Closed tofay closed 2 years ago
I've rebased, this is ready for review now.
I added the https://github.com/tofay/cargo-spdx/commit/992cd855f47b48d8485f9c722d2ffbbd84c45478 changes here too, to use cargo package --list to get source files in the current workspace.
LGTM!
Follows on from https://github.com/alilleybrinker/cargo-spdx/pull/9. Not worth reviewing this in detail until that's resolved.
Read the relevant rustc/cargo dep-info files to determine the source files used in the build.
cargo build messages, and is used to navigate to the dep_info file. These are then included in the SBOM relative to the owning package root, to avoid leaking any host-specific paths into the SBOMs. A relationship is added between each file and its owning package, which is already a dependency of the binary from changes in https://github.com/alilleybrinker/cargo-spdx/pull/9.
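The approach described above (read the dep-info file, keep only files under the owning package root, record them relative to that root), sketched as an added example; it is not code from this PR or from cargo-spdx. The function names, the sample dep-info text and the `/home/alice/proj` paths are constructed for illustration.

```rust
use std::collections::BTreeSet;
use std::path::{Path, PathBuf};

// Constructed sample, shaped like a Makefile-style dep-info (.d) file.
pub const SAMPLE: &str = "\
/home/alice/proj/target/debug/demo: /home/alice/proj/src/main.rs /home/alice/proj/src/my\\ mod.rs /home/alice/.cargo/registry/src/x/lib.rs

/home/alice/proj/src/main.rs:
# env-dep:CARGO_PKG_NAME=demo
";

/// Split a rule's dependency list on unescaped spaces ("\ " escapes a space in a path).
fn split_deps(deps: &str) -> Vec<String> {
    // Hide escaped spaces behind a NUL placeholder, split, then restore them.
    deps.replace("\\ ", "\0")
        .split_whitespace()
        .map(|p| p.replace('\0', " "))
        .collect()
}

/// Source files named in a dep-info file, relative to `package_root`.
/// Files outside the root (registry crates, system paths) are dropped, so no
/// absolute host path can end up in the SBOM.
pub fn relative_sources(dep_info: &str, package_root: &Path) -> BTreeSet<PathBuf> {
    let mut files = BTreeSet::new();
    for line in dep_info.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') {
            continue; // blank line or "# env-dep:..." comment
        }
        let Some((_target, deps)) = line.split_once(": ") else { continue };
        for dep in split_deps(deps) {
            // strip_prefix compares whole path components, so "/home/alice/proj2" does not match.
            if let Ok(rel) = Path::new(&dep).strip_prefix(package_root) {
                files.insert(rel.to_path_buf());
            }
        }
    }
    files
}

fn main() {
    for f in relative_sources(SAMPLE, Path::new("/home/alice/proj")) {
        println!("{}", f.display());
    }
}
```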