1 | 1 | { |
2 | | - "$schema": "http://json-schema.org/draft-07/schema#", |
3 | | - "$id": "https://rustsec.org/schemas/cargo-auditable.json", |
4 | | - "title": "cargo-auditable schema", |
5 | | - "description": "Describes the `VersionInfo` JSON data structure that cargo-auditable embeds into Rust binaries.", |
6 | | - "type": "object", |
7 | | - "required": [ |
8 | | - "packages" |
9 | | - ], |
10 | | - "properties": { |
11 | | - "packages": { |
12 | | - "type": "array", |
13 | | - "items": { |
14 | | - "$ref": "#/definitions/Package" |
| 2 | + "$schema": "http://json-schema.org/draft-07/schema#", |
| 3 | + "$id": "https://rustsec.org/schemas/cargo-auditable.json", |
| 4 | + "title": "cargo-auditable schema", |
| 5 | + "description": "Describes the `VersionInfo` JSON data structure that cargo-auditable embeds into Rust binaries.", |
| 6 | + "type": "object", |
| 7 | + "required": [ |
| 8 | + "packages" |
| 9 | + ], |
| 10 | + "properties": { |
| 11 | + "format": { |
| 12 | + "description": "Format revision of the audit data.\n\nFormat revisions are **backwards compatible.** If an unknown format is encountered, it should be treated as the highest known preceding format. For example, if formats `0`, `1` and `8` are known, format `4` should be treated as if it's `1`.\n\n## Known formats\n\n### 0 (or the field is absent)\n\nGenerated based on the data provided by [`cargo metadata`](https://doc.rust-lang.org/cargo/commands/cargo-metadata.html).\n\nThere are multiple [known](https://github.com/rust-lang/cargo/issues/7754) [issues](https://github.com/rust-lang/cargo/issues/10718) with this data source, leading to the audit data sometimes including more dependencies than are really used in the build.\n\nHowever, is the only machine-readable data source available on stable Rust as of v1.88.\n\nAdditionally, this format incorrectly includes [procedural macros](https://doc.rust-lang.org/reference/procedural-macros.html) and their dependencies as runtime dependencies while in reality they are build-time dependencies.\n\n### 1\n\nSame as 0, but correctly records proc-macros and their dependencies as build-time dependencies.\n\nMay still include slightly more dependencies than are actually used, especially in workspaces.\n\n### 8\n\nGenerated using Cargo's [SBOM precursor](https://doc.rust-lang.org/cargo/reference/unstable.html#sbom) as the data source.\n\nThis data is highly accurate, but as of Rust v1.88 can only be generated using a nightly build of Cargo.", |
| 13 | + "type": "integer", |
| 14 | + "format": "uint32", |
| 15 | + "minimum": 0.0 |
| 16 | + }, |
| 17 | + "packages": { |
| 18 | + "type": "array", |
| 19 | + "items": { |
| 20 | + "$ref": "#/definitions/Package" |
| 21 | + } |
| 22 | + } |
| 23 | + }, |
| 24 | + "definitions": { |
| 25 | + "DependencyKind": { |
| 26 | + "type": "string", |
| 27 | + "enum": [ |
| 28 | + "build", |
| 29 | + "runtime" |
| 30 | + ] |
| 31 | + }, |
| 32 | + "Package": { |
| 33 | + "description": "A single package in the dependency tree", |
| 34 | + "type": "object", |
| 35 | + "required": [ |
| 36 | + "name", |
| 37 | + "source", |
| 38 | + "version" |
| 39 | + ], |
| 40 | + "properties": { |
| 41 | + "dependencies": { |
| 42 | + "description": "Packages are stored in an ordered array both in the `VersionInfo` struct and in JSON. Here we refer to each package by its index in the array. May be omitted if the list is empty.", |
| 43 | + "type": "array", |
| 44 | + "items": { |
| 45 | + "type": "integer", |
| 46 | + "format": "uint", |
| 47 | + "minimum": 0.0 |
| 48 | + } |
| 49 | + }, |
| 50 | + "kind": { |
| 51 | + "description": "\"build\" or \"runtime\". May be omitted if set to \"runtime\". If it's both a build and a runtime dependency, \"runtime\" is recorded.", |
| 52 | + "allOf": [ |
| 53 | + { |
| 54 | + "$ref": "#/definitions/DependencyKind" |
| 55 | + } |
| 56 | + ] |
| 57 | + }, |
| 58 | + "name": { |
| 59 | + "description": "Crate name specified in the `name` field in Cargo.toml file. Examples: \"libc\", \"rand\"", |
| 60 | + "type": "string" |
| 61 | + }, |
| 62 | + "root": { |
| 63 | + "description": "Whether this is the root package in the dependency tree. There should only be one root package. May be omitted if set to `false`.", |
| 64 | + "type": "boolean" |
| 65 | + }, |
| 66 | + "source": { |
| 67 | + "description": "Currently \"git\", \"local\", \"crates.io\" or \"registry\". Designed to be extensible with other revision control systems, etc.", |
| 68 | + "allOf": [ |
| 69 | + { |
| 70 | + "$ref": "#/definitions/Source" |
15 | 71 | } |
| 72 | + ] |
| 73 | + }, |
| 74 | + "version": { |
| 75 | + "description": "The package's version in the [semantic version](https://semver.org) format.", |
| 76 | + "type": "string" |
16 | 77 | } |
| 78 | + } |
17 | 79 | }, |
18 | | - "definitions": { |
19 | | - "DependencyKind": { |
20 | | - "type": "string", |
21 | | - "enum": [ |
22 | | - "build", |
23 | | - "runtime" |
24 | | - ] |
| 80 | + "Source": { |
| 81 | + "description": "Serializes to \"git\", \"local\", \"crates.io\" or \"registry\". Designed to be extensible with other revision control systems, etc.", |
| 82 | + "oneOf": [ |
| 83 | + { |
| 84 | + "type": "string", |
| 85 | + "enum": [ |
| 86 | + "CratesIo", |
| 87 | + "Git", |
| 88 | + "Local", |
| 89 | + "Registry" |
| 90 | + ] |
25 | 91 | }, |
26 | | - "Package": { |
27 | | - "description": "A single package in the dependency tree", |
28 | | - "type": "object", |
29 | | - "required": [ |
30 | | - "name", |
31 | | - "source", |
32 | | - "version" |
33 | | - ], |
34 | | - "properties": { |
35 | | - "dependencies": { |
36 | | - "description": "Packages are stored in an ordered array both in the `VersionInfo` struct and in JSON. Here we refer to each package by its index in the array. May be omitted if the list is empty.", |
37 | | - "type": "array", |
38 | | - "items": { |
39 | | - "type": "integer", |
40 | | - "format": "uint", |
41 | | - "minimum": 0.0 |
42 | | - } |
43 | | - }, |
44 | | - "kind": { |
45 | | - "description": "\"build\" or \"runtime\". May be omitted if set to \"runtime\". If it's both a build and a runtime dependency, \"runtime\" is recorded.", |
46 | | - "allOf": [ |
47 | | - { |
48 | | - "$ref": "#/definitions/DependencyKind" |
49 | | - } |
50 | | - ] |
51 | | - }, |
52 | | - "name": { |
53 | | - "description": "Crate name specified in the `name` field in Cargo.toml file. Examples: \"libc\", \"rand\"", |
54 | | - "type": "string" |
55 | | - }, |
56 | | - "root": { |
57 | | - "description": "Whether this is the root package in the dependency tree. There should only be one root package. May be omitted if set to `false`.", |
58 | | - "type": "boolean" |
59 | | - }, |
60 | | - "source": { |
61 | | - "description": "Currently \"git\", \"local\", \"crates.io\" or \"registry\". Designed to be extensible with other revision control systems, etc.", |
62 | | - "allOf": [ |
63 | | - { |
64 | | - "$ref": "#/definitions/Source" |
65 | | - } |
66 | | - ] |
67 | | - }, |
68 | | - "version": { |
69 | | - "description": "The package's version in the [semantic version](https://semver.org) format.", |
70 | | - "type": "string" |
71 | | - } |
| 92 | + { |
| 93 | + "type": "object", |
| 94 | + "required": [ |
| 95 | + "Other" |
| 96 | + ], |
| 97 | + "properties": { |
| 98 | + "Other": { |
| 99 | + "type": "string" |
72 | 100 | } |
73 | | - }, |
74 | | - "Source": { |
75 | | - "description": "Serializes to \"git\", \"local\", \"crates.io\" or \"registry\". Designed to be extensible with other revision control systems, etc.", |
76 | | - "oneOf": [ |
77 | | - { |
78 | | - "type": "string", |
79 | | - "enum": [ |
80 | | - "CratesIo", |
81 | | - "Git", |
82 | | - "Local", |
83 | | - "Registry" |
84 | | - ] |
85 | | - }, |
86 | | - { |
87 | | - "type": "object", |
88 | | - "required": [ |
89 | | - "Other" |
90 | | - ], |
91 | | - "properties": { |
92 | | - "Other": { |
93 | | - "type": "string" |
94 | | - } |
95 | | - }, |
96 | | - "additionalProperties": false |
97 | | - } |
98 | | - ] |
| 101 | + }, |
| 102 | + "additionalProperties": false |
99 | 103 | } |
| 104 | + ] |
100 | 105 | } |
| 106 | + } |
101 | 107 | } |
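Review bot: The new `format` description at new line 12 has a grammar slip in its paragraph on format 0, `However, is the only machine-readable data source available on stable Rust as of v1.88.`, which should read `However, it is the only machine-readable data source available on stable Rust as of v1.88.`. The same property declares `"format": "uint32"` with only `"minimum": 0.0`; because `format` is an annotation that most validators do not enforce, an explicit `"maximum": 4294967295` would pin the u32 range for anyone validating embedded audit data against this schema (if the file is emitted by schemars, the bound belongs on the Rust type rather than in a hand edit here). Separately, the `dependencies` description at new line 42 says each entry is an index into the `packages` array but does not say that consumers must reject out-of-range indices or cyclic references; since audit tooling reads this data out of arbitrary binaries, a sentence such as `Consumers must check that every index is below the length of the packages array and guard against cycles, since the schema cannot express either constraint.` would make that contract explicit. The schema is the whole file, so no definition is cut by the hunk.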