Comments (12)
root: bool added in git master. It will be omitted if set to false to save space.
The next proper release will probably ship next week. Let me know if you need me to publish a pre-release in the meanwhile.
from cargo-auditable.
Oh, I found "source": "local" and it seems to have direct dependencies. Sorry for the noise.
{
  "name": "exa",
  "version": "0.10.1",
  "source": "local",
  "dependencies": [
    0, 5, 8, 9, 13, 14, 17, 18, 20, 21, 22, 27, 28, 29, 34, 36, 41
  ],
  "features": [
    "default",
    "git",
    "git2"
  ]
}
I don't think something installed from crates.io via cargo install would have anything with source: "local".
It's probably possible to find out the root by resolving the dependency tree, but that's a lot of hassle.
Why do you need to resolve the direct dependencies in the first place? If I understand that, perhaps I'll find a better way to accommodate it.
There also may be multiple local packages, e.g. if there are path dependencies.
I got it. Thanks.
It is required in Software Bill of Materials (SBOM). For example, CycloneDX can represent a dependency graph. We should put which dependencies are used directly from the root project.
https://cyclonedx.org/use-cases/#dependency-graph
In other words, this kind of tree helps supply chain security.
exa v0.10.1 (github.com/ogham/exa)
├── ansi_term v0.12.1
├── datetime v0.5.2
│   ├── libc v0.2.93
│   ├── locale v0.2.2
│   │   └── libc v0.2.93
│   └── pad v0.1.6
│       └── unicode-width v0.1.8
...
If a vulnerability is disclosed in unicode-width v0.1.8, we can easily know it is introduced by datetime.
Ah, the dependency tree is already encoded in the format. What isn't encoded is where the root of the tree is, so there is no convenient place to start walking it.
I can add something like root: true to the exa package in your example to make the tree easier to walk. Do you think that's sufficient?
I can add something like root: true to the exa package in your example to make the tree easier to walk. Do you think that's sufficient?
Yes, it works. Thanks.
Great. I'll try to add it later today. I'm happy to hear suggestions for the name of the field in the meanwhile.
root: bool sounds good to me.
It occurred to me that the current format allows representing cyclic dependencies, which is undesirable: it may cause infinite loops in any program that tries to walk the tree naively.
I've opened #63 about it and would appreciate your input.
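The two consumer-side problems raised in this thread, finding the root so the tree can be walked from a known start and reporting which direct dependency introduces a vulnerable crate, plus the cycle hazard mentioned above, can be handled by a small walker like the one below. This is an added example, not code from cargo-auditable or from any SBOM tool; it assumes the JSON shape discussed here (a "packages" array, "dependencies" as indices into it, "root": true on the binary's own package and omitted when false) and additionally assumes "dependencies" may be absent when empty. The sample data is constructed from the cargo tree output quoted above; the edge from unicode-width back to datetime is invented purely to exercise cycle handling.

```python
"""Walk a cargo-auditable style package list: find the root, report which
direct dependency introduces a given package, and detect dependency cycles."""
import json

# Constructed sample (not real cargo-auditable output). Names and versions
# follow the cargo tree quoted in the thread; the unicode-width -> datetime
# edge is constructed to create a cycle for the demo.
SAMPLE_AUDIT_JSON = """
{
  "packages": [
    {"name": "exa", "version": "0.10.1", "source": "local", "root": true,
     "dependencies": [1, 2]},
    {"name": "ansi_term", "version": "0.12.1", "source": "crates.io"},
    {"name": "datetime", "version": "0.5.2", "source": "crates.io",
     "dependencies": [3, 4, 5]},
    {"name": "libc", "version": "0.2.93", "source": "crates.io"},
    {"name": "locale", "version": "0.2.2", "source": "crates.io",
     "dependencies": [3]},
    {"name": "pad", "version": "0.1.6", "source": "crates.io",
     "dependencies": [6]},
    {"name": "unicode-width", "version": "0.1.8", "source": "crates.io",
     "dependencies": [2]}
  ]
}
"""


def load_packages(text):
    return json.loads(text)["packages"]


def label(pkg):
    return f"{pkg['name']} v{pkg['version']}"


def find_roots(packages):
    """Indices of root packages. Prefer the explicit root flag (omitted when
    false); for data without it, fall back to packages nothing depends on.
    Several may come back, e.g. when path dependencies are present."""
    explicit = [i for i, p in enumerate(packages) if p.get("root", False)]
    if explicit:
        return explicit
    depended_on = {d for p in packages for d in p.get("dependencies", [])}
    return [i for i in range(len(packages)) if i not in depended_on]


def introducers(packages, root, name, version=None):
    """Map each direct dependency of `root` through which `name` (optionally
    at `version`) is reachable to one example path of "name vX" labels.
    A node already on the current path is not re-entered, so a cyclic graph
    terminates instead of recursing forever."""
    found = {}

    def dfs(idx, path):
        pkg = packages[idx]
        if pkg["name"] == name and version in (None, pkg["version"]):
            found.setdefault(path[1], [label(packages[i]) for i in path])
            return
        for dep in pkg.get("dependencies", []):
            if dep not in path:
                dfs(dep, path + [dep])

    for direct in packages[root].get("dependencies", []):
        dfs(direct, [root, direct])
    return {packages[d]["name"]: p for d, p in found.items()}


def find_cycle(packages):
    """Return one dependency cycle as a list of labels (the last element
    depends on the first), or None if the graph is a DAG. Three-colour DFS."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = [WHITE] * len(packages)
    stack = []

    def dfs(idx):
        colour[idx] = GREY
        stack.append(idx)
        for dep in packages[idx].get("dependencies", []):
            if colour[dep] == GREY:          # back edge: cycle found
                return stack[stack.index(dep):]
            if colour[dep] == WHITE:
                cycle = dfs(dep)
                if cycle:
                    return cycle
        stack.pop()
        colour[idx] = BLACK
        return None

    for i in range(len(packages)):
        if colour[i] == WHITE:
            cycle = dfs(i)
            if cycle:
                return [label(packages[n]) for n in cycle]
    return None


if __name__ == "__main__":
    pkgs = load_packages(SAMPLE_AUDIT_JSON)
    root = find_roots(pkgs)[0]
    print("root:", label(pkgs[root]))
    for direct, path in introducers(pkgs, root, "unicode-width", "0.1.8").items():
        print(f"introduced via {direct}: " + " -> ".join(path))
    print("cycle:", find_cycle(pkgs))
```

Running the script reports exa as the root, datetime as the direct dependency that pulls in unicode-width v0.1.8, and the constructed datetime/pad/unicode-width cycle. The fallback in find_roots is what makes older data without the root flag usable, at the cost of the ambiguity discussed above when several local packages exist.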
v0.5.0 with this change has shipped.
Cool. Thanks!