From: Remi Gacogne
Date: Tue, 30 Dec 2025 09:44:09 +0000 (+0100)
Subject: SBOM: Install a pinned version of `cargo-cyclonedx`
X-Git-Tag: rec-5.4.0-beta1~52^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7983170c3c80e6b9e18800667ca72892b925d0d;p=thirdparty%2Fpdns.git
SBOM: Install a pinned version of `cargo-cyclonedx`
Signed-off-by: Remi Gacogne
---
diff --git a/builder-support/helpers/cargo_cyclonedx.json b/builder-support/helpers/cargo_cyclonedx.json
new file mode 100644
index 0000000000..3028428789
--- /dev/null
+++ b/builder-support/helpers/cargo_cyclonedx.json
@@ -0,0 +1,7 @@
+{
+ "version": "0.5.7",
+ "license": "Apache-2.0",
+ "publisher": "https://github.com/CycloneDX/cyclonedx-rust-cargo",
+ "SHA256SUM": "3ac7058fba657f8cfd56c6e1cfb47ad024fa76070a6286ecf26a16f0d88e3ce2",
+ "cargo-based": true
+}
diff --git a/builder-support/helpers/install_cargo_cyclonedx.sh b/builder-support/helpers/install_cargo_cyclonedx.sh
index dd9a5f0eb2..1c3430ff3e 100755
--- a/builder-support/helpers/install_cargo_cyclonedx.sh
+++ b/builder-support/helpers/install_cargo_cyclonedx.sh
@@ -1,5 +1,30 @@
 #!/bin/sh
-
+set -v
 set -e
-cargo install --root / cargo-cyclonedx
+[ -e /tmp/.pdns_cargocyclonedx_installed ] && exit 0
+
+readonly CARGO_CYCLONEDX_VERSION=$(jq -r .version < cargo_cyclonedx.json)
+readonly CARGO_CYCLONEDX_TARBALL="cargo-cyclonedx-${CARGO_CYCLONEDX_VERSION}.tar.gz"
+readonly CARGO_CYCLONEDX_TARBALL_URL="https://github.com/CycloneDX/cyclonedx-rust-cargo/archive/refs/tags/${CARGO_CYCLONEDX_TARBALL}"
+readonly CARGO_CYCLONEDX_TARBALL_HASH=$(jq -r .SHA256SUM < cargo_cyclonedx.json)
+
+cd /tmp
+echo $0: Downloading ${CARGO_CYCLONEDX_TARBALL}
+curl -L -o "${CARGO_CYCLONEDX_TARBALL}" "${CARGO_CYCLONEDX_TARBALL_URL}"
+echo $0: Checking that the hash of ${CARGO_CYCLONEDX_TARBALL} is ${CARGO_CYCLONEDX_TARBALL_HASH}
+# Line below should echo two spaces between digest and name
+echo "${CARGO_CYCLONEDX_TARBALL_HASH}" "${CARGO_CYCLONEDX_TARBALL}" | sha256sum -c -
+tar xf "${CARGO_CYCLONEDX_TARBALL}"
+cd "cyclonedx-rust-cargo-cargo-cyclonedx-${CARGO_CYCLONEDX_VERSION}"
+
+# --locked so we use the pinned versions of dependencies
+# --path because the tarball contains a library and a binary
+# --debug because it is (slightly) faster and we don't care about performance
+# --no-track so we do not write a crates.toml file to /
+RUST_BACKTRACE=1 cargo install --locked --path cargo-cyclonedx --debug --no-track --root /
+
+cd ..
+rm -rf "${CARGO_CYCLONEDX_TARBALL}" "cyclonedx-rust-cargo-cargo-cyclonedx-${CARGO_CYCLONEDX_VERSION}"
+
+touch /tmp/.pdns_cargocyclonedx_installed
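Review bot: The comment `# Line below should echo two spaces between digest and name` does not match the line under it: `echo "${CARGO_CYCLONEDX_TARBALL_HASH}" "${CARGO_CYCLONEDX_TARBALL}"` joins its two arguments with a single space, and as far as I recall at least some `sha256sum -c` implementations (busybox's, for one) only recognise the two-space or ` *` separator and report "no properly formatted checksum lines" instead of verifying anything. Under `set -e` that fails closed rather than open, so it is a build break rather than a bypass, but writing the separator explicitly, `echo "${CARGO_CYCLONEDX_TARBALL_HASH}  ${CARGO_CYCLONEDX_TARBALL}" | sha256sum -c -`, makes the code match the comment and is accepted by every implementation. On the same download path, `curl -L -o` without `--fail` saves an HTTP error body as the tarball, so a 404 (for instance if `jq` returned an empty version and the URL became `cargo-cyclonedx-.tar.gz`) only surfaces later as a confusing hash mismatch; `curl -fL -o "${CARGO_CYCLONEDX_TARBALL}" "${CARGO_CYCLONEDX_TARBALL_URL}"` reports it at the source. Finally, the pinned digest is of a GitHub `archive/refs/tags/` tarball, which is generated on demand and has not historically been guaranteed byte-stable, so a comment above the URL noting that a sudden hash failure may mean the archive was regenerated and the digest must be re-pinned after re-verifying the tag would save the next maintainer a scare.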