This line relies on the `source` field from `cargo metadata` output:

cyclonedx-rust-cargo/cargo-cyclonedx/src/purl.rs, line 17 in 22cac58

```rust
if let Some(source) = &package.source {
```

This field is explicitly documented as opaque in https://doc.rust-lang.org/cargo/commands/cargo-metadata.html

It hasn't been changed yet, but we do rely on parsing it and it's a future compatibility hazard.

Since this code was written, the representation of the `id` field was changed and stabilized. We should check if the ID is the new format and if it is, extract the necessary data from it, otherwise fall back to `source` for old cargo versions that don't have the new `id` format but do have the known `source` representation that can't change retroactively.
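
One way to implement the check proposed above, as an added example that is not cargo-cyclonedx's code: `Origin` and `origin_of` are hypothetical names, the sample ids are constructed, and the pre-change id layout `name version (source)` is an assumption taken from older cargo output.

```rust
// Added example: prefer the stabilized `id` (a Package ID Spec), fall back to `source`.
// `Origin` and `origin_of` are hypothetical names, not part of cargo-cyclonedx.
#[derive(Debug, PartialEq)]
pub struct Origin {
    pub kind: String, // "registry", "sparse", "git" or "path"
    pub url: String,  // locator without the kind prefix; git query (?rev=...) is kept
}

/// Split "<kind>+<url>", accepting only source kinds we know how to map.
fn split_kind(locator: &str) -> Option<Origin> {
    let (kind, url) = locator.split_once('+')?;
    matches!(kind, "registry" | "sparse" | "git" | "path").then(|| Origin {
        kind: kind.to_string(),
        url: url.to_string(),
    })
}

pub fn origin_of(id: &str, source: Option<&str>) -> Option<Origin> {
    // New ids look like "<kind>+<url>#[<name>@]<version>" and contain no spaces.
    // Assumption: old ids look like "<name> <version> (<source>)" and do contain spaces.
    if !id.contains(' ') {
        if let Some((locator, _name_version)) = id.rsplit_once('#') {
            if let Some(origin) = split_kind(locator) {
                return Some(origin);
            }
        }
    }
    // Older cargo: parse `source`, dropping the "#<commit>" suffix git sources carry.
    // Path dependencies have no `source`, so this returns None for them.
    let src = source?;
    let locator = src.split_once('#').map_or(src, |(l, _)| l);
    split_kind(locator)
}

fn main() {
    // Constructed sample values, one per format.
    let new_id = "git+https://example.com/demo.git?branch=dev#demo@0.1.0";
    let old_id = "demo 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)";
    let old_src = Some("registry+https://github.com/rust-lang/crates.io-index");
    println!("{:?}", origin_of(new_id, None));
    println!("{:?}", origin_of(old_id, old_src));
}
```

Returning `None` for anything unrecognized lets the caller emit a purl without a repository qualifier rather than record a guessed origin in the SBOM.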