
More precise dependency list

Open Shnatsel opened this issue 6 months ago • 4 comments

cargo metadata's feature unification across all dependency types, including dev-dependencies, causes it to over-report the dependency graph in certain cases. This PR works around that, fixing the long-standing issue #66.

Shnatsel avatar May 26 '25 03:05 Shnatsel

@Shnatsel , what is the next step with this? How can I help?

jayvdb avatar Jun 17 '25 22:06 jayvdb

The path to shipping this looks like this:

  1. Make parsing cargo tree return a Result instead of panicking. Print a warning and continue if it fails.
  2. Add a rev: 2 field to the generated JSON. It will be a marker that specifies that the dependency tree is accurate. Write it only if parsing cargo tree succeeds.
  3. Do a bunch of housekeeping around adding that field: bump semver where appropriate (in auditable-serde and everything that depends on it), regenerate the JSON schema, anything else that comes up.

You can help by cloning this branch, doing the things from this list and opening a PR with the changes.

Shnatsel avatar Jun 17 '25 22:06 Shnatsel
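Step 1 of the list above, as an added illustration rather than cargo-auditable's own code: a parser for `cargo tree --prefix depth --format "{p}"` output that returns a Result and a caller that warns and continues instead of panicking. It assumes each line has the shape `<depth><name> v<version>[ (<path>)]`; the sample input in the test is constructed.

```rust
// Added example (not cargo-auditable's own code). Parses lines of
// `cargo tree --prefix depth --format "{p}"`, assumed to look like
// "1serde v1.0.200" or "0my-crate v0.1.0 (/path/to/my-crate)".
#[derive(Debug, PartialEq)]
pub struct TreeNode {
    pub depth: usize,
    pub name: String,
    pub version: String,
}

#[derive(Debug, PartialEq)]
pub enum TreeParseError {
    MissingDepth(String),   // line does not start with a depth number
    MissingVersion(String), // no "v<version>" token after the crate name
}

/// Parses one line; malformed input is reported as an Err, never unwrapped.
pub fn parse_tree_line(line: &str) -> Result<TreeNode, TreeParseError> {
    let digits = line.len() - line.trim_start_matches(|c: char| c.is_ascii_digit()).len();
    if digits == 0 {
        return Err(TreeParseError::MissingDepth(line.to_string()));
    }
    let depth: usize = line[..digits]
        .parse()
        .map_err(|_| TreeParseError::MissingDepth(line.to_string()))?;
    let mut parts = line[digits..].split_whitespace();
    let name = parts.next().ok_or_else(|| TreeParseError::MissingVersion(line.to_string()))?;
    let version = parts
        .next()
        .and_then(|v| v.strip_prefix('v'))
        .ok_or_else(|| TreeParseError::MissingVersion(line.to_string()))?;
    Ok(TreeNode { depth, name: name.to_string(), version: version.to_string() })
}

/// Parses the whole output; the first bad line aborts with its error.
pub fn parse_tree(output: &str) -> Result<Vec<TreeNode>, TreeParseError> {
    output.lines().filter(|l| !l.trim().is_empty()).map(parse_tree_line).collect()
}

/// Returns the accurate tree, or None after printing a warning so the build
/// can continue with the less precise cargo metadata graph. A "rev: 2" marker
/// (step 2 above) would be written only in the Some case.
pub fn tree_or_warn(output: &str) -> Option<Vec<TreeNode>> {
    match parse_tree(output) {
        Ok(nodes) => Some(nodes),
        Err(e) => {
            eprintln!("warning: could not parse `cargo tree` output: {e:?}; falling back");
            None
        }
    }
}
```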

We've discovered a significant issue with this approach, which is documented in #216; I've updated the tests to demonstrate it.

Shnatsel avatar Jun 27 '25 15:06 Shnatsel

I believe it will be possible to work around by passing through the working directory as well as flags -p/--package, --workspace, --exclude and --all from the original cargo auditable build call on to cargo tree. This will add a nontrivial amount of complexity, but it should be manageable since we already have all the required infrastructure in place.

Shnatsel avatar Jun 27 '25 15:06 Shnatsel