fix order of rust dependencies and support git sources in Cargo.lock dependencies#3502

Merged
willmurphyscode merged 2 commits into main from fix-rust-dep-order
Dec 6, 2024

Conversation

@willmurphyscode
Contributor

Description

This PR has two related effects:

  1. It fixes a bug where the dependency-of relationship in the Cargo.lock cataloger was previously reversed
  2. It implements resolving Cargo.lock dependencies when crates of the same name and version but from different sources (e.g. from git vs from crates.io) are present in the Cargo.lock.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

I'm considering this a bug fix, not a feature, because the previous Cargo.lock relationships PR intended to be correct and complete, and just missed these two things.

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

Previously, dependencyOf was pointing the wrong way. Use dependency
specification helpers to build the dependency graph.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
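The two behaviours the description covers, as an added example in Go that is not syft's code (none of the project's code is shown on this page): a small Cargo.lock reader that keys packages by name, version and source, resolves the `"name"`, `"name version"` and `"name version (source)"` dependency specs Cargo writes, and emits dependency-of edges that run from the crate being depended on to the crate that lists it. The lock file is constructed for the example, the helper names (`parseCargoLock`, `resolve`, `buildRelationships`) are not syft's API, and the example assumes, as Cargo-generated lock files show, that a git package's `source` carries the pinned commit after `#` while the dependency spec omits it.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleCargoLock is a constructed Cargo.lock (v3 layout), not from any real project. "util" 1.2.0
// appears twice (crates.io and git); Cargo disambiguates such entries in dependency lists by
// appending the version and, if that is still not unique, the source in parentheses.
const sampleCargoLock = `version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "lib",
 "util 1.2.0 (git+https://github.com/example/util?rev=4f1a2b)",
]
[[package]]
name = "lib"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "util 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "util"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "util"
version = "1.2.0"
source = "git+https://github.com/example/util?rev=4f1a2b#4f1a2b9c0d1e"
`

// Package is one [[package]] table; Source is empty for path (workspace) crates.
type Package struct {
	Name, Version, Source string
	Dependencies          []string
}

// ID keys a package by name, version and source; name+version alone would merge the two "util" entries.
func (p Package) ID() string { return fmt.Sprintf("%s %s (%s)", p.Name, p.Version, p.Source) }

// Relationship means "From is a dependency of To": the edge runs from the crate being depended on
// to the crate that lists it, the dependency-of orientation assumed here and restored by this PR.
type Relationship struct{ From, To string }

func unquote(s string) string { return strings.Trim(strings.TrimSuffix(strings.TrimSpace(s), ","), "\"") }

// parseCargoLock reads the TOML subset Cargo.lock emits (dependency arrays are always written one
// entry per line); it is not a general TOML parser.
func parseCargoLock(text string) []Package {
	pkgs, cur, inDeps := []Package{}, -1, false
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "[[package]]":
			pkgs = append(pkgs, Package{})
			cur, inDeps = len(pkgs)-1, false
		case cur < 0 || line == "" || strings.HasPrefix(line, "#"): // file header, blank line or comment
		case line == "dependencies = [":
			inDeps = true
		case inDeps && line == "]":
			inDeps = false
		case inDeps:
			pkgs[cur].Dependencies = append(pkgs[cur].Dependencies, unquote(line))
		default: // scalar key = "value" lines; checksum and anything else is ignored
			key, val, _ := strings.Cut(line, " = ")
			if dst, ok := map[string]*string{"name": &pkgs[cur].Name, "version": &pkgs[cur].Version, "source": &pkgs[cur].Source}[key]; ok {
				*dst = unquote(val)
			}
		}
	}
	return pkgs
}

// resolve maps a spec ("name", "name version" or "name version (source)") to exactly one package.
// The pinned commit Cargo writes after '#' in a git source is absent from specs, so it is dropped
// before comparing; zero or several candidates are both errors, not silently the first match.
func resolve(spec string, byName map[string][]Package) (Package, error) {
	f := strings.Fields(spec)
	if len(f) == 0 || len(f) > 3 {
		return Package{}, fmt.Errorf("malformed dependency spec %q", spec)
	}
	var matches []Package
	for _, p := range byName[f[0]] {
		src, _, _ := strings.Cut(p.Source, "#")
		if (len(f) < 2 || p.Version == f[1]) && (len(f) < 3 || "("+src+")" == f[2]) {
			matches = append(matches, p)
		}
	}
	if len(matches) != 1 {
		return Package{}, fmt.Errorf("dependency %q matched %d packages, want exactly 1", spec, len(matches))
	}
	return matches[0], nil
}

// buildRelationships resolves every spec and emits one dependency-of edge per resolved pair.
func buildRelationships(pkgs []Package) ([]Relationship, error) {
	byName := map[string][]Package{}
	for _, p := range pkgs {
		byName[p.Name] = append(byName[p.Name], p)
	}
	var rels []Relationship
	for _, p := range pkgs {
		for _, spec := range p.Dependencies {
			dep, err := resolve(spec, byName)
			if err != nil {
				return nil, err
			}
			rels = append(rels, Relationship{From: dep.ID(), To: p.ID()})
		}
	}
	return rels, nil
}

func main() {
	rels, err := buildRelationships(parseCargoLock(sampleCargoLock))
	if err != nil {
		panic(err)
	}
	for _, r := range rels {
		fmt.Println(r.From, "is a dependency of", r.To)
	}
}
```

With the constructed lock above, `app` ends up depending on the git copy of `util` and `lib` on the crates.io copy, and the edges point at `app` and `lib` respectively. The check worth keeping from this sketch is that `resolve` refuses a spec such as `util 1.2.0` that matches both copies instead of picking one, which is the situation the second bullet of the description is about.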
@willmurphyscode willmurphyscode added the bug Something isn't working label Dec 6, 2024
@willmurphyscode willmurphyscode self-assigned this Dec 6, 2024
Contributor

@wagoodman wagoodman left a comment

💯

@willmurphyscode willmurphyscode enabled auto-merge (squash) December 6, 2024 13:38
@willmurphyscode willmurphyscode merged commit 4adb56d into main Dec 6, 2024
@willmurphyscode willmurphyscode deleted the fix-rust-dep-order branch December 6, 2024 13:38
spiffcs added a commit that referenced this pull request Dec 9, 2024
…syft into spdx-absolute-path-file

* 'spdx-absolute-path-file' of https://github.com/anchore/syft:
  chore(deps): update CPE dictionary index (#3507)
  chore(deps): update tools to latest versions (#3506)
  chore(deps): bump github.com/magiconair/properties from 1.8.7 to 1.8.9 (#3508)
  chore(deps): bump actions/cache from 4.1.2 to 4.2.0 (#3503)
  Add relationships for rust audit binary packages (#3500)
  fix order of rust dependencies and support git sources in Cargo.lock dependencies (#3502)
  chore(deps): update tools to latest versions (#3501)
  chore(deps): bump golang.org/x/net from 0.31.0 to 0.32.0 (#3499)
  chore: add and document target for updating unit snapshots (#3498)
  fix: emit NOASSERTION for copyright text to fix SPDX 2.2 validation failure (#3495)

Labels

bug Something isn't working