Determine the root package about cargo-auditable HOT 12 CLOSED

root: bool added in git master. It will be omitted if set to false to save space.

The next proper release will probably ship next week. Let me know if you need me to publish a pre-release in the meanwhile.

from cargo-auditable.

Oh, I found "source": "local" and it seems to have direct dependencies. Sorry for the noise.

    {
      "name": "exa",
      "version": "0.10.1",
      "source": "local",
      "dependencies": [
        0,
        5,
        8,
        9,
        13,
        14,
        17,
        18,
        20,
        21,
        22,
        27,
        28,
        29,
        34,
        36,
        41
      ],
      "features": [
        "default",
        "git",
        "git2"
      ]
    },

from cargo-auditable.

I don't think something installed from crates.io via cargo install would have anything with source: "local".

It's probably possible to find out the root by resolving the dependency tree, but that's a lot of hassle.

Why do you need to resolve the direct dependencies in the first place? If I understand that, perhaps I'll find a better way to accommodate it.

from cargo-auditable.

There also may be multiple local packages, e.g if there are path dependencies.

from cargo-auditable.

I got it. Thanks.
It is required in Software Bill of Materials (SBOM). For example, CycloneDX can represent a dependency graph. We should put which dependencies are used directly from the root project.
https://cyclonedx.org/use-cases/#dependency-graph

In other words, this kind of tree helps supply chain security.

exa v0.10.1 (github.com/ogham/exa)
├── ansi_term v0.12.1
├── datetime v0.5.2
│   ├── libc v0.2.93
│   ├── locale v0.2.2
│   │   └── libc v0.2.93
│   └── pad v0.1.6
│       └── unicode-width v0.1.8
...

If a vulnerability is disclosed in unicode-width v0.1.8, we can easily know it is introduced by detetime.

from cargo-auditable.

Ah, the dependency tree is already encoded in the format. What isn't encoded is where the root of the tree is, so there is no convenient place to start walking it.

I can add something like root: true to the exa package in your example to make the tree easier to walk. Do you think that's sufficient?

from cargo-auditable.

I can add something like root: true to the exa package in your example to make the tree easier to walk. Do you think that's sufficient?

Yes, it works. Thanks.

from cargo-auditable.

Great. I'll try to add it later today. I'm happy to hear suggestions for the name of the field in the meanwhile.

from cargo-auditable.

root: bool sounds good to me.

from cargo-auditable.

It occurred to me that the current format allows representing cyclic dependencies, which is undesirable: it may cause infinite loops in any program that tries to walk the tree naively.

I've opened #63 about it and would appreciate your input.

from cargo-auditable.

v0.5.0 with this change has shipped.

from cargo-auditable.

Cool. Thanks!

from cargo-auditable.