TC-2279 has_sbom: subject artifact management

[mrizzi]

https://issues.redhat.com/browse/TC-2279

[helio-frota]

@mrizzi seems related to rust update

error: package `native-tls v0.2.14` cannot be built because it requires rustc 1.80.0 or newer, while the currently active rustc version is 1.77.2

We can relate with #78

[mrizzi]

@mrizzi seems related to rust update

error: package `native-tls v0.2.14` cannot be built because it requires rustc 1.80.0 or newer, while the currently active rustc version is 1.77.2

We can relate with #78

@helio-frota wouldn't the update of this project's toolchain cause issues when building trustification due to https://github.com/trustification/trustification/blob/3bddbdbd25f7444e3d25aa063dc625e6729d8d30/rust-toolchain.toml#L2?

@dejanb WDYT?

[helio-frota]

@mrizzi I'm not sure, something to test 👍

what I know is that something may happen with trustification at some point like happened with your PR 👍

I'll build using guac-rs from github to see what happens

[helio-frota]

Apparently this PR #78 is not working anymore or I have issues with my cargo setup

something insists to keep these versions:

➜  index.crates.io-6f17d22bba15001f rm -Rf nuid-0.3.2/
➜  index.crates.io-6f17d22bba15001f rm -Rf async-nats-0.29.0/

Causing build errors:

error[E0432]: unresolved import `rand::distributions`
  --> /home/heliofrota/.cargo/registry/src/index.crates.io-6f17d22bba15001f/nuid-0.3.2/src/lib.rs:19:11
   |
19 | use rand::distributions::Alphanumeric;
   |           ^^^^^^^^^^^^^ could not find `distributions` in `rand`

error[E0599]: the method `sample_iter` exists for struct `OsRng`, but its trait bounds were not satisfied
  --> /home/heliofrota/.cargo/registry/src/index.crates.io-6f17d22bba15001f/nuid-0.3.2/src/lib.rs:82:27
   |
82 |         for (i, n) in rng.sample_iter(&Alphanumeric).take(PRE_LEN).enume...
   |                           ^^^^^^^^^^^ method cannot be called on `OsRng` due to unsatisfied trait bounds
   |
  ::: /home/heliofrota/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rand_core-0.9.3/src/os.rs:47:1

apparently related to async-nats, that is declared as 0.39

[workspace.dependencies]
anyhow = "1.0.39"
async-nats = "0.39"

and the Cargo.lock shows some other async-nats dependencies:

➜  guac-rs git:(updates) ✗ cat Cargo.lock | rg async-nats -A 2 -B 2

[[package]]
name = "async-nats"
version = "0.29.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1174495e436c928905018f10a36160f7a8a6786450f50f4ce7fba05d1539704c"
dependencies = [
 "async-nats-tokio-rustls-deps",
 "base64 0.13.1",
 "base64-url",
--

[[package]]
name = "async-nats"
version = "0.39.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
--

[[package]]
name = "async-nats-tokio-rustls-deps"
version = "0.24.0-ALPHA.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
--
dependencies = [
 "anyhow",
 "async-nats 0.29.0",
 "async-std",
 "async-trait",
--
dependencies = [
 "anyhow",
 "async-nats 0.39.0",
 "async-trait",
 "chrono",

I'll uninstall rust and try again

[helio-frota]

no problem with my setup, after uninstalling rust the error continues, rustup self uninstall to test 👍

[helio-frota]

we are having a cyclic dependency issue that got worst overtime, (since the PR worked (past year)) :

➜  guac-rs git:(updates) ✗ cargo tree --depth 3 | rg "async\-nats" -B 10
guac v0.7.2-0 (/home/heliofrota/Desktop/tc/guac-rs/lib)
├── anyhow v1.0.97
├── async-nats v0.39.0
--
│   │   ├── log v0.4.26 (*)
│   │   └── regex v1.11.1 (*)
│   ├── humantime v2.1.0
│   └── log v0.4.26 (*)
├── exporter v0.1.0 (https://github.com/trustification/trustification.git?tag=v0.1.0-nightly.9382a428#9382a428) < ------
│   ├── anyhow v1.0.97
│   ├── clap v4.5.31 (*)
│   ├── futures v0.3.31 (*)
│   ├── guac v0.1.0 (https://github.com/trustification/guac-rs.git?rev=5b8cad8342d42072a72ef4a149348d0d86a84176#5b8cad83)
│   │   ├── anyhow v1.0.97
│   │   ├── async-nats v0.29.0 < ------

➜  guac-rs git:(updates) ✗ cargo tree --depth 3 | rg "nuid" -B 20
├── async-nats v0.39.0 < -----
│   ├── base64 v0.22.1
│   ├── bytes v1.10.0
│   │   └── serde v1.0.218
│   ├── futures v0.3.31
│   │   ├── futures-channel v0.3.31
│   │   ├── futures-core v0.3.31
│   │   ├── futures-executor v0.3.31
│   │   ├── futures-io v0.3.31
│   │   ├── futures-sink v0.3.31
│   │   ├── futures-task v0.3.31
│   │   └── futures-util v0.3.31
│   ├── memchr v2.7.4
│   ├── nkeys v0.4.4
│   │   ├── data-encoding v2.8.0
│   │   ├── ed25519 v2.2.3
│   │   ├── ed25519-dalek v2.1.1
│   │   ├── log v0.4.26
│   │   ├── rand v0.8.5
│   │   └── signatory v0.27.1
│   ├── nuid v0.5.0 < -------------

same error downgrading async-nats...

-async-nats = "0.38"
+async-nats = "0.29"

[helio-frota]

and the main branch is not building

➜  guac-rs git:(main) cargo build
    Updating crates.io index
  Downloaded graphql_client v0.14.0
  Downloaded prost v0.12.6
  Downloaded graphql_query_derive v0.14.0
  Downloaded tonic-build v0.11.0
  Downloaded prost-derive v0.12.6
  Downloaded prost-types v0.12.6
  Downloaded prost-build v0.12.6
  Downloaded graphql_client_codegen v0.14.0
  Downloaded tonic v0.11.0
  Downloaded rustls v0.22.4
  Downloaded async-nats v0.35.1
  Downloaded tokio-rustls v0.25.0
  Downloaded 12 crates (1.1 MB) in 0.98s
error: package `zerofrom v0.1.6` cannot be built because it requires rustc 1.81 or newer, while the currently active rustc version is 1.77.2
Either upgrade to rustc 1.81 or newer, or use
cargo update zerofrom@0.1.6 --precise ver
where `ver` is the latest version of `zerofrom` supporting rustc 1.77.2

[helio-frota]

we need to update to rust 1.81.0 as MSRV 👍 #81

[dejanb]

@helio-frota How do we know that circular dependency is the cause of the issue? For me locally it also builds without any issues

If it is, maybe we should try to fix that. I'm also a bit wary of upgrading rust as it may affect the rest of the stack

[helio-frota]

@dejanb that circular dependency issue I saw using this branch:

➜ guac-rs git:(updates) ✗ cargo tree --depth 3 | rg "async\-nats" -B 10

from this PR #78

and then I closed the PR because the CI is not building even if we send a pull request adding a .txt file.

[helio-frota]

@dejanb now I see a different (when comparing with CI) error asking for rust 1.80.0.. but we already know CI will break if not using 1.81

error: package `native-tls v0.2.14` cannot be built because it requires rustc 1.80.0 or newer, while the currently active rustc version is 1.77.2
Either upgrade to rustc 1.80.0 or newer, or use
cargo update native-tls@0.2.14 --precise ver
where `ver` is the latest version of `native-tls` supporting rustc 1.77.2

we can reproduce with:

rustup self uninstall
git clone git@github.com:trustification/guac-rs.git
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
rustup toolchain install 1.77.2-x86_64-unknown-linux-gnu
cargo build

edit: same error #79 (comment)

[dejanb]

@helio-frota Thanks

I think we should remove dependency to trustification/export. This cli command was never used in production. Also, since we implemented S3 support into Guac directly, the exporter is not used as well.

I would move the whole code from trustification/exporter to guac-cli as a resolution to this.

We should coordinate rust version upgrade with trustification in a separate effort.