Remove dependency on cargo-lock

rust-secure-code · Jul 30, 2024 · 7624041 · 7624041
1 parent 38b3733
commit 7624041
Show file tree

Hide file tree

Showing 8 changed files with 12 additions and 248 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -50,12 +50,12 @@ If you're using a shell other than bash, or if using an alias is not an option,
 When used on images or directories, Rust audit support must be enabled by adding the `--catalogers all` CLI option, e.g `syft --catalogers all <container image containing Rust auditable binary>`.
 * [rust-audit-info](https://crates.io/crates/rust-audit-info) recovers the dependency list from a binary and prints it in JSON.
 
-It is also interoperable with existing tooling that consumes Cargo.lock via the [JSON-to-TOML convertor](auditable-serde/examples/json-to-toml.rs). However, we recommend supporting the format natively; the format is designed to be [very easy to parse](PARSING.md), even if your language does not have a library for that yet.
-
 ### Can I read this data using a tool written in a different language?
 
 Yes. The data format is designed for interoperability with alternative implementations. In fact, parsing it only takes [5 lines of Python](PARSING.md). See [here](PARSING.md) for documentation on parsing the data.
 
+Besides that, Syft can read it and convert it to a multitude of formats. `auditable2cdx` can convert it to CycloneDX, which is understood by most tools. This conversion lets you feed this data even to tools you cannot modify.
+
 ### What is the data format, exactly?
 
 The data format is described by the JSON schema [here](cargo-auditable.schema.json).

diff --git a/auditable-cyclonedx/Cargo.toml b/auditable-cyclonedx/Cargo.toml
@@ -12,4 +12,4 @@ categories = ["encoding"]
 
 [dependencies]
 cyclonedx-bom = "0.5.0"
-auditable-serde = {version = "0.6.1", path = "../auditable-serde"}
+auditable-serde = {version = "0.7.0", path = "../auditable-serde"}
diff --git a/auditable-info/Cargo.toml b/auditable-info/Cargo.toml
@@ -13,7 +13,7 @@ edition = "2018"
 [dependencies]
 auditable-extract = {version = "0.3.4", path = "../auditable-extract", default-features = false }
 miniz_oxide = { version = "0.6.2", features = ["std"] }
-auditable-serde = {version = "0.6.0", path = "../auditable-serde", optional = true}
+auditable-serde = {version = "0.7.0", path = "../auditable-serde", optional = true}
 serde_json = { version = "1.0.57", optional = true }
 
 [features]

diff --git a/auditable-serde/Cargo.toml b/auditable-serde/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "auditable-serde"
-version = "0.6.1"
+version = "0.7.0"
 authors = ["Sergey \"Shnatsel\" Davidoff <[email protected]>"]
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/rust-secure-code/cargo-auditable"
@@ -14,22 +14,16 @@ all-features = true
 [features]
 default = []
 from_metadata = ["cargo_metadata"]
-toml = ["cargo-lock"]
 schema = ["schemars"]
 
 [dependencies]
 serde = { version = "1", features = ["serde_derive"] }
 serde_json = "1.0.57"
 semver = { version = "1.0", features = ["serde"] }
 cargo_metadata = { version = "0.15", optional = true }
-cargo-lock = { version = "9", default-features = false, optional = true }
 topological-sort = "0.2.2"
 schemars = {version = "0.8.10", optional = true }
 
-[[example]]
-name = "json-to-toml"
-required-features = ["toml"]
-
 [[example]]
 name = "from-metadata"
 required-features = ["from_metadata"]
diff --git a/auditable-serde/examples/json-to-toml.rs b/auditable-serde/examples/json-to-toml.rs