Merge pull request #752 from CycloneDX/revert-736-strip-build-deps

Revert "more explicit build dependency handling"

cargo-cyclonedx/src/cli.rs

@@ -100,10 +100,6 @@ Defaults to the host target, as printed by 'rustc -vV'"
  /// The CycloneDX specification version to output: `1.3`, `1.4` or `1.5`. Defaults to 1.3
  #[clap(long = "spec-version")]
  pub spec_version: Option<SpecVersion>,
-
- /// List only dependencies of kind normal (no build deps, no dev deps)
- #[clap(name = "only-normal-deps", long = "only-normal-deps")]
- pub only_normal_deps: bool,
 }
 
 impl Args {
@@ -174,7 +170,6 @@ impl Args {
 
  let describe = self.describe;
  let spec_version = self.spec_version;
- let only_normal_deps = Some(self.only_normal_deps);
 
  Ok(SbomConfig {
  format: self.format,
@@ -185,7 +180,6 @@ impl Args {
  license_parser,
  describe,
  spec_version,
- only_normal_deps,
  })
  }
 }
@@ -196,11 +190,6 @@ pub enum ArgsError {
  FilenameOverrideError(#[from] FilenameOverrideError),
 }
 
-#[cfg(test)]
-pub fn parse_to_config(args: &[&str]) -> SbomConfig {
- Args::parse_from(args.iter()).as_config().unwrap()
-}
-
 #[cfg(test)]
 mod tests {
  use super::*;
@@ -233,6 +222,10 @@ mod tests {
  assert!(!contains_feature(&config, ""));
  }
 
+ fn parse_to_config(args: &[&str]) -> SbomConfig {
+ Args::parse_from(args.iter()).as_config().unwrap()
+ }
+
  fn contains_feature(config: &SbomConfig, feature: &str) -> bool {
  config
  .features

cargo-cyclonedx/src/config.rs

@@ -33,7 +33,6 @@ pub struct SbomConfig {
  pub license_parser: Option<LicenseParserOptions>,
  pub describe: Option<Describe>,
  pub spec_version: Option<SpecVersion>,
- pub only_normal_deps: Option<bool>,
 }
 
 impl SbomConfig {
@@ -58,7 +57,6 @@ impl SbomConfig {
  .or_else(|| self.license_parser.clone()),
  describe: other.describe.or(self.describe),
  spec_version: other.spec_version.or(self.spec_version),
- only_normal_deps: other.only_normal_deps.or(self.only_normal_deps),
  }
  }
 

cargo-cyclonedx/src/generator.rs

@@ -1,5 +1,4 @@
 use crate::config::Describe;
-use std::cmp::min;
 /*
  * This file is part of CycloneDX Rust Cargo.
  *
@@ -55,8 +54,8 @@ use once_cell::sync::Lazy;
 use regex::Regex;
 
 use log::Level;
+use std::collections::BTreeMap;
 use std::collections::HashMap;
-use std::collections::{BTreeMap, LinkedList};
 use std::convert::TryFrom;
 use std::fs::File;
 use std::io::BufWriter;
@@ -69,42 +68,6 @@ use validator::validate_email;
 // Maps from PackageId to Package for efficiency - faster lookups than in a Vec
 type PackageMap = BTreeMap<PackageId, Package>;
 type ResolveMap = BTreeMap<PackageId, Node>;
-type DependencyKindMap = BTreeMap<PackageId, DependencyKind>;
-
-/// The values are ordered from weakest to strongest so that casting to integer would make sense
-#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Copy, Clone)]
-enum PrivateDepKind {
- Development,
- Build,
- Runtime,
-}
-impl From<PrivateDepKind> for DependencyKind {
- fn from(priv_kind: PrivateDepKind) -> Self {
- match priv_kind {
- PrivateDepKind::Development => DependencyKind::Development,
- PrivateDepKind::Build => DependencyKind::Build,
- PrivateDepKind::Runtime => DependencyKind::Normal,
- }
- }
-}
-
-impl From<&DependencyKind> for PrivateDepKind {
- fn from(kind: &DependencyKind) -> Self {
- match kind {
- DependencyKind::Normal => PrivateDepKind::Runtime,
- DependencyKind::Development => PrivateDepKind::Development,
- DependencyKind::Build => PrivateDepKind::Build,
- _ => panic!("Unknown dependency kind"),
- }
- }
-}
-
-fn strongest_dep_kind(deps: &[cargo_metadata::DepKindInfo]) -> PrivateDepKind {
- deps.iter()
- .map(|d| PrivateDepKind::from(&d.kind))
- .max()
- .unwrap_or(PrivateDepKind::Runtime) // for compatibility with Rust earlier than 1.41
-}
 
 pub struct SbomGenerator {
  config: SbomConfig,
@@ -135,13 +98,11 @@ impl SbomGenerator {
  for member in members.iter() {
  log::trace!("Processing the package {}", member);
 
- let dep_kinds = index_dep_kinds(member, &resolve);
-
  let (dependencies, pruned_resolve) =
  if config.included_dependencies() == IncludedDependencies::AllDependencies {
- all_dependencies(member, &packages, &resolve, config)
+ all_dependencies(member, &packages, &resolve)
  } else {
- top_level_dependencies(member, &packages, &resolve, config)
+ top_level_dependencies(member, &packages, &resolve)
  };
 
  let manifest_path = packages[member].manifest_path.clone().into_std_path_buf();
@@ -167,7 +128,7 @@ impl SbomGenerator {
  crate_hashes,
  };
  let (bom, target_kinds) =
- generator.create_bom(member, &dependencies, &pruned_resolve, &dep_kinds)?;
+ generator.create_bom(member, &dependencies, &pruned_resolve)?;
 
  let generated = GeneratedSbom {
  bom,
@@ -188,15 +149,14 @@ impl SbomGenerator {
  package: &PackageId,
  packages: &PackageMap,
  resolve: &ResolveMap,
- dep_kinds: &DependencyKindMap,
  ) -> Result<(Bom, TargetKinds), GeneratorError> {
  let mut bom = Bom::default();
  let root_package = &packages[package];
 
  let components: Vec<_> = packages
  .values()
  .filter(|p| &p.id != package)
- .map(|component| self.create_component(component, root_package, dep_kinds))
+ .map(|component| self.create_component(component, root_package))
  .collect();
 
  bom.components = Some(Components(components));
@@ -210,12 +170,7 @@ impl SbomGenerator {
  Ok((bom, target_kinds))
  }
 
- fn create_component(
- &self,
- package: &Package,
- root_package: &Package,
- dep_kinds: &DependencyKindMap,
- ) -> Component {
+ fn create_component(&self, package: &Package, root_package: &Package) -> Component {
  let name = package.name.to_owned().trim().to_string();
  let version = package.version.to_string();
 
@@ -235,13 +190,7 @@ impl SbomGenerator {
  );
 
  component.purl = purl;
- component.scope = match dep_kinds
- .get(&package.id)
- .unwrap_or(&DependencyKind::Normal)
- {
- DependencyKind::Normal => Some(Scope::Required),
- _ => Some(Scope::Excluded),
- };
+ component.scope = Some(Scope::Required);
  component.external_references = Self::get_external_references(package);
  component.licenses = self.get_licenses(package);
  component.hashes = self.get_hashes(package);
@@ -257,7 +206,7 @@ impl SbomGenerator {
  /// Same as [Self::create_component] but also includes information
  /// on binaries and libraries comprising it as subcomponents
  fn create_toplevel_component(&self, package: &Package) -> (Component, TargetKinds) {
- let mut top_component = self.create_component(package, package, &DependencyKindMap::new());
+ let mut top_component = self.create_component(package, package);
  let mut subcomponents: Vec<Component> = Vec::new();
  let mut target_kinds = HashMap::new();
  for tgt in filter_targets(&package.targets) {
@@ -593,49 +542,6 @@ fn index_resolve(packages: Vec<Node>) -> ResolveMap {
  .collect()
 }
 
-fn index_dep_kinds(root: &PackageId, resolve: &ResolveMap) -> DependencyKindMap {
- // cache strongest found dependency kind for every node
- let mut id_to_dep_kind: HashMap<&PackageId, PrivateDepKind> = HashMap::new();
- id_to_dep_kind.insert(root, PrivateDepKind::Runtime);
-
- let root_node = &resolve[root];
- let mut nodes_to_visit = LinkedList::<&Node>::new();
- nodes_to_visit.push_front(root_node);
-
- // perform a simple iterative DFS over the dependencies,
- // mark child deps with the minimum of parent kind and their own strongest value
- // therefore e.g. mark decendants of build dependencies as build dependencies,
- // as long as they never occur as normal dependency.
- while !nodes_to_visit.is_empty() {
- let node = nodes_to_visit.pop_front().unwrap();
- let parent_node_kind = id_to_dep_kind[&node.id];
-
- for child_dep in &node.deps {
- let child_node = &resolve[&child_dep.pkg];
- let dep_kind = strongest_dep_kind(child_dep.dep_kinds.as_slice());
- let child_node_kind = min(parent_node_kind, dep_kind);
-
- let dep_kind_on_previous_visit = id_to_dep_kind.get(&child_node.id);
- // insert/update a nodes dependency kind, when its new or stronger than the previous value
- if dep_kind_on_previous_visit.is_none()
- || child_node_kind > *dep_kind_on_previous_visit.unwrap()
- {
- let _ = id_to_dep_kind.insert(&child_node.id, child_node_kind);
- }
-
- // cargo metadata already return a DAG, so assume this will terminate
- // and don't mark already visited notes. It's ok and necessary to visit
- // deps as often as they occur.
- nodes_to_visit.push_front(child_node);
- }
- }
-
- id_to_dep_kind
- .iter()
- .map(|(x, y)| ((*x).clone(), DependencyKind::from(*y)))
- .collect()
-}
-
 #[derive(Error, Debug)]
 pub enum GeneratorError {
  #[error("Expected a root package in the cargo config: {config_filepath}")]
@@ -678,15 +584,13 @@ fn top_level_dependencies(
  root: &PackageId,
  packages: &PackageMap,
  resolve: &ResolveMap,
- config: &SbomConfig,
 ) -> (PackageMap, ResolveMap) {
  log::trace!("Adding top-level dependencies to SBOM");
 
  // Only include packages that have dependency kinds other than "Development"
- let root_node = add_filtered_dependencies(&resolve[root], config);
+ let root_node = strip_dev_dependencies(&resolve[root]);
 
  let mut pkg_result = PackageMap::new();
-
  // Record the root package, then its direct non-dev dependencies
  pkg_result.insert(root.to_owned(), packages[root].to_owned());
  for id in &root_node.dependencies {
@@ -711,7 +615,6 @@ fn all_dependencies(
  root: &PackageId,
  packages: &PackageMap,
  resolve: &ResolveMap,
- config: &SbomConfig,
 ) -> (PackageMap, ResolveMap) {
  log::trace!("Adding all dependencies to SBOM");
 
@@ -732,11 +635,9 @@ fn all_dependencies(
  // If we haven't processed this node yet...
  if !out_resolve.contains_key(&node.id) {
  // Add the node to the output
- out_resolve.insert(node.id.to_owned(), add_filtered_dependencies(node, config));
+ out_resolve.insert(node.id.to_owned(), strip_dev_dependencies(node));
  // Queue its dependencies for the next BFS loop iteration
- next_queue.extend(
- filtered_dependencies(&node.deps, config).map(|dep| &resolve[&dep.pkg]),
- );
+ next_queue.extend(non_dev_dependencies(&node.deps).map(|dep| &resolve[&dep.pkg]));
  }
  }
  std::mem::swap(&mut current_queue, &mut next_queue);
@@ -752,27 +653,20 @@ fn all_dependencies(
  (out_packages, out_resolve)
 }
 
-fn add_filtered_dependencies(node: &Node, config: &SbomConfig) -> Node {
+fn strip_dev_dependencies(node: &Node) -> Node {
  let mut node = node.clone();
- node.deps = filtered_dependencies(&node.deps, config).cloned().collect();
+ node.deps = non_dev_dependencies(&node.deps).cloned().collect();
  node.dependencies = node.deps.iter().map(|d| d.pkg.to_owned()).collect();
  node
 }
 
 /// Filters out dependencies only used for development, and not affecting the final binary.
 /// These are specified under `[dev-dependencies]` in Cargo.toml.
-fn filtered_dependencies<'a>(
- input: &'a [NodeDep],
- config: &'a SbomConfig,
-) -> impl Iterator<Item = &'a NodeDep> {
+fn non_dev_dependencies(input: &[NodeDep]) -> impl Iterator<Item = &NodeDep> {
  input.iter().filter(|p| {
- p.dep_kinds.iter().any(|dep| {
- if let Some(true) = config.only_normal_deps {
- dep.kind == DependencyKind::Normal
- } else {
- dep.kind != DependencyKind::Development
- }
- })
+ p.dep_kinds
+ .iter()
+ .any(|dep| dep.kind != DependencyKind::Development)
  })
 }
 
@@ -783,7 +677,6 @@ fn filtered_dependencies<'a>(
 /// * `package_name` - Package from which this SBOM was generated
 /// * `sbom_config` - Configuration options used during generation
 /// * `target_kinds` - Detailed information on the kinds of targets in `sbom`
-#[derive(Debug)]
 pub struct GeneratedSbom {
  pub bom: Bom,
  pub manifest_path: PathBuf,