Convert to cargo metadata as a backend #496
Conversation
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…sed in production - they will cause the build to fail on a newer compiler if new warnings or lints are added. The right way to do this is configure CI. Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
… a bad idea Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…ts, since we do not control cargo-metadata Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…ly at present Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…utputting the toplevel package in resolve Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…d all_dependencies(), it is required for correctness Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…et, which was ignored by cargo Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Branch force-pushed from cd96562 to 6a731f5
Thank you for the PR! I did take a quick look and have one initial question: We currently run Disclaimer: I have not looked at your follow-up PRs yet.
Even if we ran it for every package separately, we would still have to do the graph traversal to filter out the transitive dev-dependencies. That's implemented in #498. So running
Minor stuff
It's really really hard to not comment on some of the obvious wrong things :)
Co-authored-by: Lars Francke <lars.francke@stackable.tech> Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
Branch force-pushed from d3dedaf to 819b269
This PR switches to the API-stable cargo metadata as opposed to the previous direct dependency on unstable internal APIs of Cargo. It is mostly bug-compatible, with the actual fixes to come in subsequent PRs.
Benefits
cargo metadata
Fixes
One of the tests was creating an invalid dependency that was getting ignored by Cargo, but still included in the SBOM. This is now fixed, and I've updated the test to create a proper dependency.
Behavior changes
The previous code was inconsistent on what kinds of dependencies it includes. It previously included normal only (not build!) in top-level only mode, and all kinds (even dev!) in all deps mode. Now all kinds of dependencies are included always - it's still wrong, but at least it's consistent. Proper filtering by mode and package is implemented in a subsequent PR: #498
Regressions
Reading configuration from Cargo.toml is not fully wired up, although its tests pass. I've skipped it for now and left a comment because this behavior seems to be a bad idea in the first place: #495
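The dependency-kind inconsistency described above, and the graph traversal the discussion says is needed to keep transitive dev-dependencies out of the SBOM, as an added illustration that is not code from this PR or from the project: a constructed stand-in for the `resolve` section of `cargo metadata` output (no real package data, no JSON parsing), with a traversal that follows normal and build edges transitively but dev edges only from the root package, and a `transitive` flag for the "top-level only" mode.

```rust
use std::collections::{BTreeSet, HashMap, VecDeque};

/// Dependency kinds as `cargo metadata` reports them in
/// `resolve.nodes[].deps[].dep_kinds[].kind` (`null` = normal, "build", "dev").
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum DepKind { Normal, Build, Dev }

/// Edges of the resolve graph: package id -> (dependency id, kind).
pub type Graph<'a> = HashMap<&'a str, Vec<(&'a str, DepKind)>>;

/// Constructed sample graph standing in for real `cargo metadata` output.
/// Note the dev-dependency `trybuild` hanging off `serde`: Cargo never builds
/// it for `app`, so an SBOM for `app` must not list it.
pub fn sample_graph() -> Graph<'static> {
    let mut g: Graph = HashMap::new();
    g.insert("app", vec![("serde", DepKind::Normal), ("cc", DepKind::Build), ("criterion", DepKind::Dev)]);
    g.insert("serde", vec![("serde_derive", DepKind::Normal), ("trybuild", DepKind::Dev)]);
    g.insert("serde_derive", vec![("syn", DepKind::Normal)]);
    g.insert("criterion", vec![("rayon", DepKind::Normal)]);
    g.insert("trybuild", vec![("glob", DepKind::Normal)]);
    for leaf in ["cc", "syn", "rayon", "glob"] { g.insert(leaf, vec![]); }
    g
}

/// Packages reachable from `root` that Cargo would actually build.
/// Dev edges are followed only from the root itself, and only when `include_dev`
/// is set; dev-dependencies of transitive crates are skipped everywhere.
/// With `transitive == false` only the root's direct edges are returned.
pub fn dependencies(g: &Graph<'_>, root: &str, transitive: bool, include_dev: bool) -> BTreeSet<String> {
    let mut seen = BTreeSet::new();
    let mut queue = VecDeque::from([root]);
    while let Some(pkg) = queue.pop_front() {
        for &(dep, kind) in g.get(pkg).map(Vec::as_slice).unwrap_or(&[]) {
            if kind == DepKind::Dev && !(pkg == root && include_dev) { continue; }
            // `insert` returning false means we already visited it (also guards cycles).
            if seen.insert(dep.to_string()) && transitive { queue.push_back(dep); }
        }
    }
    seen
}

fn main() {
    let g = sample_graph();
    for (transitive, dev) in [(false, false), (false, true), (true, false), (true, true)] {
        println!("transitive={transitive} dev={dev}: {:?}", dependencies(&g, "app", transitive, dev));
    }
}
```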