
document sbom requirements #11

Merged
merged 1 commit into from
Sep 24, 2024

Conversation

@deitch deitch (Contributor) commented Sep 24, 2024

When building binaries with Rust, they do not include all of the dependency information used to build them, for example cargo packages. This means that if the final image does not include source, which it usually doesn't, there is no way for an SBOM scanner to discover the input dependencies.

For example:

FROM eve-rust AS build
WORKDIR /src
COPY . .
RUN cargo build --release

FROM scratch
COPY --from=build /src/target/release/binary /

In an image generated from the above Dockerfile, an SBOM scanner will see solely the final binary, scan it, and get nothing.

eve-rust already has the tools to handle this by installing the cargo-sbom plugin. Hence, one can do:

FROM eve-rust AS build
WORKDIR /src
COPY . .
RUN cargo build --release
RUN cargo sbom > target/release/sbom.spdx.json   # <--- NEW LINE

FROM scratch
COPY --from=build /src/target/release/binary /
COPY --from=build /src/target/release/sbom.spdx.json /      # <--- NEW LINE

Ideally, this would be automated. The upstreaming of cargo sbom into cargo itself is in process, see this RFC.

While we could create all sorts of convoluted scripts to automate this process here, it would violate the principle of least surprise. Someone would type cargo build and get unexpected artifacts, as well as possibly forgetting to copy the JSON over to the final image.

Until the above rust-lang RFC is complete, we will rely on human process.

This PR updates the documentation on eve-rust to be much more explicit about the need for SBoM, and includes a link to the RFC process.

Signed-off-by: Avi Deitcher <avi@deitcher.net>
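Since the PR leaves the SBOM step to human process, the natural defensive complement is a CI gate that refuses to ship an image whose SBOM is missing or lists no cargo dependencies. The script below is an added example for that check; it is not part of this PR or of eve-rust. It assumes the file produced by `cargo sbom` is an SPDX 2.x JSON document whose packages carry `pkg:cargo/...` package URLs in `externalRefs` (standard SPDX fields; the package list embedded here is constructed, not real cargo-sbom output). The root crate name `binary` matches the Dockerfile above.

```python
import json

# Constructed sample in the shape of an SPDX 2.3 JSON document. The field names
# are the standard SPDX ones; the package list is invented for this example.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "binary",
    "packages": [
        {"name": "binary", "SPDXID": "SPDXRef-Package-binary", "versionInfo": "0.1.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:cargo/binary@0.1.0"}]},
        {"name": "serde", "SPDXID": "SPDXRef-Package-serde", "versionInfo": "1.0.210",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:cargo/serde@1.0.210"}]},
        {"name": "libc", "SPDXID": "SPDXRef-Package-libc", "versionInfo": "0.2.158",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:cargo/libc@0.2.158"}]},
    ],
})

# Constructed: a document with a valid header but no packages at all, which is
# effectively what a scanner learns from a stripped binary alone.
EMPTY_SBOM = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                         "name": "binary", "packages": []})

CARGO_PREFIX = "pkg:cargo/"


def cargo_purls_from_doc(doc):
    """Collect every pkg:cargo/... package URL from a parsed SPDX document."""
    purls = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            locator = ref.get("referenceLocator", "")
            if ref.get("referenceType") == "purl" and locator.startswith(CARGO_PREFIX):
                purls.append(locator)
    return purls


def cargo_purls(sbom_text):
    """Same as above, starting from the raw JSON text of the SBOM file."""
    return cargo_purls_from_doc(json.loads(sbom_text))


def crate_name(purl):
    """'pkg:cargo/serde@1.0.210' -> 'serde' (version and qualifiers dropped)."""
    return purl[len(CARGO_PREFIX):].split("@", 1)[0].split("?", 1)[0]


def check_sbom(sbom_text, root_name, min_dependencies=1):
    """Gate a build on its SBOM. Returns (ok, reasons); reasons is empty when ok.

    Fails when the file is not JSON, is not an SPDX document, does not list the
    root crate, or lists fewer cargo dependencies than min_dependencies.
    """
    reasons = []
    try:
        doc = json.loads(sbom_text)
    except ValueError as exc:
        return False, [f"not valid JSON: {exc}"]
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        reasons.append("missing or non-SPDX spdxVersion")
    names = {crate_name(p) for p in cargo_purls_from_doc(doc)}
    if root_name not in names:
        reasons.append(f"root crate {root_name!r} not listed")
    deps = len(names - {root_name})
    if deps < min_dependencies:
        reasons.append(f"only {deps} cargo dependencies listed (need >= {min_dependencies})")
    return (not reasons), reasons


if __name__ == "__main__":
    # In CI this would read target/release/sbom.spdx.json from the build stage.
    for label, text in (("sample", SAMPLE_SBOM), ("empty", EMPTY_SBOM)):
        ok, reasons = check_sbom(text, "binary")
        print(f"{label}: {'OK' if ok else 'FAIL'} {reasons}")
```

Run it against the real `target/release/sbom.spdx.json` in the build stage (or against the file copied into the final image) and make a non-zero exit block the push; the `min_dependencies` floor is the point, since a header-only SPDX file would otherwise pass a naive "file exists" check.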
@deitch deitch merged commit a3a0c4e into main Sep 24, 2024
2 checks passed
@deitch deitch deleted the doc-sbom-deps branch September 24, 2024 09:20