Skip to content

Clarify package ID specifications in SBOMs are fully qualified#15731

Merged
weihanglo merged 2 commits intorust-lang:masterfrom
tofay:sbom-fully-qualified
Jul 5, 2025
Merged

Clarify package ID specifications in SBOMs are fully qualified#15731
weihanglo merged 2 commits intorust-lang:masterfrom
tofay:sbom-fully-qualified

Conversation

@tofay
Copy link
Contributor

@tofay tofay commented Jul 5, 2025

What does this PR try to resolve?

cargo-auditable 0.7.0 will use the unstable Cargo SBOM precursor files if a user configures Cargo to generate the SBOM files. cargo-auditable assumes that the package ID specifiers in Cargo SBOM files are fully qualified.

We'd like to enforce this assumption in Cargo so we can keep our package ID spec parsing simpler by not considering non-fully qualified package ID specs. This PR updates the cargo docs to state where fully qualified package ID specs are used, and also adds SBOMs to the existing cargo pkgid test that is currently enforcing consistency between the various usages of fully qualified package id specs.

Previously raised at #t-cargo > sbom missing name, version, source @ 💬

How to test and review this PR?

Change doesn't affect current behaviour.

@rustbot
Copy link
Collaborator

rustbot commented Jul 5, 2025

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added A-documenting-cargo-itself Area: Cargo's documentation S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jul 5, 2025
@tofay tofay force-pushed the sbom-fully-qualified branch from bde57ce to 8feacfc Compare July 5, 2025 19:54
@tofay
Enforce pkgid and sbom consistency
c74fadc 
clarify fully qualified package ID usage in docs
@tofay tofay force-pushed the sbom-fully-qualified branch from 8feacfc to c74fadc Compare July 5, 2025 19:59
weihanglo
weihanglo reviewed Jul 5, 2025
View reviewed changes
Copy link
Member

@weihanglo weihanglo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the help!

src/doc/src/reference/pkgid-spec.md Outdated
if there are two versions of the `regex` package in the graph, then it can be
qualified with a version to make it unique, such as `regex@1.4.3`.

Fully qualified package ID specifications are output by Cargo in:
Copy link
Member

@weihanglo weihanglo Jul 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a bit unsure whether we want an exhaustive list. Basically all outputs of package ID spec by Cargo should be fully qualified. Having a list here means we have one more thing needing to be in sync. Like, this doesn't mention the unstable --unit-graph output.

Copy link
Contributor Author

@tofay tofay Jul 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok - I've replaced the list with that generalization.

@tofay
generalize cargo's use of fully qualified
6713b1a 
rather than providing an exhaustive list
weihanglo
weihanglo approved these changes Jul 5, 2025
View reviewed changes
Copy link
Member

@weihanglo weihanglo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@weihanglo weihanglo added this pull request to the merge queue Jul 5, 2025
Merged via the queue into rust-lang:master with commit 425af55 Jul 5, 2025
24 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Jul 5, 2025
@weihanglo weihanglo mentioned this pull request Jul 11, 2025
Merged
bors added a commit to rust-lang/rust that referenced this pull request Jul 12, 2025
@bors
Auto merge of #143809 - weihanglo:update-cargo, r=weihanglo
9535fee 
Update cargo

14 commits in 930b4f62cfcd1f0eabdb30a56d91bf6844b739bf..eabb4cd923deb73e714f7ad3f5234d68ca284dbe
2025-06-28 14:58:43 +0000 to 2025-07-09 22:07:55 +0000
- feat: Implementation and tests for `multiple-build-scripts` (rust-lang/cargo#15704)
- perf: Speed up TOML parsing by upgrading toml (rust-lang/cargo#15736)
- Mark cachelock tests that rely on interprocess blocking behaviour as unsupported on AIX. (rust-lang/cargo#15734)
- feat(publish): Stabilize multi-package publishing (rust-lang/cargo#15636)
- Update to Rust 2024 (rust-lang/cargo#15732)
- Clarify package ID specifications in SBOMs are fully qualified (rust-lang/cargo#15731)
- chore(deps): update cargo-semver-checks to v0.42.0 (rust-lang/cargo#15730)
- test: Switch config tests to use snapshots (rust-lang/cargo#15729)
- implement package feature unification (rust-lang/cargo#15684)
- chore: Upgrade dependencies (rust-lang/cargo#15722)
- Report valid file name when we can't find a build target for `name = "foo.rs"` (rust-lang/cargo#15707)
- chore(release): Publish build-rs on release (rust-lang/cargo#15708)
- Override `Cargo.lock` checksums when doing a dry-run `publish` (rust-lang/cargo#15711)
- test(rustfix): Update for nightly (rust-lang/cargo#15717)

r? ghost
@rustbot rustbot added this to the 1.90.0 milestone Jul 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weihanglo weihanglo weihanglo approved these changes

Assignees

@epage epage

Labels

A-documenting-cargo-itself Area: Cargo's documentation

Projects

None yet

Milestone

1.90.0

Development

Successfully merging this pull request may close these issues.

4 participants

@tofay @rustbot @weihanglo @epage