diff --git a/cargo-auditable.schema.json b/cargo-auditable.schema.json
new file mode 100644
index 0000000..ec45e3a
--- /dev/null
+++ b/cargo-auditable.schema.json
@@ -0,0 +1,107 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "$id": "https://rustsec.org/schemas/cargo-auditable.json",
+ "title": "cargo-auditable schema",
+ "description": "Describes the `VersionInfo` JSON data structure that cargo-auditable embeds into Rust binaries.",
+ "type": "object",
+ "required": [
+ "packages"
+ ],
+ "properties": {
+ "format": {
+ "description": "Format revision. Identifies the data source for the audit data.\n\nFormat revisions are **backwards compatible.** If an unknown format is encountered, it should be treated as the highest known preceding format. For example, if formats `0`, `1` and `8` are known, format `4` should be treated as if it's `1`.\n\n# Known formats\n\n## 0 (or the field is absent)\n\nGenerated based on the data provided by [`cargo metadata`](https://doc.rust-lang.org/cargo/commands/cargo-metadata.html).\n\nThere are multiple [known](https://github.com/rust-lang/cargo/issues/7754) [issues](https://github.com/rust-lang/cargo/issues/10718) with this data source, leading to the audit data sometimes including more dependencies than are really used in the build.\n\nHowever, is the only machine-readable data source available on stable Rust as of v1.88.\n\nAdditionally, this format incorrectly includes [procedural macros](https://doc.rust-lang.org/reference/procedural-macros.html) and their dependencies as runtime dependencies while in reality they are build-time dependencies.\n\n## 1\n\nSame as 0, but correctly records proc-macros and their dependencies as build-time dependencies.\n\nMay still include slightly more dependencies than are actually used, especially in workspaces.\n\n## 8\n\nGenerated using Cargo's [SBOM precursor](https://doc.rust-lang.org/cargo/reference/unstable.html#sbom) as the data source.\n\nThis data is highly accurate, but as of Rust v1.88 can only be generated using a nightly build of Cargo.",
+ "type": "integer",
+ "format": "uint32",
+ "minimum": 0.0
+ },
+ "packages": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/Package"
+ }
+ }
+ },
+ "definitions": {
+ "DependencyKind": {
+ "type": "string",
+ "enum": [
+ "build",
+ "runtime"
+ ]
+ },
+ "Package": {
+ "description": "A single package in the dependency tree",
+ "type": "object",
+ "required": [
+ "name",
+ "source",
+ "version"
+ ],
+ "properties": {
+ "dependencies": {
+ "description": "Packages are stored in an ordered array both in the `VersionInfo` struct and in JSON. Here we refer to each package by its index in the array. May be omitted if the list is empty.",
+ "type": "array",
+ "items": {
+ "type": "integer",
+ "format": "uint",
+ "minimum": 0.0
+ }
+ },
+ "kind": {
+ "description": "\"build\" or \"runtime\". May be omitted if set to \"runtime\". If it's both a build and a runtime dependency, \"runtime\" is recorded.",
+ "allOf": [
+ {
+ "$ref": "#/definitions/DependencyKind"
+ }
+ ]
+ },
+ "name": {
+ "description": "Crate name specified in the `name` field in Cargo.toml file. Examples: \"libc\", \"rand\"",
+ "type": "string"
+ },
+ "root": {
+ "description": "Whether this is the root package in the dependency tree. There should only be one root package. May be omitted if set to `false`.",
+ "type": "boolean"
+ },
+ "source": {
+ "description": "Currently \"git\", \"local\", \"crates.io\" or \"registry\". Designed to be extensible with other revision control systems, etc.",
+ "allOf": [
+ {
+ "$ref": "#/definitions/Source"
+ }
+ ]
+ },
+ "version": {
+ "description": "The package's version in the [semantic version](https://semver.org) format.",
+ "type": "string"
+ }
+ }
+ },
+ "Source": {
+ "description": "Serializes to \"git\", \"local\", \"crates.io\" or \"registry\". Designed to be extensible with other revision control systems, etc.",
+ "oneOf": [
+ {
+ "type": "string",
+ "enum": [
+ "CratesIo",
+ "Git",
+ "Local",
+ "Registry"
+ ]
+ },
+ {
+ "type": "object",
+ "required": [
+ "Other"
+ ],
+ "properties": {
+ "Other": {
+ "type": "string"
+ }
+ },
+ "additionalProperties": false
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
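Review bot: the `Source` enum values in this hunk (`"CratesIo"`, `"Git"`, `"Local"`, `"Registry"`) do not match the serialized names the same file documents for the `source` field ("git", "local", "crates.io", "registry"), so one of the two is wrong: either the schema will reject audit data that a compliant writer produces, or the descriptions are misleading. Please check the actual serde output for `Source` and either apply the matching rename in the schema generator so the enum reads `"crates.io"`, `"git"`, `"local"`, `"registry"`, or correct the two descriptions. Two smaller points in the same hunk: the `format` description has a dropped word ("However, is the only machine-readable data source" should read "However, it is the only machine-readable data source"), and the file is committed without a trailing newline (`\ No newline at end of file`); since this is generated, fix both in the generator so the next regeneration does not reintroduce them.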
diff --git a/src/lib.rs b/src/lib.rs
index 1b0adc2..06fca94 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -207,8 +207,6 @@ mod tests {
let contents = fs::read_to_string(
// `CARGO_MANIFEST_DIR` env is path to dir containing auditable-serde's Cargo.toml
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
- .parent()
- .unwrap()
.join("cargo-auditable.schema.json"),
)
.expect("error reading existing schema");
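Review bot: dropping `.parent().unwrap()` is consistent with the schema file now living next to this crate's `Cargo.toml` (the first hunk adds it at `cargo-auditable.schema.json`, a sibling of `src/`), but the `expect` message still gives no hint of which path was tried, which makes the failure hard to read when the file is missing after a move like this one. Suggest binding the path first and including it in the panic, e.g. `.unwrap_or_else(|e| panic!("error reading {}: {e}", path.display()))`. Also, the schema added in this patch has no trailing newline; if this test compares the file contents byte-for-byte against a freshly generated schema, an editor that appends a newline will break it, so compare trimmed strings or parsed JSON instead.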