Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convert to cargo metadata as a backend #496

Merged
merged 26 commits into from
Oct 26, 2023
Merged

Convert to cargo metadata as a backend #496

merged 26 commits into from
Oct 26, 2023

Conversation

Shnatsel
Copy link
Contributor

@Shnatsel Shnatsel commented Oct 26, 2023
edited
Loading

This PR switches to the API-stable cargo metadata as opposed to the previous direct dependency on unstable internal APIs of Cargo.

It is mostly bug-compatible, with the actual fixes to come in subsequent PRs.

Benefits

  • Far smaller binary size
  • Shorter compile times
  • Reliance only on stable APIs will require far less maintenance going forward
  • Download crates in parallel #489 (we got it for free by switching to cargo metadata)

Fixes

One of the tests was creating an invalid dependency that was getting ignored by Cargo, but still included in the SBOM. This is now fixed, and I've updated the test to create a proper dependency.

Behavior changes

The previous code was inconsistent on what kinds of dependencies it includes. It previously included normal only (not build!) in top-level only mode, and all kinds (even dev!) in all deps mode. Now all kinds of dependencies are included always - it's still wrong, but at least it's consistent. Proper filtering by mode and package is implemented in a subsequent PR: #498

Regressions

Reading configuration from Cargo.toml is not fully wired up, although its tests pass. I've skipped it for now and left a comment because this behavior seems to be a bad idea in the first place: #495

@Shnatsel Shnatsel requested a review from a team as a code owner October 26, 2023 06:16
@Shnatsel
Add cargo-metadata as a dependency
11fc031 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Drop logging configuration for Cargo internals
6a85dba 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Drop #[deny] directives for warnings and lints. These should not be u…
79a5c52 
…sed in production - they will cause the build to fail on a newer compiler if new warnings or lints are added. The right way to do this is configure CI.

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Implement querying cargo metadata
1c29f67 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Drop some more #[deny] directives that would break production builds
85225dc 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
WIP conversion of create_sboms() to cargo-metadata
a358ce4 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
convert create_sboms() and create_bom() to cargo-metadata
f7d240c 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Convert the rest of the generator functions to cargo-metadata
9163729 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Comment out toplevel/all dependency filtering for now
efc37f2 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
BEHOLD, IT COMPILES
b3f9ad4 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Purge the last reference to Cargo internals
dbd3367 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Remove Cargo from the dependency tree
7b52d4a 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Re-enable reading config from Cargo.toml, even though this seems like…
c398423 
… a bad idea

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Do not assert any specific error message on invalid Cargo.toml in tes…
7342217 
…ts, since we do not control cargo-metadata

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Add a comment explaining that the configuration does not work correct…
0bdd508 
…ly at present

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
cargo fmt
e519aef 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Reimplement filtering of top-level dependencies
1b7372e 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Also reimplement all_dependencies() with cargo-metadata
edc3583 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Make top_level_dependencies() consistent with all_dependencies() in o…
e0a4cb5 
…utputting the toplevel package in resolve

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Re-enable selection of direct deps only or all deps
d61cc75 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Drop unused import
0623190 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Include the root package in the output of top_level_dependencies() an…
ade4077 
…d all_dependencies(), it is required for correctness

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Fix a test that was creating an invalid dependency without a lib targ…
39b3426 
…et, which was ignored by cargo

Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Suppress the warning about resolve being unused for now
416914d 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@Shnatsel
Omit the toplevel package from the list of components
6a731f5 
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
This was referenced Oct 26, 2023
Merged
Merged
Merged
@Shnatsel Shnatsel mentioned this pull request Oct 26, 2023
Merged
@lfrancke
Copy link
Contributor

Thank you for the PR!

I did take a quick look and have one initial question: We currently run cargo metadata once for everything. As far as I know it can be run against each package individually.
Wouldn't that solve the issues we currently have?
Yes, it'd mean running cargo metadata multiple times so it'd be a bit slower but that's a tradeoff I'd be happy to take.

Disclaimer: I have not looked at your follow-up PRs yet.

@Shnatsel
Copy link
Contributor Author

Even if we ran it for every package separately, we would still have to do the graph traversal to filter out the transitive dev-dependencies. That's implemented in #498. So running cargo metadata per-package doesn't really get us anything.

lfrancke
lfrancke requested changes Oct 26, 2023
View reviewed changes
Copy link
Contributor

@lfrancke lfrancke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor stuff
It's really really hard to not comment on some of the obvious wrong things :)

cargo-cyclonedx/src/generator.rs Show resolved Hide resolved
cargo-cyclonedx/src/generator.rs Outdated Show resolved Hide resolved
cargo-cyclonedx/src/generator.rs Show resolved Hide resolved
@Shnatsel @lfrancke
Fix typo in comment
819b269 
Co-authored-by: Lars Francke <lars.francke@stackable.tech>
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
@lfrancke lfrancke merged commit 12a9ba0 into CycloneDX:main Oct 26, 2023
9 checks passed
This was referenced Oct 27, 2023
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lfrancke lfrancke lfrancke approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Shnatsel @lfrancke