
fix order of rust dependencies and support git sources in Cargo.lock dependencies #3502

Merged 2 commits into main from fix-rust-dep-order on Dec 6, 2024

Conversation

willmurphyscode

Description

This PR has two related effects:

  1. It fixes a bug where the dependency-of relationship in the Cargo.lock cataloger was previously reversed
  2. It implements resolving Cargo.lock dependencies when crates of the same name and version but from different sources (e.g. from git vs from crates.io) are present in the Cargo.lock.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

I'm considering this a bug fix, not a feature, because the previous Cargo.lock relationships PR intended to be correct and complete, and just missed these two things.

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Previously, dependencyOf was pointing the wrong way. Use dependency
specification helpers to build the dependency graph.

Signed-off-by: Will Murphy <[email protected]>
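The two points in the description, dependency-of edges pointing from the dependency to the package that lists it, and telling apart two entries with the same name and version that come from different sources, can be shown in a few dozen lines. The block below is an added example in Go (syft's language), not syft's own cataloger code: the `Package` entries are constructed Go literals standing in for already-parsed Cargo.lock TOML, the `app`, `lib` and `common` crates and the `example.invalid` git URL are made up, and matching a specifier's source against a package's `source` field by exact string comparison is an assumption of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Package mirrors one [[package]] entry of a Cargo.lock file, already parsed out
// of the TOML (parsing the file itself is out of scope for this example).
type Package struct {
	Name, Version, Source string
	Dependencies          []string // raw specifiers such as `foo 0.1.0 (git+https://...)`
}

// Key identifies a package. name@version alone is not unique: the same crate at the
// same version can appear twice when one copy is from crates.io and one from git.
func (p Package) Key() string {
	if p.Source == "" { // workspace/path packages carry no source field
		return p.Name + "@" + p.Version
	}
	return p.Name + "@" + p.Version + " (" + p.Source + ")"
}

// Relationship states that Dependency is a dependency of Dependent.
type Relationship struct{ Dependency, Dependent string }

// parseDepSpec splits a specifier. Cargo writes `name`, `name version`, or
// `name version (source)`, adding parts only when a bare name would be ambiguous.
func parseDepSpec(spec string) (name, version, source string) {
	f := append(strings.Fields(spec), "", "", "") // pad so absent parts read as ""
	return f[0], f[1], strings.Trim(f[2], "()")
}

// resolve filters by name, then by version and source when the specifier carries
// them. Anything but exactly one match is an error rather than a guess; this is
// what keeps the crates.io and git copies of the same name@version apart.
func resolve(pkgs []Package, spec string) (Package, error) {
	name, version, source := parseDepSpec(spec)
	var matches []Package
	for _, p := range pkgs {
		if p.Name == name && (version == "" || p.Version == version) && (source == "" || p.Source == source) {
			matches = append(matches, p)
		}
	}
	if len(matches) != 1 {
		return Package{}, fmt.Errorf("specifier %q matched %d packages, want exactly 1", spec, len(matches))
	}
	return matches[0], nil
}

// buildRelationships emits one edge per resolved specifier. Direction matters: the
// resolved crate is the Dependency and the package whose list names it is the Dependent.
func buildRelationships(pkgs []Package) ([]Relationship, error) {
	var rels []Relationship
	for _, p := range pkgs {
		for _, spec := range p.Dependencies {
			dep, err := resolve(pkgs, spec)
			if err != nil {
				return nil, err
			}
			rels = append(rels, Relationship{Dependency: dep.Key(), Dependent: p.Key()})
		}
	}
	return rels, nil
}

const cratesIO = "registry+https://github.com/rust-lang/crates.io-index"
const gitCommon = "git+https://example.invalid/common?rev=abc123#abc123" // constructed, not a real repo

// samplePackages is a constructed Cargo.lock (not from any real project) in which
// "common" 1.0.0 is present twice, once from crates.io and once from git.
var samplePackages = []Package{
	{Name: "app", Version: "0.1.0", Dependencies: []string{"common 1.0.0 (" + gitCommon + ")", "serde"}},
	{Name: "lib", Version: "0.2.0", Dependencies: []string{"common 1.0.0 (" + cratesIO + ")"}},
	{Name: "common", Version: "1.0.0", Source: cratesIO},
	{Name: "common", Version: "1.0.0", Source: gitCommon, Dependencies: []string{"serde"}},
	{Name: "serde", Version: "1.0.200", Source: cratesIO},
}

func main() {
	rels, err := buildRelationships(samplePackages)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, r := range rels {
		fmt.Printf("%s is a dependency of %s\n", r.Dependency, r.Dependent)
	}
}
```

Running it prints four edges; the one worth reading twice is `common@1.0.0 (git+...) is a dependency of app@0.1.0`, which is the orientation the PR fixes. A bare `resolve(samplePackages, "common")` returns an error because two packages match, which is the situation the second part of the PR addresses: the specifier only disambiguates when it carries the source.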
@willmurphyscode willmurphyscode added the bug Something isn't working label Dec 6, 2024
@willmurphyscode willmurphyscode self-assigned this Dec 6, 2024

@wagoodman wagoodman left a comment


💯

@willmurphyscode willmurphyscode enabled auto-merge (squash) December 6, 2024 13:38
@willmurphyscode willmurphyscode merged commit 4adb56d into main Dec 6, 2024
12 checks passed
@willmurphyscode willmurphyscode deleted the fix-rust-dep-order branch December 6, 2024 13:38
spiffcs added a commit that referenced this pull request Dec 9, 2024
…syft into spdx-absolute-path-file

* 'spdx-absolute-path-file' of https://github.com/anchore/syft:
  chore(deps): update CPE dictionary index (#3507)
  chore(deps): update tools to latest versions (#3506)
  chore(deps): bump github.com/magiconair/properties from 1.8.7 to 1.8.9 (#3508)
  chore(deps): bump actions/cache from 4.1.2 to 4.2.0 (#3503)
  Add relationships for rust audit binary packages (#3500)
  fix order of rust dependencies and support git sources in Cargo.lock dependencies (#3502)
  chore(deps): update tools to latest versions (#3501)
  chore(deps): bump golang.org/x/net from 0.31.0 to 0.32.0 (#3499)
  chore: add and document target for updating unit snapshots (#3498)
  fix: emit NOASSERTION for copyright text to fix SPDX 2.2 validation failure (#3495)