
Support Cargo lock file format version 4 #771

Closed
umweltinfo opened this issue Nov 28, 2024 · 8 comments · Fixed by #772

Comments

@umweltinfo

Since our last dependency update we are seeing errors like

```
[2024-11-28T09:23:18Z WARN  cargo_cyclonedx::generator] Failed to parse `Cargo.lock`: parse error: parse error: invalid Cargo.lock format version: `4`

    Hashes will not be included in the SBOM.
```

in our CI jobs that create SBOMs.

@umweltinfo
Author

I am not sure, but I suspect that the cargo_metadata dependency needs to be updated? Though its CHANGELOG does not appear to mention format version 4, there is a new incompatible version 0.19 available.

@lfrancke
Contributor

Thanks for raising the issue. I totally missed that v4 is available.
I just did some quick research. It's been stabilized in Rust 1.78 (May 2024): rust-lang/cargo#12852

Is this something you'd be willing to create a PR for?

@Shnatsel
Contributor

That issue is actually due to the cargo-lock crate being too old, not cargo-metadata.

@Shnatsel
Contributor

Also edition 2024 is coming soon, but cargo-metadata v0.18.x is recent enough to handle that. So we don't have to upgrade cargo-metadata, which brought some rather disruptive changes in v0.19.

@Shnatsel
Contributor

@umweltinfo please try `cargo install --git https://github.com/CycloneDX/cyclonedx-rust-cargo.git` and let me know if the version from git works.

@umweltinfo
Author

Thanks for the quick fix, which appears to work fine!

Note that the installation command needs to be

```
cargo install --git https://github.com/CycloneDX/cyclonedx-rust-cargo.git cargo-cyclonedx
```

to select the relevant binary.

Note that the installation also logs the following warning:

```
warning: profiles for the non root package will be ignored, specify profiles at the workspace root:
package:   /home/ubuntu/.cargo/git/checkouts/cyclonedx-rust-cargo-95925afc4f819a51/1b0b996/cargo-cyclonedx/Cargo.toml
workspace: /home/ubuntu/.cargo/git/checkouts/cyclonedx-rust-cargo-95925afc4f819a51/1b0b996/Cargo.toml
```

@Shnatsel
Contributor

Nice, thanks for confirming! I'll publish a release with the fix later today.

@Shnatsel
Contributor

v0.5.7 with the fix is up on crates.io.
