Record package hashes in the generated SBOM #620
Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
…h format and wire up emitting the data to the final SBOM Signed-off-by: Sergey "Shnatsel" Davidoff <shnatsel@gmail.com>
I looked at the code changes and those look good.
I only have 1.76 installed and train wifi won't allow me to download a newer version.
I'm happy to merge as is but if you prefer I can also test it next week.
In my testing it works, so I'm going to go ahead and merge it. There is an edge case: if the registry URL contains parameters, the hash may not be recorded. That's because Cargo.lock does not encode parameters correctly right now (and what
I filed an issue about that so that it's tracked: #629
Requires Rust 1.77 or later because it relies on rust-lang/cargo#12914
Older Rust versions behave as before, i.e. the hashes are not recorded.
Builds on #619 because I didn't want to create editing conflicts with myself. I can rebase it if it doesn't go in.