Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
- [x] I added tests for this PR's change (or explained in the PR description why tests don't make sense).
~- [ ] If this PR introduced a user-visible change, I added documentation into docs/.~
~- [ ] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.~
- [ ] If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
~- [ ] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).~
~- [ ] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.~
Overview
Cargo changed the format of project IDs in the output of `cargo metadata`. Prior to cargo 1.77.0 they looked like this:
For 1.77.0 and greater, they look like this, as defined in https://doc.rust-lang.org/nightly/cargo/reference/pkgid-spec.html
For path dependencies, I've seen them with and without the package name in the fragment:
or
Acceptance criteria
- `cargo metadata` for new versions of cargo
- `cargo metadata` with older versions of cargo
Testing plan
Use rustup to install an old and a new version of cargo:
Now, analyze a cargo project with both the old version:
Clean up those output files (you sometimes get some cruft from `cabal run` at the beginning) and then run them through jq or otherwise prettify them. You should now see no difference when you diff the output.
Chris: I did this with foundation which has a mix of path deps and regular ones and got no differences:
Risks
Metrics
References
https://fossa.atlassian.net/browse/ANE-1659
https://teamfossa.slack.com/archives/C043EM3L96Z/p1713558253884749
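The two ID formats described in the Overview, normalized by one parser so that old and new cargo versions yield the same (name, version, source) for a dependency. This is an added example, not code from this PR or from the project; the type and function names are hypothetical, and the sample IDs are constructed from the pkgid spec linked above.

```rust
/// Normalized view of one package `id` from `cargo metadata` output.
#[derive(Debug, PartialEq)]
pub struct PkgId {
    pub name: String,
    pub version: String,
    pub source: String,
}

/// Accepts both ID formats; returns None when the string matches neither.
pub fn parse_pkg_id(id: &str) -> Option<PkgId> {
    parse_old(id).or_else(|| parse_new(id))
}

// Before cargo 1.77.0: "<name> <version> (<source>)"
fn parse_old(id: &str) -> Option<PkgId> {
    let mut parts = id.splitn(3, ' ');
    let (name, version, rest) = (parts.next()?, parts.next()?, parts.next()?);
    let source = rest.strip_prefix('(')?.strip_suffix(')')?;
    Some(PkgId { name: name.into(), version: version.into(), source: source.into() })
}

// cargo 1.77.0 and later: "<source>#<name>@<version>" or "<source>#<version>"
fn parse_new(id: &str) -> Option<PkgId> {
    let (source, fragment) = id.rsplit_once('#')?;
    let (name, version) = match fragment.rsplit_once('@') {
        Some((n, v)) => (n.to_string(), v),
        // Version-only fragment: the name is the last path segment of the
        // source URL, ignoring any query string such as ?branch=main.
        None => {
            let path = source.split('?').next()?.trim_end_matches('/');
            (path.rsplit('/').next()?.to_string(), fragment)
        }
    };
    if name.is_empty() || !version.starts_with(|c: char| c.is_ascii_digit()) {
        return None;
    }
    Some(PkgId { name, version: version.into(), source: source.into() })
}

fn main() {
    // Constructed sample IDs (assumptions), not copied from the PR.
    for id in [
        "serde 1.0.197 (registry+https://github.com/rust-lang/crates.io-index)",
        "registry+https://github.com/rust-lang/crates.io-index#serde@1.0.197",
        "path+file:///work/demo/util#0.1.0",
        "path+file:///work/demo/crates/core#demo-core@0.1.0",
    ] {
        println!("{id} -> {:?}", parse_pkg_id(id));
    }
}
```

Comparing the normalized values rather than the raw ID strings is what keeps a dependency report stable across a toolchain upgrade.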