Rust Application Analysis

The Cargo coordinate-based matching feature provides the ability to scan and evaluate Rust dependencies found in the Cargo.lock file.

Cargo Package Manager

  • Cargo.lock - Cargo is the package manager for Rust. Cargo downloads Rust dependencies, compiles packages, makes distributable packages, and uploads them to crates.io, the Rust community's package registry.
  • Support includes Security and Identity data.
  • The name and version fields of the dependency under each "package" section are evaluated.

Example Cargo.lock file 

[[package]]
name = "core-nightly"
version = "1.26.2"

[[package]]
name = "grin"
version = "1.0.0"

[[package]]
name = "protobuf"
version = "2.5.0"

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the Cargo.lock file. A custom Scan Target is needed.

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/Cargo.lock']], iqStage: 'build'

For more information on how to configure Jenkins, see the Nexus Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control what files are examined. To evaluate Rust, add Cargo.lock to the scan targets via "**/Cargo.lock". For more information on how to configure Bamboo, see the Nexus IQ for Bamboo.