Merge pull request #160 from rust-secure-code/drop-toml-conversion

Remove dependency on cargo-lock

README.md

@@ -50,12 +50,12 @@ If you're using a shell other than bash, or if using an alias is not an option,
 When used on images or directories, Rust audit support must be enabled by adding the `--catalogers all` CLI option, e.g `syft --catalogers all <container image containing Rust auditable binary>`.
 * [rust-audit-info](https://crates.io/crates/rust-audit-info) recovers the dependency list from a binary and prints it in JSON.
 
-It is also interoperable with existing tooling that consumes Cargo.lock via the [JSON-to-TOML convertor](auditable-serde/examples/json-to-toml.rs). However, we recommend supporting the format natively; the format is designed to be [very easy to parse](PARSING.md), even if your language does not have a library for that yet.
-
 ### Can I read this data using a tool written in a different language?
 
 Yes. The data format is designed for interoperability with alternative implementations. In fact, parsing it only takes [5 lines of Python](PARSING.md). See [here](PARSING.md) for documentation on parsing the data.
 
+Besides that, Syft can read it and convert it to a multitude of formats. `auditable2cdx` can convert it to CycloneDX, which is understood by most tools. This conversion lets you feed this data even to tools you cannot modify.
+
 ### What is the data format, exactly?
 
 The data format is described by the JSON schema [here](cargo-auditable.schema.json).

auditable-cyclonedx/Cargo.toml

@@ -12,4 +12,4 @@ categories = ["encoding"]
 
 [dependencies]
 cyclonedx-bom = "0.5.0"
-auditable-serde = {version = "0.6.1", path = "../auditable-serde"}
+auditable-serde = {version = "0.7.0", path = "../auditable-serde"}

auditable-info/CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.0] - 2024-07-30
+
+### Changed
+
+- Upgraded to `auditable-serde` v0.7.x
+
 ## [0.7.2] - 2024-05-08
 
 ### Changed

auditable-info/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "auditable-info"
-version = "0.7.2"
+version = "0.8.0"
 authors = ["Sergey \"Shnatsel\" Davidoff <shnatsel@gmail.com>"]
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/rust-secure-code/cargo-auditable"
@@ -13,7 +13,7 @@ edition = "2018"
 [dependencies]
 auditable-extract = {version = "0.3.4", path = "../auditable-extract", default-features = false }
 miniz_oxide = { version = "0.6.2", features = ["std"] }
-auditable-serde = {version = "0.6.0", path = "../auditable-serde", optional = true}
+auditable-serde = {version = "0.7.0", path = "../auditable-serde", optional = true}
 serde_json = { version = "1.0.57", optional = true }
 
 [features]

auditable-info/src/lib.rs

@@ -13,8 +13,6 @@
 //! The supported formats are [ELF](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format),
 //! [PE](https://en.wikipedia.org/wiki/Portable_Executable),
 //! [Mach-O](https://en.wikipedia.org/wiki/Mach-O) and [WebAssembly](https://en.wikipedia.org/wiki/WebAssembly).
-//! Make sure you [enable](https://doc.rust-lang.org/cargo/reference/features.html#dependency-features) the `wasm` feature
-//! if you want to parse WebAssembly.
 //!
 //! If you need an even lower-level interface than the one provided by this crate,
 //! use the [`auditable-extract`](http://docs.rs/auditable-extract/) and

auditable-serde/CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.7.0] - 2024-07-30
+### Changed
+- Removed the disabled-by-default conversion from the internal format to Cargo.lock. The Cargo.lock format is unstable, and the conversion to CycloneDX is a better idea these days.
+
 ## [0.6.1] - 2024-02-19
 ### Fixed
 - `from_metadata` feature: Fixed creating a cyclic dependency graph under [certain conditions](https://github.com/rustsec/rustsec/issues/1043).

auditable-serde/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "auditable-serde"
-version = "0.6.1"
+version = "0.7.0"
 authors = ["Sergey \"Shnatsel\" Davidoff <shnatsel@gmail.com>"]
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/rust-secure-code/cargo-auditable"
@@ -14,22 +14,16 @@ all-features = true
 [features]
 default = []
 from_metadata = ["cargo_metadata"]
-toml = ["cargo-lock"]
 schema = ["schemars"]
 
 [dependencies]
 serde = { version = "1", features = ["serde_derive"] }
 serde_json = "1.0.57"
 semver = { version = "1.0", features = ["serde"] }
 cargo_metadata = { version = "0.15", optional = true }
-cargo-lock = { version = "9", default-features = false, optional = true }
 topological-sort = "0.2.2"
 schemars = {version = "0.8.10", optional = true }
 
-[[example]]
-name = "json-to-toml"
-required-features = ["toml"]
-
 [[example]]
 name = "from-metadata"
 required-features = ["from_metadata"]