
Commit 15cbd7b

committed
select first discovered SBOM file
1 parent 3634e94 commit 15cbd7b


2 files changed

+6
-9
lines changed


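--- a/cargo-auditable/src/collect_audit_data.rs
+++ b/cargo-auditable/src/collect_audit_data.rs
@@ -13,14 +13,11 @@ pub fn compressed_dependency_list(rustc_args: &RustcArgs, target_triple: &str) -
 
 // If cargo has created precursor SBOM files, use them instead of `cargo metadata`.
 let version_info = if sbom_path.as_ref().map(|p| !p.is_empty()).unwrap_or(false) {
-let sbom_paths = std::env::split_paths(&sbom_path.unwrap()).collect::<Vec<_>>();
-// Cargo may create multiple SBOM precursor files.
-// We can't control per-binary (or cdylib) dependency information, just grab the first non-rlib SBOM we find.
-let sbom_path = sbom_paths
-.iter()
-.find(|p| !p.ends_with(".rlib.cargo-sbom.json"))
-.unwrap_or_else(|| &sbom_paths[0]);
-let sbom_data: Vec<u8> = std::fs::read(sbom_path)
+// Cargo creates an SBOM file for each output file (rlib, bin, cdylib, etc),
+// but the SBOM file is identical for each output file in a given rustc crate compilation,
+// so we can just use the first SBOM we find.
+let sbom_path = std::env::split_paths(&sbom_path.unwrap()).next().unwrap();
+let sbom_data: Vec<u8> = std::fs::read(&sbom_path)
 .unwrap_or_else(|_| panic!("Failed to read SBOM file at {}", sbom_path.display()));
 let sbom_precursor: sbom_precursor::SbomPrecursor = serde_json::from_slice(&sbom_data)
 .unwrap_or_else(|_| panic!("Failed to parse SBOM file at {}", sbom_path.display()));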
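Review bot: The `.next().unwrap()` on the new line 19 is the one panic in this block that carries no message, while the read and parse failures directly below it both say what failed and at which path. `std::env::split_paths` should yield at least one entry for any non-empty string, so the unwrap is not expected to fire, but stating that invariant keeps the failure mode consistent with its neighbours: `let sbom_path = std::env::split_paths(&sbom_path.unwrap()).next().expect("non-empty SBOM path list yielded no entries");`. A path list with a leading separator would yield an empty first component, which then surfaces as the existing "Failed to read SBOM file at" panic with an empty path; if that is acceptable, the new comment could say so in one sentence so the next reader does not re-derive it. compressed_dependency_list starts before and continues after this hunk.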

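--- a/cargo-auditable/src/sbom_precursor.rs
+++ b/cargo-auditable/src/sbom_precursor.rs
@@ -23,7 +23,7 @@ impl From<SbomPrecursor> for VersionInfo {
 // cargo sbom data format has more nodes than the auditable info format - if a crate is both a build
 // and runtime dependency it will appear twice in the `crates` array.
 // The `VersionInfo` format lists each package only once, with a single `kind` field
-// (Runtime having precence over other kinds).
+// (Runtime having precedence over other kinds).
 
 // Firstly, we deduplicate the (name, version) pairs and create a mapping from the
 // original indices in the cargo sbom array to the new index in the auditable info package array.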
