
Add Cargo (Rust) as supported package manager #724

Closed
tsteenbe opened this issue Aug 1, 2018 · 5 comments

Comments

3 participants
@tsteenbe
Member

commented Aug 1, 2018

Add support for the Cargo dependency manager to the analyzer module.

https://github.com/rust-lang/cargo
https://doc.rust-lang.org/cargo/

@tsteenbe tsteenbe changed the title analyzer: Add Cargo support Add Cargo (Rust) as supported package manager Aug 1, 2018

@tsteenbe tsteenbe added this to Q4 2018 in Kanban + Roadmap Aug 1, 2018

@sschuberth

Collaborator

commented Sep 7, 2018

/cc @fbenkstein 😉

@fbenkstein


commented Sep 11, 2018

@tsteenbe

Member Author

commented Sep 12, 2018

For ORT to work we need 3 things:

  • dependency tree including package name, version
  • declared license for a package
  • source code location of the package (VCS location + revision, package source code/binary artifact)

No plugin should be required to be installed in order to analyze Cargo/Rust-based projects.

For the dependency tree, I found the following:

@tsteenbe

Member Author

commented Sep 12, 2018

Off-topic - when we want to add Rust security advisories we could look at https://crates.rs/crates/cargo-audit

@fbenkstein fbenkstein self-assigned this Oct 9, 2018

@tsteenbe tsteenbe moved this from To do Q1 2019 to To Do Q2 2019 in Kanban + Roadmap Jan 14, 2019

@sschuberth

Collaborator

commented Apr 26, 2019

Another tool that might be useful: https://github.com/Nemo157/cargo-lichking

@fbenkstein fbenkstein removed their assignment Jun 25, 2019

@boxdot boxdot referenced this issue Jul 1, 2019

Merged

Cargo support #1602

boxdot added a commit to boxdot/oss-review-toolkit that referenced this issue Jul 3, 2019

Add support for Rust's package manager Cargo.
The package manager builds in general from source archives called
crates that are downloaded from crates.io or a custom crates
registry. The only exceptions are the dependencies specified through a
[path] or through a [git] repository.

The information about the project and its dependencies is fully
provided by the `cargo metadata` command. In particular, it resolves
the dependency tree of the project. The information is produced from
the project definition `Cargo.toml` and its lock file `Cargo.lock`.
The latter file is generated by the metadata command if it does not
exist. Note that for workspaces `Cargo.lock` is generated next to the
workspace definition, therefore in that case we try to find it in the
parent directories.

The `downloader` is changed to prefer crates instead of downloading
the source code from VCS for Cargo packages.

Also, since the downloader is not following redirects, a crate is
downloaded without a crate extension and therefore needs to be
renamed, since the mime-type detection for `unpack` is based on the
file extension.

Resolves heremaps#724

[path]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-path-dependencies
[git]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-git-repositories

Signed-off-by: boxdot <d@zerovolt.org>
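As an added example (not ORT's code, nor boxdot's), this Python walks a constructed `cargo metadata --format-version 1` excerpt and extracts the three things the thread asks for: the dependency tree with names and versions, the declared license, and the source location, classifying each package as a crates.io archive, a [git] dependency with its pinned revision, or a [path] dependency, as the commit message above describes. The crate names, versions, git URL and paths in the sample are invented.

```python
import json

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"
GIT_SRC = "git+https://example.invalid/org/util?branch=main#0123456789abcdef0123456789abcdef01234567"
# Constructed excerpt in the shape of `cargo metadata --format-version 1` (not real project
# output, fields not used below omitted): a root crate with a crates.io, a git and a path dependency.
APP, SERDE = "app 0.1.0 (path+file:///work/app)", f"serde 1.0.100 ({CRATES_IO})"
UTIL, LOCAL = f"util 0.2.0 ({GIT_SRC})", "local 0.1.0 (path+file:///work/local)"
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"id": APP, "name": "app", "version": "0.1.0", "license": "MIT", "source": None,
         "manifest_path": "/work/app/Cargo.toml"},
        {"id": SERDE, "name": "serde", "version": "1.0.100", "license": "MIT OR Apache-2.0",
         "source": CRATES_IO, "manifest_path": "/home/u/.cargo/registry/src/x/serde-1.0.100/Cargo.toml"},
        {"id": UTIL, "name": "util", "version": "0.2.0", "license": None, "source": GIT_SRC,
         "manifest_path": "/home/u/.cargo/git/checkouts/util-abc/0123456/Cargo.toml"},
        {"id": LOCAL, "name": "local", "version": "0.1.0", "license": "Apache-2.0", "source": None,
         "manifest_path": "/work/local/Cargo.toml"},
    ],
    "resolve": {"root": APP, "nodes": [
        {"id": APP, "dependencies": [SERDE, UTIL]}, {"id": SERDE, "dependencies": []},
        {"id": UTIL, "dependencies": [LOCAL]}, {"id": LOCAL, "dependencies": []}]},
})

def source_location(pkg):
    """Where the code comes from: crates.io archive, git URL plus revision, or a local path."""
    src = pkg["source"]
    if src is None:  # [path] dependency or the root project itself: no download, only a directory
        return {"kind": "path", "location": pkg["manifest_path"].rsplit("/", 1)[0]}
    if src == CRATES_IO:  # downloader prefers the .crate archive over cloning the VCS
        return {"kind": "crate", "location": f"https://crates.io/api/v1/crates/{pkg['name']}/{pkg['version']}/download"}
    if src.startswith("git+"):  # [git] dependency: the URL and the pinned commit from Cargo.lock
        url, _, rev = src[len("git+"):].partition("#")
        return {"kind": "git", "location": url.split("?")[0], "revision": rev}
    return {"kind": "registry", "location": src}  # custom registry

def dependency_tree(metadata_json):
    """Nested name/version/license/source tree built from the resolved graph, root first."""
    meta = json.loads(metadata_json)
    pkgs = {p["id"]: p for p in meta["packages"]}
    edges = {n["id"]: n["dependencies"] for n in meta["resolve"]["nodes"]}

    def node(pkg_id, seen):
        p = pkgs[pkg_id]
        children = [node(d, seen | {pkg_id}) for d in edges[pkg_id] if d not in seen]  # guards cycles
        return {"name": p["name"], "version": p["version"], "license": p["license"],
                "source": source_location(p), "dependencies": children}

    return node(meta["resolve"]["root"], frozenset())
```

A package whose `license` comes back as `None` (here the git dependency) is exactly the case where the declared-license requirement from the thread cannot be met from metadata alone and the scanner has to look at the checkout.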

boxdot added a commit to boxdot/oss-review-toolkit that referenced this issue Jul 11, 2019

Add support for Rust's package manager Cargo.
The package manager builds in general from source archives called
crates that are downloaded from crates.io or a custom crates
registry. The only exceptions are the dependencies specified through a
[path] or through a [git] repository. For now, cargo does not support
binary artifacts.

The information about the project and its dependencies is fully
provided by the `cargo metadata` command. In particular, it resolves
the dependency tree of the project. The information is produced from
the project definition `Cargo.toml` and its lock file `Cargo.lock`.
The latter file is generated by the metadata command if it does not
exist. Note that for workspaces `Cargo.lock` is generated next to the
workspace definition.

The `downloader` is changed to prefer crates instead of downloading
the source code from VCS for Cargo packages.

Resolves heremaps#724

[path]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-path-dependencies
[git]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-git-repositories

Signed-off-by: boxdot <d@zerovolt.org>

boxdot added a commit to boxdot/oss-review-toolkit that referenced this issue Jul 11, 2019


boxdot added a commit to boxdot/oss-review-toolkit that referenced this issue Jul 11, 2019


Kanban + Roadmap automation moved this from To Do Q2 2019 to Done Jul 11, 2019

sschuberth added a commit that referenced this issue Jul 11, 2019

Add support for Rust's package manager Cargo.
The package manager builds in general from source archives called
crates that are downloaded from crates.io or a custom crates
registry. The only exceptions are the dependencies specified through a
[path] or through a [git] repository. For now, cargo does not support
binary artifacts.

The information about the project and its dependencies is fully
provided by the `cargo metadata` command. In particular, it resolves
the dependency tree of the project. The information is produced from
the project definition `Cargo.toml` and its lock file `Cargo.lock`.
The latter file is generated by the metadata command if it does not
exist. Note that for workspaces `Cargo.lock` is generated next to the
workspace definition.

The `downloader` is changed to prefer crates instead of downloading
the source code from VCS for Cargo packages.

Resolves #724

[path]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-path-dependencies
[git]: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-git-repositories

Signed-off-by: boxdot <d@zerovolt.org>