dep.unit.pkg.package_id().to_spec();
         let package = package_id.name().to_string();
-        let version = package_id.version().to_string();
+        let version = package_id.version();
         let features = dep
             .unit
             .features
@@ -110,7 +111,7 @@ impl SbomPackage {
 #[derive(Serialize)]
 struct SbomTarget {
     kind: TargetKind,
-    crate_type: Option<CrateType>,
+    crate_types: Vec<CrateType>,
     name: String,
     edition: String,
 }
@@ -119,7 +120,7 @@ impl From<&Target> for SbomTarget {
     fn from(target: &Target) -> Self {
         SbomTarget {
             kind: target.kind().clone(),
-            crate_type: target.kind().rustc_crate_types().first().cloned(),
+            crate_types: target.kind().rustc_crate_types().clone(),
             name: target.name().to_string(),
             edition: target.edition().to_string(),
         }
@@ -130,6 +131,7 @@ impl From<&Target> for SbomTarget {
 struct SbomRustc {
     version: String,
     wrapper: Option<PathBuf>,
+    workspace_wrapper: Option<PathBuf>,
     commit_hash: Option<String>,
     host: String,
 }
@@ -139,6 +141,7 @@ impl From<&Rustc> for SbomRustc {
         Self {
             version: rustc.version.to_string(),
             wrapper: rustc.wrapper.clone(),
+            workspace_wrapper: rustc.workspace_wrapper.clone(),
             commit_hash: rustc.commit_hash.clone(),
             host: rustc.host.to_string(),
         }
@@ -195,9 +198,8 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
     for sbom_output_file in build_runner.sbom_output_files(unit)? {
         let sbom = Sbom::new(unit, packages.clone(), rustc.clone());
 
-        let mut outfile = BufWriter::new(paths::create(sbom_output_file)?);
-        let output = serde_json::to_string(&sbom)?;
-        write!(outfile, "{}", output)?;
+        let outfile = BufWriter::new(paths::create(sbom_output_file)?);
+        serde_json::to_writer(outfile, &sbom)?;
     }
 
     Ok(())
diff --git a/src/doc/src/reference/unstable.md b/src/doc/src/reference/unstable.md
index d33a7ac519d..60e64989e18 100644
--- a/src/doc/src/reference/unstable.md
+++ b/src/doc/src/reference/unstable.md
@@ -394,6 +394,9 @@ build process that are difficult or impossible to obtain in another way.
 To enable this feature either set the `sbom` field in the `.cargo/config.toml`
 
 ```toml
+[unstable]
+sbom = true
+
 [build]
 sbom = true
 ```
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index 4230f38d911..fb967efc098 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -23,6 +23,14 @@ fn assert_json_output(actual_json_file: PathBuf, expected_json: &str) {
     }
 }
 
+const SBOM_FILE_EXTENSION: &str = ".cargo-sbom.json";
+
+fn with_sbom_suffix(link: &PathBuf) -> PathBuf {
+    let mut link_buf = link.clone().into_os_string();
+    link_buf.push(SBOM_FILE_EXTENSION);
+    PathBuf::from(link_buf)
+}
+
 fn configured_project() -> ProjectBuilder {
     project().file(
         ".cargo/config.toml",
@@ -44,13 +52,13 @@ fn build_sbom_without_passing_unstable_flag() {
         .masquerade_as_nightly_cargo(&["sbom"])
         .with_stderr_data(
             "\
-            warning: ignoring 'sbom' config, pass `-Zsbom` to enable it\n\
+            [WARNING] ignoring 'sbom' config, pass `-Zsbom` to enable it\n\
             [COMPILING] foo v0.5.0 ([..])\n\
             [FINISHED] `dev` profile [unoptimized + debuginfo] target(s) in [..]\n",
         )
         .run();
 
-    let file = p.bin("foo").with_extension("cargo-sbom.json");
+    let file = with_sbom_suffix(&p.bin("foo"));
     assert!(!file.exists());
 }
 
@@ -65,7 +73,7 @@ fn build_sbom_using_cargo_config() {
         .masquerade_as_nightly_cargo(&["sbom"])
         .run();
 
-    let file = p.bin("foo").with_extension("cargo-sbom.json");
+    let file = with_sbom_suffix(&p.bin("foo"));
     assert_json_output(
         file,
         r#"
@@ -79,7 +87,9 @@ fn build_sbom_using_cargo_config() {
                 "kind": [
                     "bin"
                 ],
-                "crate_type": "bin",
+                "crate_types": [
+                    "bin"
+                ],
                 "name": "foo",
                 "edition": "2015"
             },
@@ -105,6 +115,7 @@ fn build_sbom_using_cargo_config() {
             "rustc": {
                 "version": "[..]",
                 "wrapper": null,
+                "workspace_wrapper": null,
                 "commit_hash": "[..]",
                 "host": "[..]"
             }
@@ -125,7 +136,7 @@ fn build_sbom_using_env_var() {
         .masquerade_as_nightly_cargo(&["sbom"])
         .run();
 
-    let file = p.bin("foo").with_extension("cargo-sbom.json");
+    let file = with_sbom_suffix(&p.bin("foo"));
     assert!(file.is_file());
 }
 
@@ -152,7 +163,7 @@ fn build_sbom_project_bin_and_lib() {
         .masquerade_as_nightly_cargo(&["sbom"])
         .run();
 
-    assert!(p.bin("foo").with_extension("cargo-sbom.json").is_file());
+    assert!(with_sbom_suffix(&p.bin("foo")).is_file());
     assert_eq!(
         2,
         p.glob(p.target_debug_dir().join("*.cargo-sbom.json"))
@@ -176,7 +187,10 @@ fn build_sbom_with_simple_build_script() {
         .file("src/main.rs", "#[cfg(foo)] fn main() {}")
         .file(
             "build.rs",
-            r#"fn main() { println!("cargo::rustc-cfg=foo"); }"#,
+            r#"fn main() {
+                println!("cargo::rustc-check-cfg=cfg(foo)");
+                println!("cargo::rustc-cfg=foo");
+            }"#,
         )
         .build();
 
@@ -184,7 +198,7 @@ fn build_sbom_with_simple_build_script() {
         .masquerade_as_nightly_cargo(&["sbom"])
         .run();
 
-    let path = p.bin("foo").with_extension("cargo-sbom.json");
+    let path = with_sbom_suffix(&p.bin("foo"));
     assert!(path.is_file());
 
     assert_json_output(
@@ -192,7 +206,7 @@ fn build_sbom_with_simple_build_script() {
         r#"
         {
             "format_version": 1,
-            "package_id": "path+file:///[..]/foo#0.0.1",
+            "package_id": "path+file://[..]/foo#0.0.1",
             "name": "foo",
             "version": "0.0.1",
             "source": "[ROOT]/foo",
@@ -200,7 +214,9 @@ fn build_sbom_with_simple_build_script() {
                 "kind": [
                     "bin"
                 ],
-                "crate_type": "bin",
+                "crate_types": [
+                    "bin"
+                ],
                 "name": "foo",
                 "edition": "2015"
             },
@@ -228,18 +244,18 @@ fn build_sbom_with_simple_build_script() {
                         {
                             "features": [],
                             "name": "foo",
-                            "package_id": "foo 0.0.1 (path+file:///[..]/foo)",
+                            "package_id": "path+file://[..]/foo#0.0.1",
                             "version": "0.0.1"
                         }
                     ],
                     "extern_crate_name": "build_script_build",
                     "features": [],
                     "package": "foo",
-                    "package_id": "foo 0.0.1 (path+file:///[..]/foo)",
+                    "package_id": "path+file://[..]/foo#0.0.1",
                     "version": "0.0.1"
                 },
                 {
-                    "package_id": "foo 0.0.1 (path+file:///[..]/foo)",
+                    "package_id": "path+file://[..]/foo#0.0.1",
                     "package": "foo",
                     "version": "0.0.1",
                     "features": [],
@@ -252,6 +268,7 @@ fn build_sbom_with_simple_build_script() {
             "rustc": {
                 "version": "[..]",
                 "wrapper": null,
+                "workspace_wrapper": null,
                 "commit_hash": "[..]",
                 "host": "[..]"
             }
@@ -279,7 +296,10 @@ fn build_sbom_with_build_dependencies() {
         .file("src/lib.rs", "pub fn bar() -> i32 { 2 }")
         .file(
             "build.rs",
-            r#"fn main() { println!("cargo::rustc-cfg=foo"); }"#,
+            r#"fn main() {
+                println!("cargo::rustc-check-cfg=cfg(foo)");
+                println!("cargo::rustc-cfg=foo");
+            }"#,
         )
         .publish();
 
@@ -303,7 +323,7 @@ fn build_sbom_with_build_dependencies() {
         .masquerade_as_nightly_cargo(&["sbom"])
         .run();
 
-    let path = p.bin("foo").with_extension("cargo-sbom.json");
+    let path = with_sbom_suffix(&p.bin("foo"));
     assert_json_output(
         path,
         r#"
@@ -317,7 +337,9 @@ fn build_sbom_with_build_dependencies() {
                 "kind": [
                     "bin"
                 ],
-                "crate_type": "bin",
+                "crate_types": [
+                    "bin"
+                ],
                 "name": "foo",
                 "edition": "2015"
             },
@@ -340,7 +362,7 @@ fn build_sbom_with_build_dependencies() {
             },
             "packages": [
                 {
-                    "package_id": "bar 0.1.0 (registry+[..])",
+                    "package_id": "registry+[..]#bar@0.1.0",
                     "package": "bar",
                     "version": "0.1.0",
                     "features": [],
@@ -349,14 +371,14 @@ fn build_sbom_with_build_dependencies() {
                     "dependencies": [
                         {
                             "name": "bar",
-                            "package_id": "bar 0.1.0 (registry+[..])",
+                            "package_id": "registry+[..]#bar@0.1.0",
                             "version": "0.1.0",
                             "features": []
                         }
                     ]
                 },
                 {
-                    "package_id": "bar 0.1.0 (registry+[..])",
+                    "package_id": "registry+[..]#bar@0.1.0",
                     "package": "bar",
                     "version": "0.1.0",
                     "features": [],
@@ -365,14 +387,14 @@ fn build_sbom_with_build_dependencies() {
                     "dependencies": [
                         {
                             "name": "bar",
-                            "package_id": "bar 0.1.0 (registry+[..])",
+                            "package_id": "registry+[..]#bar@0.1.0",
                             "version": "0.1.0",
                             "features": []
                         }
                     ]
                 },
                 {
-                    "package_id": "bar 0.1.0 (registry+[..])",
+                    "package_id": "registry+[..]#bar@0.1.0",
                     "package": "bar",
                     "version": "0.1.0",
                     "features": [],
@@ -381,14 +403,14 @@ fn build_sbom_with_build_dependencies() {
                     "dependencies": [
                         {
                             "name": "baz",
-                            "package_id": "baz 0.1.0 (registry+[..])",
+                            "package_id": "registry+[..]#baz@0.1.0",
                             "version": "0.1.0",
                             "features": []
                         }
                     ]
                 },
                 {
-                    "package_id": "baz 0.1.0 (registry+[..])",
+                    "package_id": "registry+[..]#baz@0.1.0",
                     "package": "baz",
                     "version": "0.1.0",
                     "features": [],
@@ -401,6 +423,7 @@ fn build_sbom_with_build_dependencies() {
             "rustc": {
                 "version": "[..]",
                 "wrapper": null,
+                "workspace_wrapper": null,
                 "commit_hash": "[..]",
                 "host": "[..]"
             }

From 249a8f68dded5f18a330544da9b65e39f619ba9c Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Tue, 14 May 2024 10:19:37 +0200
Subject: [PATCH 16/22] Output additional fields to JSON

In case a unit's profile differs from the profile information on root
level, it's added to the package information to the JSON output.

The verbose output for `rustc -vV` is also written to the `rustc` field
in the SBOM.

* rename `fetch_packages` to `collect_packages`
* update JSON in tests to include profile information
---
 src/cargo/core/compiler/output_sbom.rs |  25 +++++-
 tests/testsuite/sbom.rs                | 102 +++++++++++++++++++++++--
 2 files changed, 117 insertions(+), 10 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 5c467693a3c..1afc16e8d72 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -73,6 +73,10 @@ impl From<&UnitDep> for SbomDependency {
 struct SbomPackage {
     package_id: PackageIdSpec,
     package: String,
+    /// A profile can be overriden for individual packages
+    ///
+    /// See <https://doc.rust-lang.org/nightly/cargo/reference/profiles.html#overrides>
+    profile: Option<Profile>,
     version: Option<Version>,
     features: Vec<String>,
     build_type: SbomBuildType,
@@ -85,9 +89,15 @@ impl SbomPackage {
         dep: &UnitDep,
         dependencies: Vec<SbomDependency>,
         build_type: SbomBuildType,
+        root_profile: &Profile,
     ) -> Self {
         let package_id = dep.unit.pkg.package_id().to_spec();
         let package = package_id.name().to_string();
+        let profile = if &dep.unit.profile != root_profile {
+            Some(dep.unit.profile.clone())
+        } else {
+            None
+        };
         let version = package_id.version();
         let features = dep
             .unit
@@ -99,6 +109,7 @@ impl SbomPackage {
         Self {
             package_id,
             package,
+            profile,
             version,
             features,
             build_type,
@@ -134,6 +145,7 @@ struct SbomRustc {
     workspace_wrapper: Option<PathBuf>,
     commit_hash: Option<String>,
     host: String,
+    verbose_version: String,
 }
 
 impl From<&Rustc> for SbomRustc {
@@ -144,6 +156,7 @@ impl From<&Rustc> for SbomRustc {
             workspace_wrapper: rustc.workspace_wrapper.clone(),
             commit_hash: rustc.commit_hash.clone(),
             host: rustc.host.to_string(),
+            verbose_version: rustc.verbose_version.clone(),
         }
     }
 }
@@ -193,7 +206,7 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
     let bcx = build_runner.bcx;
     let rustc: SbomRustc = bcx.rustc().into();
 
-    let packages = fetch_packages(build_runner, unit);
+    let packages = collect_packages(build_runner, unit);
 
     for sbom_output_file in build_runner.sbom_output_files(unit)? {
         let sbom = Sbom::new(unit, packages.clone(), rustc.clone());
@@ -207,9 +220,10 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
 
 /// Fetch all dependencies, including transitive ones. A dependency can also appear multiple times
 /// if it's included with different versions.
-fn fetch_packages(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<SbomPackage> {
+fn collect_packages(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<SbomPackage> {
     let unit_graph = &build_runner.bcx.unit_graph;
     let root_deps = build_runner.unit_deps(unit);
+    let root_profile = &unit.profile;
 
     let mut result = Vec::new();
     let mut queue: BTreeSet<&UnitDep> = root_deps.iter().collect();
@@ -229,7 +243,12 @@ fn fetch_packages(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<Sb
         let mut dependencies: BTreeSet<&UnitDep> = unit_graph[&package.unit].iter().collect();
         let sbom_dependencies = dependencies.iter().map(|dep| (*dep).into()).collect_vec();
 
-        result.push(SbomPackage::new(package, sbom_dependencies, build_type));
+        result.push(SbomPackage::new(
+            package,
+            sbom_dependencies,
+            build_type,
+            root_profile,
+        ));
 
         visited.insert(package);
 
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index fb967efc098..9e9d1744c0f 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -117,7 +117,8 @@ fn build_sbom_using_cargo_config() {
                 "wrapper": null,
                 "workspace_wrapper": null,
                 "commit_hash": "[..]",
-                "host": "[..]"
+                "host": "[..]",
+                "verbose_version": "{...}"
             }
         }
         "#,
@@ -252,6 +253,23 @@ fn build_sbom_with_simple_build_script() {
                     "features": [],
                     "package": "foo",
                     "package_id": "path+file://[..]/foo#0.0.1",
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": false,
+                        "debuginfo": 2,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": false,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": null,
+                        "strip": {
+                            "deferred": "None"
+                        }
+                    },
                     "version": "0.0.1"
                 },
                 {
@@ -261,7 +279,24 @@ fn build_sbom_with_simple_build_script() {
                     "features": [],
                     "build_type": "normal",
                     "extern_crate_name": "build_script_build",
-                    "dependencies": []
+                    "dependencies": [],
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": true,
+                        "debuginfo": 0,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": true,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": "{...}",
+                        "strip": {
+                            "deferred": "None"
+                        }
+                    }
                 }
             ],
             "features": [],
@@ -270,7 +305,8 @@ fn build_sbom_with_simple_build_script() {
                 "wrapper": null,
                 "workspace_wrapper": null,
                 "commit_hash": "[..]",
-                "host": "[..]"
+                "host": "[..]",
+                "verbose_version": "{...}"
             }
         }"#,
     );
@@ -391,7 +427,24 @@ fn build_sbom_with_build_dependencies() {
                             "version": "0.1.0",
                             "features": []
                         }
-                    ]
+                    ],
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": false,
+                        "debuginfo": 2,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": false,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": "{...}",
+                        "strip": {
+                            "deferred": "None"
+                        }
+                    }
                 },
                 {
                     "package_id": "registry+[..]#bar@0.1.0",
@@ -407,7 +460,24 @@ fn build_sbom_with_build_dependencies() {
                             "version": "0.1.0",
                             "features": []
                         }
-                    ]
+                    ],
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": true,
+                        "debuginfo": 0,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": true,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": "{...}",
+                        "strip": {
+                            "deferred": "None"
+                        }
+                    }
                 },
                 {
                     "package_id": "registry+[..]#baz@0.1.0",
@@ -416,7 +486,24 @@ fn build_sbom_with_build_dependencies() {
                     "features": [],
                     "build_type": "normal",
                     "extern_crate_name": "baz",
-                    "dependencies": []
+                    "dependencies": [],
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": true,
+                        "debuginfo": 0,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": true,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": "{...}",
+                        "strip": {
+                            "deferred": "None"
+                        }
+                    }
                 }
             ],
             "features": [],
@@ -425,7 +512,8 @@ fn build_sbom_with_build_dependencies() {
                 "wrapper": null,
                 "workspace_wrapper": null,
                 "commit_hash": "[..]",
-                "host": "[..]"
+                "host": "[..]",
+                "verbose_version": "{...}"
             }
         }"#,
     );

From 3038e32b56cf368d6c5dfcfae7e08e57a97ee520 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Tue, 28 May 2024 11:46:56 +0200
Subject: [PATCH 17/22] Add test to check multiple crate types

---
 crates/cargo-test-support/src/lib.rs | 10 ++++
 tests/testsuite/sbom.rs              | 85 ++++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)

diff --git a/crates/cargo-test-support/src/lib.rs b/crates/cargo-test-support/src/lib.rs
index ac4e342da44..f13f5d5834c 100644
--- a/crates/cargo-test-support/src/lib.rs
+++ b/crates/cargo-test-support/src/lib.rs
@@ -418,6 +418,16 @@ impl Project {
             .join(paths::get_lib_filename(name, kind))
     }
 
+    /// Path to a dynamic library.
+    /// ex: `/path/to/cargo/target/cit/t0/foo/target/debug/examples/libex.dylib`
+    pub fn dylib(&self, name: &str) -> PathBuf {
+        self.target_debug_dir().join(format!(
+            "{}{name}{}",
+            env::consts::DLL_PREFIX,
+            env::consts::DLL_SUFFIX
+        ))
+    }
+
     /// Path to a debug binary.
     ///
     /// ex: `$CARGO_TARGET_TMPDIR/cit/t0/foo/target/debug/foo`
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index 9e9d1744c0f..ec15f79f48b 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -172,6 +172,91 @@ fn build_sbom_project_bin_and_lib() {
     );
 }
 
+#[cargo_test]
+fn build_sbom_with_multiple_crate_types() {
+    let p = configured_project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "foo"
+                version = "1.2.3"
+                authors = []
+
+                [lib]
+                crate-type = ["dylib", "rlib"]
+            "#,
+        )
+        .file("src/main.rs", r#"fn main() { let _i = foo::give_five(); }"#)
+        .file("src/lib.rs", r#"pub fn give_five() -> i32 { 5 }"#)
+        .build();
+
+    p.cargo("build -Zsbom")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
+
+    assert_eq!(
+        3,
+        p.glob(p.target_debug_dir().join("*.cargo-sbom.json"))
+            .count()
+    );
+
+    let sbom_path = with_sbom_suffix(&p.dylib("foo"));
+    assert!(sbom_path.is_file());
+
+    assert_json_output(
+        sbom_path,
+        r#"
+        {
+            "format_version": 1,
+            "package_id": "path+file://[..]/foo#1.2.3",
+            "name": "foo",
+            "version": "1.2.3",
+            "source": "[ROOT]/foo",
+            "target": {
+               "kind": [
+                    "dylib",
+                    "rlib"
+                ],
+                "crate_types": [
+                    "dylib",
+                    "rlib"
+                ],
+                "name": "foo",
+                "edition": "2015"
+            },
+            "profile": {
+                "name": "dev",
+                "opt_level": "0",
+                "lto": "false",
+                "codegen_backend": null,
+                "codegen_units": null,
+                "debuginfo": 2,
+                "split_debuginfo": "{...}",
+                "debug_assertions": true,
+                "overflow_checks": true,
+                "rpath": false,
+                "incremental": false,
+                "panic": "unwind",
+                "strip": {
+                    "deferred": "None"
+                }
+            },
+            "packages": [],
+            "features": [],
+            "rustc": {
+                "version": "[..]",
+                "wrapper": null,
+                "workspace_wrapper": null,
+                "commit_hash": "[..]",
+                "host": "[..]",
+                "verbose_version": "{...}"
+            }
+        }
+        "#,
+    )
+}
+
 #[cargo_test]
 fn build_sbom_with_simple_build_script() {
     let p = configured_project()

From 14f49eb733d7e0ae2ca8b3f15ca95cf693acb024 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Tue, 28 May 2024 12:06:25 +0200
Subject: [PATCH 18/22] Add test to check artifact name conflict

---
 tests/testsuite/sbom.rs | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index ec15f79f48b..ae0b62620cd 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -172,6 +172,42 @@ fn build_sbom_project_bin_and_lib() {
     );
 }
 
+#[cargo_test]
+fn build_sbom_with_artifact_name_conflict() {
+    Package::new("deps", "0.1.0")
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "deps" # name conflict
+                version = "0.1.0"
+                authors = []
+            "#,
+        )
+        .file("src/lib.rs", "pub fn bar() -> i32 { 2 }")
+        .publish();
+
+    let p = configured_project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "foo"
+                version = "0.0.1"
+                authors = []
+
+                [dependencies]
+                deps = "0.1.0"
+            "#,
+        )
+        .file("src/main.rs", "fn main() { let _i = deps::bar(); }")
+        .build();
+
+    p.cargo("build -Zsbom")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
+}
+
 #[cargo_test]
 fn build_sbom_with_multiple_crate_types() {
     let p = configured_project()

From 838f03434882194b2c53bb380354d738277d41db Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Thu, 11 Jul 2024 11:44:39 +0200
Subject: [PATCH 19/22] Use SbomProfile to wrap Profile type

This adds the `SbomProfile` to convert the existing `Profile` into, to
expose relevant fields. For now it removes the `strip` field, while
serializing all other fields. It should keep the output consistent, even
when fields in the `Profile` change, e.g. new field added.
---
 src/cargo/core/compiler/output_sbom.rs | 61 ++++++++++++++++++++++----
 tests/testsuite/sbom.rs                | 45 ++++---------------
 2 files changed, 62 insertions(+), 44 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 1afc16e8d72..2db83540b75 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -11,7 +11,7 @@ use itertools::Itertools;
 use semver::Version;
 use serde::Serialize;
 
-use crate::core::profiles::Profile;
+use crate::core::profiles::{DebugInfo, Lto, Profile};
 use crate::core::{Target, TargetKind};
 use crate::util::Rustc;
 use crate::CargoResult;
@@ -69,14 +69,59 @@ impl From<&UnitDep> for SbomDependency {
     }
 }
 
+/// A profile can be overriden for individual packages.
+///
+/// This wraps a [`Profile`] object.
+/// See <https://doc.rust-lang.org/nightly/cargo/reference/profiles.html#overrides>
+#[derive(Serialize, Clone, Debug)]
+struct SbomProfile {
+    name: String,
+    opt_level: String,
+    lto: Lto,
+    codegen_backend: Option<String>,
+    codegen_units: Option<u32>,
+    debuginfo: DebugInfo,
+    split_debuginfo: Option<String>,
+    debug_assertions: bool,
+    overflow_checks: bool,
+    rpath: bool,
+    incremental: bool,
+    panic: String,
+    #[serde(skip_serializing_if = "Vec::is_empty")] // remove when `rustflags` is stablized
+    rustflags: Vec<String>,
+}
+
+impl From<&Profile> for SbomProfile {
+    fn from(profile: &Profile) -> Self {
+        let rustflags = profile
+            .rustflags
+            .iter()
+            .map(|x| x.to_string())
+            .collect_vec();
+
+        Self {
+            name: profile.name.to_string(),
+            opt_level: profile.opt_level.to_string(),
+            lto: profile.lto,
+            codegen_backend: profile.codegen_backend.map(|x| x.to_string()),
+            codegen_units: profile.codegen_units.clone(),
+            debuginfo: profile.debuginfo.clone(),
+            split_debuginfo: profile.split_debuginfo.map(|x| x.to_string()),
+            debug_assertions: profile.debug_assertions,
+            overflow_checks: profile.overflow_checks,
+            rpath: profile.rpath,
+            incremental: profile.incremental,
+            panic: profile.panic.to_string(),
+            rustflags,
+        }
+    }
+}
+
 #[derive(Serialize, Clone, Debug)]
 struct SbomPackage {
     package_id: PackageIdSpec,
     package: String,
-    /// A profile can be overriden for individual packages
-    ///
-    /// See <https://doc.rust-lang.org/nightly/cargo/reference/profiles.html#overrides>
-    profile: Option<Profile>,
+    profile: Option<SbomProfile>,
     version: Option<Version>,
     features: Vec<String>,
     build_type: SbomBuildType,
@@ -94,7 +139,7 @@ impl SbomPackage {
         let package_id = dep.unit.pkg.package_id().to_spec();
         let package = package_id.name().to_string();
         let profile = if &dep.unit.profile != root_profile {
-            Some(dep.unit.profile.clone())
+            Some((&dep.unit.profile).into())
         } else {
             None
         };
@@ -169,7 +214,7 @@ struct Sbom {
     version: String,
     source: String,
     target: SbomTarget,
-    profile: Profile,
+    profile: SbomProfile,
     packages: Vec<SbomPackage>,
     features: Vec<String>,
     rustc: SbomRustc,
@@ -182,7 +227,7 @@ impl Sbom {
         let version = unit.pkg.version().to_string();
         let source = unit.pkg.package_id().source_id().to_string();
         let target = (&unit.target).into();
-        let profile = unit.profile.clone();
+        let profile = (&unit.profile).into();
         let features = unit.features.iter().map(|f| f.to_string()).collect();
 
         Self {
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index ae0b62620cd..06a6e7b9251 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -105,10 +105,7 @@ fn build_sbom_using_cargo_config() {
                 "overflow_checks": true,
                 "rpath": false,
                 "incremental": false,
-                "panic": "unwind",
-                "strip": {
-                    "deferred": "None"
-                }
+                "panic": "unwind"
             },
             "packages": [],
             "features": [],
@@ -273,10 +270,7 @@ fn build_sbom_with_multiple_crate_types() {
                 "overflow_checks": true,
                 "rpath": false,
                 "incremental": false,
-                "panic": "unwind",
-                "strip": {
-                    "deferred": "None"
-                }
+                "panic": "unwind"
             },
             "packages": [],
             "features": [],
@@ -354,10 +348,7 @@ fn build_sbom_with_simple_build_script() {
                 "overflow_checks": true,
                 "rpath": false,
                 "incremental": false,
-                "panic": "unwind",
-                "strip": {
-                    "deferred": "None"
-                }
+                "panic": "unwind"
             },
             "packages": [
                 {
@@ -386,10 +377,7 @@ fn build_sbom_with_simple_build_script() {
                         "overflow_checks": false,
                         "panic": "unwind",
                         "rpath": false,
-                        "split_debuginfo": null,
-                        "strip": {
-                            "deferred": "None"
-                        }
+                        "split_debuginfo": null
                     },
                     "version": "0.0.1"
                 },
@@ -413,10 +401,7 @@ fn build_sbom_with_simple_build_script() {
                         "overflow_checks": true,
                         "panic": "unwind",
                         "rpath": false,
-                        "split_debuginfo": "{...}",
-                        "strip": {
-                            "deferred": "None"
-                        }
+                        "split_debuginfo": "{...}"
                     }
                 }
             ],
@@ -512,10 +497,7 @@ fn build_sbom_with_build_dependencies() {
                 "overflow_checks": true,
                 "rpath": false,
                 "incremental": false,
-                "panic": "unwind",
-                "strip": {
-                    "deferred": "None"
-                }
+                "panic": "unwind"
             },
             "packages": [
                 {
@@ -561,10 +543,7 @@ fn build_sbom_with_build_dependencies() {
                         "overflow_checks": false,
                         "panic": "unwind",
                         "rpath": false,
-                        "split_debuginfo": "{...}",
-                        "strip": {
-                            "deferred": "None"
-                        }
+                        "split_debuginfo": "{...}"
                     }
                 },
                 {
@@ -594,10 +573,7 @@ fn build_sbom_with_build_dependencies() {
                         "overflow_checks": true,
                         "panic": "unwind",
                         "rpath": false,
-                        "split_debuginfo": "{...}",
-                        "strip": {
-                            "deferred": "None"
-                        }
+                        "split_debuginfo": "{...}"
                     }
                 },
                 {
@@ -620,10 +596,7 @@ fn build_sbom_with_build_dependencies() {
                         "overflow_checks": true,
                         "panic": "unwind",
                         "rpath": false,
-                        "split_debuginfo": "{...}",
-                        "strip": {
-                            "deferred": "None"
-                        }
+                        "split_debuginfo": "{...}"
                     }
                 }
             ],

From 0ecb83a29d09b05353a8dca785c989d57a4ee5fd Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Thu, 11 Jul 2024 11:51:58 +0200
Subject: [PATCH 20/22] Document package profile

* only export `profile` field in case it differs from root profile
---
 src/cargo/core/compiler/output_sbom.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 2db83540b75..1a04684356b 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -117,10 +117,13 @@ impl From<&Profile> for SbomProfile {
     }
 }
 
+/// Describes a package dependency
 #[derive(Serialize, Clone, Debug)]
 struct SbomPackage {
     package_id: PackageIdSpec,
     package: String,
+    /// Package profile is given when it differs from the root level [`Profile`].
+    #[serde(skip_serializing_if = "Option::is_none")]
     profile: Option<SbomProfile>,
     version: Option<Version>,
     features: Vec<String>,

From 8f7216e4b7ffc0e57ba5a9df538421c168eb464c Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Thu, 11 Jul 2024 12:57:08 +0200
Subject: [PATCH 21/22] Add test to check different features

The added test uses a crate with multiple features. The main crate uses
the dependency in the normal build & the custom build script with
different features.
---
 tests/testsuite/sbom.rs | 209 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 209 insertions(+)

diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index 06a6e7b9251..30c50f17b12 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -612,3 +612,212 @@ fn build_sbom_with_build_dependencies() {
         }"#,
     );
 }
+
+#[cargo_test]
+fn build_sbom_crate_uses_different_features_for_build_and_normal_dependencies() {
+    let p = configured_project()
+        .file(
+            "Cargo.toml",
+            r#"
+                [package]
+                name = "a"
+                version = "0.1.0"
+                edition = "2021"
+                authors = []
+
+                [dependencies]
+                b = { path = "b/", features = ["f1"] }
+
+                [build-dependencies]
+                b = { path = "b/", features = ["f2"] }
+            "#,
+        )
+        .file(
+            "src/main.rs",
+            r#"
+                fn main() { b::f1(); }
+            "#,
+        )
+        .file(
+            "build.rs",
+            r#"
+                fn main() { b::f2(); }
+            "#,
+        )
+        .file(
+            "b/Cargo.toml",
+            r#"
+                [package]
+                name = "b"
+                version = "0.0.1"
+                edition = "2021"
+
+                [features]
+                f1 = []
+                f2 = []
+            "#,
+        )
+        .file(
+            "b/src/lib.rs",
+            r#"
+                #[cfg(feature = "f1")]
+                pub fn f1() {}
+
+                #[cfg(feature = "f2")]
+                pub fn f2() {}
+            "#,
+        )
+        .build();
+
+    p.cargo("build -Zsbom")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
+
+    let path = with_sbom_suffix(&p.bin("a"));
+    assert!(path.is_file());
+
+    assert_json_output(
+        path,
+        r#"
+        {
+            "features": [],
+            "format_version": 1,
+            "package_id": "path+file:///[..]#a@0.1.0",
+            "name": "a",
+            "version": "0.1.0",
+            "source": "[ROOT]/foo",
+            "target": {
+                "crate_types": [
+                    "bin"
+                ],
+                "edition": "2021",
+                "kind": [
+                    "bin"
+                ],
+                "name": "a"
+            },
+            "packages": [
+                {
+                    "build_type": "build",
+                    "dependencies": [
+                        {
+                            "features": [],
+                            "name": "a",
+                            "package_id": "path+file:///[..]#a@0.1.0",
+                            "version": "0.1.0"
+                        }
+                    ],
+                    "extern_crate_name": "build_script_build",
+                    "features": [],
+                    "package": "a",
+                    "package_id": "path+file:///[..]#a@0.1.0",
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": false,
+                        "debuginfo": 2,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": false,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": null
+                    },
+                    "version": "0.1.0"
+                },
+                {
+                    "build_type": "normal",
+                    "dependencies": [
+                        {
+                            "features": [
+                                "f2"
+                            ],
+                            "name": "b",
+                            "package_id": "path+file:///[..]b#0.0.1",
+                            "version": "0.0.1"
+                        }
+                    ],
+                    "extern_crate_name": "build_script_build",
+                    "features": [],
+                    "package": "a",
+                    "package_id": "path+file:///[..]#a@0.1.0",
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": true,
+                        "debuginfo": 0,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": true,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": "{...}"
+                    },
+                    "version": "0.1.0"
+                },
+                {
+                    "build_type": "normal",
+                    "dependencies": [],
+                    "extern_crate_name": "b",
+                    "features": [
+                        "f2"
+                    ],
+                    "package": "b",
+                    "package_id": "path+file:///[..]b#0.0.1",
+                    "profile": {
+                        "codegen_backend": null,
+                        "codegen_units": null,
+                        "debug_assertions": true,
+                        "debuginfo": 0,
+                        "incremental": false,
+                        "lto": "false",
+                        "name": "dev",
+                        "opt_level": "0",
+                        "overflow_checks": true,
+                        "panic": "unwind",
+                        "rpath": false,
+                        "split_debuginfo": "{...}"
+                    },
+                    "version": "0.0.1"
+                },
+                {
+                    "build_type": "normal",
+                    "dependencies": [],
+                    "extern_crate_name": "b",
+                    "features": [
+                        "f1"
+                    ],
+                    "package": "b",
+                    "package_id": "path+file:///[..]b#0.0.1",
+                    "version": "0.0.1"
+                }
+            ],
+            "profile": {
+                "codegen_backend": null,
+                "codegen_units": null,
+                "debug_assertions": true,
+                "debuginfo": 2,
+                "incremental": false,
+                "lto": "false",
+                "name": "dev",
+                "opt_level": "0",
+                "overflow_checks": true,
+                "panic": "unwind",
+                "rpath": false,
+                "split_debuginfo": "{...}"
+            },
+            "rustc": {
+              "commit_hash": "[..]",
+              "host": "[..]",
+              "verbose_version": "{...}",
+              "version": "[..]",
+              "workspace_wrapper": null,
+              "wrapper": null
+            }
+        }"#,
+    );
+}

From bc9529955a05d05f0317130247bdb728894c5c75 Mon Sep 17 00:00:00 2001
From: Sebastian Ziebell <sebastian.ziebell@ferrous-systems.com>
Date: Mon, 5 Aug 2024 15:13:19 +0200
Subject: [PATCH 22/22] Refactor storing of package dependencies

All dependencies for a package are indices into the `packages` list now.
This sets the correct association between a dependency & its associated
package.

* remove `SbomDependency` struct
---
 src/cargo/core/compiler/output_sbom.rs | 113 +++++++++++--------------
 tests/testsuite/sbom.rs                |  58 ++-----------
 2 files changed, 56 insertions(+), 115 deletions(-)

diff --git a/src/cargo/core/compiler/output_sbom.rs b/src/cargo/core/compiler/output_sbom.rs
index 1a04684356b..d927076f2ef 100644
--- a/src/cargo/core/compiler/output_sbom.rs
+++ b/src/cargo/core/compiler/output_sbom.rs
@@ -39,36 +39,6 @@ impl<const V: u32> Serialize for SbomFormatVersion<V> {
     }
 }
 
-/// A package dependency
-#[derive(Serialize, Clone, Debug)]
-struct SbomDependency {
-    name: String,
-    package_id: PackageIdSpec,
-    version: Option<Version>,
-    features: Vec<String>,
-}
-
-impl From<&UnitDep> for SbomDependency {
-    fn from(dep: &UnitDep) -> Self {
-        let package_id = dep.unit.pkg.package_id().to_spec();
-        let name = package_id.name().to_string();
-        let version = package_id.version();
-        let features = dep
-            .unit
-            .features
-            .iter()
-            .map(|f| f.to_string())
-            .collect_vec();
-
-        Self {
-            name,
-            package_id,
-            version,
-            features,
-        }
-    }
-}
-
 /// A profile can be overriden for individual packages.
 ///
 /// This wraps a [`Profile`] object.
@@ -129,25 +99,27 @@ struct SbomPackage {
     features: Vec<String>,
     build_type: SbomBuildType,
     extern_crate_name: String,
-    dependencies: Vec<SbomDependency>,
+    /// Indices into the `packages` array
+    dependencies: Vec<usize>,
 }
 
 impl SbomPackage {
-    pub fn new(
-        dep: &UnitDep,
-        dependencies: Vec<SbomDependency>,
-        build_type: SbomBuildType,
-        root_profile: &Profile,
-    ) -> Self {
-        let package_id = dep.unit.pkg.package_id().to_spec();
+    pub fn new(unit_dep: &UnitDep, root_profile: &Profile) -> Self {
+        let package_id = unit_dep.unit.pkg.package_id().to_spec();
         let package = package_id.name().to_string();
-        let profile = if &dep.unit.profile != root_profile {
-            Some((&dep.unit.profile).into())
+        let profile = if &unit_dep.unit.profile != root_profile {
+            Some((&unit_dep.unit.profile).into())
         } else {
             None
         };
+        let build_type = if unit_dep.unit.mode.is_run_custom_build() {
+            SbomBuildType::Build
+        } else {
+            SbomBuildType::Normal
+        };
+
         let version = package_id.version();
-        let features = dep
+        let features = unit_dep
             .unit
             .features
             .iter()
@@ -161,8 +133,8 @@ impl SbomPackage {
             version,
             features,
             build_type,
-            extern_crate_name: dep.extern_crate_name.to_string(),
-            dependencies,
+            extern_crate_name: unit_dep.extern_crate_name.to_string(),
+            dependencies: Vec::new(),
         }
     }
 }
@@ -267,41 +239,54 @@ pub fn output_sbom(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Cargo
 }
 
 /// Fetch all dependencies, including transitive ones. A dependency can also appear multiple times
-/// if it's included with different versions.
+/// if it's using different settings, e.g. profile, features or crate versions.
+///
+/// A package's `dependencies` is a list of indices into the `packages` array.
 fn collect_packages(build_runner: &mut BuildRunner<'_, '_>, unit: &Unit) -> Vec<SbomPackage> {
     let unit_graph = &build_runner.bcx.unit_graph;
     let root_deps = build_runner.unit_deps(unit);
     let root_profile = &unit.profile;
 
-    let mut result = Vec::new();
+    let mut packages = Vec::new();
     let mut queue: BTreeSet<&UnitDep> = root_deps.iter().collect();
-    let mut visited = BTreeSet::new();
+    let mut visited_dependencies = BTreeSet::new();
 
-    while let Some(package) = queue.pop_first() {
-        if visited.contains(package) {
+    // each package should appear only once in the `packages` block
+    while let Some(dependency) = queue.pop_first() {
+        if visited_dependencies.contains(dependency) {
             continue;
         }
 
-        let build_type = if package.unit.mode.is_run_custom_build() {
-            SbomBuildType::Build
-        } else {
-            SbomBuildType::Normal
-        };
+        let mut dependencies: BTreeSet<&UnitDep> = unit_graph[&dependency.unit].iter().collect();
 
-        let mut dependencies: BTreeSet<&UnitDep> = unit_graph[&package.unit].iter().collect();
-        let sbom_dependencies = dependencies.iter().map(|dep| (*dep).into()).collect_vec();
+        // each seen package is returned
+        packages.push(SbomPackage::new(dependency, root_profile));
 
-        result.push(SbomPackage::new(
-            package,
-            sbom_dependencies,
-            build_type,
-            root_profile,
-        ));
+        // append dependencies to back of queue
+        queue.append(&mut dependencies);
+        visited_dependencies.insert(dependency);
+    }
 
-        visited.insert(package);
+    // Collect all indices for each package's dependencies
+    //
+    // At this point `visited_packages` contains the [`UnitDep`] the `packages` Vec is generated with.
+    // They have the same number of objects in the same order, therefore using an index is fine.
+    for (index, package) in visited_dependencies.iter().enumerate() {
+        let dependencies: BTreeSet<&UnitDep> = unit_graph[&package.unit].iter().collect();
 
-        queue.append(&mut dependencies);
+        let mut indices = dependencies
+            .iter()
+            .filter_map(|dep| {
+                visited_dependencies
+                    .iter()
+                    .position(|unit_dep| dep == unit_dep)
+            })
+            .collect::<Vec<_>>();
+
+        if let Some(package) = packages.get_mut(index) {
+            package.dependencies.append(&mut indices);
+        }
     }
 
-    result
+    packages
 }
diff --git a/tests/testsuite/sbom.rs b/tests/testsuite/sbom.rs
index 30c50f17b12..4da44c2d49d 100644
--- a/tests/testsuite/sbom.rs
+++ b/tests/testsuite/sbom.rs
@@ -353,14 +353,7 @@ fn build_sbom_with_simple_build_script() {
             "packages": [
                 {
                     "build_type": "build",
-                    "dependencies": [
-                        {
-                            "features": [],
-                            "name": "foo",
-                            "package_id": "path+file://[..]/foo#0.0.1",
-                            "version": "0.0.1"
-                        }
-                    ],
+                    "dependencies": [],
                     "extern_crate_name": "build_script_build",
                     "features": [],
                     "package": "foo",
@@ -388,7 +381,7 @@ fn build_sbom_with_simple_build_script() {
                     "features": [],
                     "build_type": "normal",
                     "extern_crate_name": "build_script_build",
-                    "dependencies": [],
+                    "dependencies": [0],
                     "profile": {
                         "codegen_backend": null,
                         "codegen_units": null,
@@ -507,14 +500,7 @@ fn build_sbom_with_build_dependencies() {
                     "features": [],
                     "build_type": "normal",
                     "extern_crate_name": "bar",
-                    "dependencies": [
-                        {
-                            "name": "bar",
-                            "package_id": "registry+[..]#bar@0.1.0",
-                            "version": "0.1.0",
-                            "features": []
-                        }
-                    ]
+                    "dependencies": [2]
                 },
                 {
                     "package_id": "registry+[..]#bar@0.1.0",
@@ -523,14 +509,7 @@ fn build_sbom_with_build_dependencies() {
                     "features": [],
                     "build_type": "build",
                     "extern_crate_name": "build_script_build",
-                    "dependencies": [
-                        {
-                            "name": "bar",
-                            "package_id": "registry+[..]#bar@0.1.0",
-                            "version": "0.1.0",
-                            "features": []
-                        }
-                    ],
+                    "dependencies": [3],
                     "profile": {
                         "codegen_backend": null,
                         "codegen_units": null,
@@ -553,14 +532,7 @@ fn build_sbom_with_build_dependencies() {
                     "features": [],
                     "build_type": "normal",
                     "extern_crate_name": "build_script_build",
-                    "dependencies": [
-                        {
-                            "name": "baz",
-                            "package_id": "registry+[..]#baz@0.1.0",
-                            "version": "0.1.0",
-                            "features": []
-                        }
-                    ],
+                    "dependencies": [1],
                     "profile": {
                         "codegen_backend": null,
                         "codegen_units": null,
@@ -699,14 +671,7 @@ fn build_sbom_crate_uses_different_features_for_build_and_normal_dependencies()
             "packages": [
                 {
                     "build_type": "build",
-                    "dependencies": [
-                        {
-                            "features": [],
-                            "name": "a",
-                            "package_id": "path+file:///[..]#a@0.1.0",
-                            "version": "0.1.0"
-                        }
-                    ],
+                    "dependencies": [2],
                     "extern_crate_name": "build_script_build",
                     "features": [],
                     "package": "a",
@@ -729,16 +694,7 @@ fn build_sbom_crate_uses_different_features_for_build_and_normal_dependencies()
                 },
                 {
                     "build_type": "normal",
-                    "dependencies": [
-                        {
-                            "features": [
-                                "f2"
-                            ],
-                            "name": "b",
-                            "package_id": "path+file:///[..]b#0.0.1",
-                            "version": "0.0.1"
-                        }
-                    ],
+                    "dependencies": [0],
                     "extern_crate_name": "build_script_build",
                     "features": [],
                     "package": "a",