CycloneDX / cyclonedx-rust-cargo

Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
https://cyclonedx.org/
Apache License 2.0

more explicit build dependency handling #755

Closed thillux closed 3 months ago

thillux commented 4 months ago

This is a follow-up on #736 which was merged and later reverted because of an infinite loop I accidentally produced there.

This PR differs in the following:

Shnatsel commented 4 months ago

I retract what I said about resolver v2 - we cannot fix that edge case because cargo metadata doesn't support resolver v2 either.

Please fix the test failures and I'll be happy to merge this.

thillux commented 4 months ago

@Shnatsel ready & thanks for your feedback regarding resolver v2.

Shnatsel commented 4 months ago

Thank you, I will take a look in the next few days.

My revised feedback about resolver v2 is to ignore its existence. cargo metadata does not support it, so there is no way for us to support it either.

I am really sorry about sending you on this wild goose chase. I forgot that Cargo just does not expose enough data for us to handle this correctly.

Shnatsel commented 3 months ago

I'm going to go ahead and merge this to expedite the process. What nits I have I'll address myself in a follow-up PR.

Thank you!