mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

`suggest` cmd can suggest same crate+version multiple times #481

Closed repi closed 1 year ago

repi commented 1 year ago

For a few unaudited crates in our project, running cargo vet suggest lists them multiple times even though they are the same version. Not a major issue, but just a bit odd, so I thought I should report it.

example:

    cargo vet inspect parking_lot 0.11.2                                                                      (used by bb8, sled, console-subscriber)                        (5584 lines)
    cargo vet inspect parking_lot 0.11.2                                                                      (used by cpal, eterm, pprof, tokio, and 49 others)             (5584 lines)
    cargo vet inspect bitflags 1.3.2                                                                          (used by ndk, nix, nix, nix, png, ron, and 45 others)          (2998 lines)
    cargo vet inspect bitflags 1.3.2                                                                          (used by minidump-writer, fxprof-processed-profile)            (2998 lines)
    cargo vet inspect memoffset 0.6.5                                                                         (used by nix, nix, ark-render)                                 (1007 lines)
    cargo vet inspect memoffset 0.6.5                                                                         (used by speedy)                                               (1007 lines)
    cargo vet inspect memoffset 0.6.5                                                                         (used by crossbeam-epoch, and 2 others)                        (1007 lines)

It also in some cases duplicates the same crate in the "used by", such as in "used by ndk, nix, nix, nix, png, ron, and 45 others" above; I would have expected it to list nix just once there.

bholley commented 1 year ago

@repi Thanks for the report, would be good to get that fixed.

Is it perhaps the case that (1) you have both parking_lot 0.11.2 and parking_lot X.Y.Z in the tree, and (2) you have a delta audit for parking_lot X.Y.Z -> 0.11.2? That might plausibly cause this behavior (since each of the suggestions corresponds to a different node in your crate graph, but the suggested action happens to be the same).

If not, is there a way you could provide a minimized testcase?

repi commented 1 year ago

We have 2 parking_lot crates used in this workspace and the lockfile, 0.11.2 and 0.12.1. The memoffset and bitflags crates we also have multiple versions of, so that is probably the source of confusion here.

wrt parking_lot, we have a single audit imported for it:

    [[audits.zcash.audits.parking_lot]]
    who = "Jack Grigg <jack@z.cash>"
    criteria = "safe-to-deploy"
    delta = "0.11.2 -> 0.12.1"
    notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable."
    aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"

and also a single exemption (generated by cargo vet generate exemptions):

    [[exemptions.parking_lot]]
    version = "0.11.2"
    criteria = "safe-to-deploy"

So this combination is probably what is causing it somehow.

mystor commented 1 year ago

The patches in #483 should fix this duplication issue. I believe it is caused by that imported delta audit and generated exemption entry as you expected.
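To illustrate what the duplication looks like from the output side, here is an added example (not cargo-vet's code and not the #483 patch) that merges `suggest` rows sharing the same crate+version and drops repeated dependents; the `Suggestion` type and the sample rows are constructed here and modelled on the report above.

```rust
use std::collections::BTreeMap;

/// One `cargo vet suggest` row, constructed for this example
/// (not cargo-vet's own data type).
#[derive(Debug, Clone)]
pub struct Suggestion {
    pub krate: String,
    pub version: String,
    pub used_by: Vec<String>,
    pub lines: usize,
}

fn sug(krate: &str, version: &str, used_by: &[&str], lines: usize) -> Suggestion {
    Suggestion {
        krate: krate.to_string(),
        version: version.to_string(),
        used_by: used_by.iter().map(|d| d.to_string()).collect(),
        lines,
    }
}

/// Constructed rows modelled on the duplicated lines in the report above.
pub fn sample_raw() -> Vec<Suggestion> {
    vec![
        sug("parking_lot", "0.11.2", &["bb8", "sled"], 5584),
        sug("parking_lot", "0.11.2", &["cpal", "tokio"], 5584),
        sug("memoffset", "0.6.5", &["nix", "nix", "ark-render"], 1007),
        sug("memoffset", "0.6.5", &["speedy"], 1007),
    ]
}

/// Collapse rows sharing crate+version into one, merging their dependents and
/// dropping repeats (several versions of `nix` otherwise show as "nix, nix, nix").
/// The BTreeMap key gives output sorted by crate, then version.
pub fn dedup_suggestions(raw: &[Suggestion]) -> Vec<Suggestion> {
    let mut merged: BTreeMap<(String, String), Suggestion> = BTreeMap::new();
    for row in raw {
        let entry = merged
            .entry((row.krate.clone(), row.version.clone()))
            .or_insert_with(|| sug(&row.krate, &row.version, &[], row.lines));
        for dep in &row.used_by {
            if !entry.used_by.contains(dep) {
                entry.used_by.push(dep.clone());
            }
        }
    }
    merged.into_values().collect()
}
```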

repi commented 1 year ago

thanks!