Support For Cargo Workspaces

[zicklag]

Summary

I should be able to run spdx-sbom-generator in a Cargo workspace.

Background

I've just tried out spdx-sbom-generator in my project, but it fails as follows:

➜ spdx-sbom-generator
INFO[2023-09-03T19:41:30-05:00] Starting to generate SPDX ...                
FATA[2023-09-03T19:41:31-05:00] Failed to initialize command: Failed to read root folder information. Please verify you can run `cargo pkgid`

The issue is that cargo pkgid is not applicable to a cargo workspace:

➜ cargo pkgid
error: manifest path `/home/zicklag/git/katharostech-github/chord9/Cargo.toml` is a virtual manifest, but this command requires running against an actual package in this workspace

User Story

• As a project maintainer, I want to be able to use spdx-sbom-generator in a Rust project that is made up of a Cargo workspace with multiple Rust crates in it.

Acceptance Criteria

I should be able to create a Rust workspace and run spdx-sbom-generator as follows:

mkdir example
cd example/
echo '[workspace]
members = ["crate1", "crate2"]' > Cargo.toml
cargo init --bin crate1
cargo init --bin crate2
cargo b
spdx-sbom-generator

References

• https://doc.rust-lang.org/stable/cargo/reference/workspaces.html

[nishakm]

Hi @zicklag, we're overhauling this project currently. The updated cargo parsers are here. I'm not sure if they work as you expect. Maybe @puerco can help.

[zicklag]

After doing research and evaluating my exact needs and existing tools, I think I'm going to create my own script for exporting the license notices that I need for attribution in my project, so don't worry too much about me, if you're already working on overhauling the project. :)