Clarify package ID specifications in SBOMs are fully qualified (#15731)

weihanglo · web-flow · commit 425af553261b · 2025-07-05T22:44:26.000Z
### What does this PR try to resolve? cargo-auditable 0.7.0 will use the unstable Cargo SBOM precursor files if a user configures Cargo to generate the SBOM files. cargo-auditable assumes that the package ID specifiers in Cargo SBOM files are fully qualified. We'd like to enforce this assumption in Cargo so we can keep our package ID spec parsing simpler by not considering non-fully qualified package ID specs. This PR updates the cargo docs to state where fully qualified package ID specs are used, and also adds SBOMs to the existing `cargo pkgid` test that is currently enforcing consistency between the various usages of fully qualified package id specs. Previously raised at [#t-cargo > sbom missing name, version, source @ 💬](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/sbom.20missing.20name.2C.20version.2C.20source/near/525443447) ### How to test and review this PR? Change doesn't affect current behaviour.
diff --git a/src/doc/src/reference/pkgid-spec.md b/src/doc/src/reference/pkgid-spec.md
@@ -9,13 +9,15 @@ is a string which is used to uniquely refer to one package within a graph of
 packages.
 
 The specification may be fully qualified, such as
-`https://github.com/rust-lang/crates.io-index#regex@1.4.3` or it may be
+`registry+https://github.com/rust-lang/crates.io-index#regex@1.4.3` or it may be
 abbreviated, such as `regex`. The abbreviated form may be used as long as it
 uniquely identifies a single package in the dependency graph. If there is
 ambiguity, additional qualifiers can be added to make it unique. For example,
 if there are two versions of the `regex` package in the graph, then it can be
 qualified with a version to make it unique, such as `regex@1.4.3`.
 
+Package ID specifications output by cargo, for example in [cargo metadata](../commands/cargo-metadata.md) output, are fully qualified.
+
 ### Specification grammar
 
 The formal grammar for a Package Id Specification is:
diff --git a/src/doc/src/reference/unstable.md b/src/doc/src/reference/unstable.md
@@ -480,7 +480,7 @@ that are uplifted into the target or artifact directories.
   // crate is compiled differently (different opt-level, features, etc).
   "crates": [
     {
-      // Package ID specification
+      // Fully qualified package ID specification
       "id": "path+file:///sample-package#0.1.0",
       // List of target kinds: bin, lib, rlib, dylib, cdylib, staticlib, proc-macro, example, test, bench, custom-build
       "kind": ["bin"],
diff --git a/tests/testsuite/pkgid.rs b/tests/testsuite/pkgid.rs
@@ -1,6 +1,9 @@
 //! Tests for the `cargo pkgid` command.
 
+use std::path::PathBuf;
+
 use crate::prelude::*;
+use cargo_test_support::basic_bin_manifest;
 use cargo_test_support::basic_lib_manifest;
 use cargo_test_support::compare::assert_e2e;
 use cargo_test_support::git;
@@ -291,11 +294,12 @@ Please re-run this command with one of the following specifications:
 // * Package ID specifications
 // * machine-readable message via `--message-format=json`
 // * `cargo metadata` output
+// * SBOMs
 #[cargo_test]
 fn pkgid_json_message_metadata_consistency() {
     let p = project()
-        .file("Cargo.toml", &basic_lib_manifest("foo"))
-        .file("src/lib.rs", "fn unused() {}")
+        .file("Cargo.toml", &basic_bin_manifest("foo"))
+        .file("src/main.rs", "fn main() {}")
         .file("build.rs", "fn main() {}")
         .build();
 
@@ -321,12 +325,6 @@ fn pkgid_json_message_metadata_consistency() {
     "reason": "build-script-executed",
     "...": "{...}"
   },
-  {
-    "manifest_path": "[ROOT]/foo/Cargo.toml",
-    "package_id": "path+[ROOTURL]/foo#0.5.0",
-    "reason": "compiler-message",
-    "...": "{...}"
-  },
   {
     "manifest_path": "[ROOT]/foo/Cargo.toml",
     "package_id": "path+[ROOTURL]/foo#0.5.0",
@@ -404,4 +402,53 @@ fn pkgid_json_message_metadata_consistency() {
             .is_json(),
         )
         .run();
+
+    p.cargo("build -Zsbom")
+        .env("CARGO_BUILD_SBOM", "true")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
+
+    let path = {
+        let mut path = p.bin("foo").into_os_string();
+        path.push(".cargo-sbom.json");
+        PathBuf::from(path)
+    };
+
+    assert!(path.is_file());
+    let output = std::fs::read_to_string(&path).unwrap();
+    assert_e2e().eq(
+        output,
+        snapbox::str![[r#"
+{
+  "crates": [
+    {
+      "dependencies": [
+        {
+          "index": 1,
+          "kind": "build"
+        }
+      ],
+      "features": [],
+      "id": "path+[ROOTURL]/foo#0.5.0",
+      "kind": [
+        "bin"
+      ]
+    },
+    {
+      "dependencies": [],
+      "features": [],
+      "id": "path+[ROOTURL]/foo#0.5.0",
+      "kind": [
+        "custom-build"
+      ]
+    }
+  ],
+  "root": 0,
+  "rustc": "{...}",
+  "target": "[HOST_TARGET]",
+  "version": 1
+}
+"#]]
+        .is_json(),
+    );
 }

Original file line number	Diff line number	Diff line change
`@@ -480,7 +480,7 @@ that are uplifted into the target or artifact directories.`
`480`	`480`	`// crate is compiled differently (different opt-level, features, etc).`
`481`	`481`	`"crates": [`
`482`	`482`	`{`
`483`		`- // Package ID specification`
	`483`	`+ // Fully qualified package ID specification`
`484`	`484`	`"id": "path+file:///sample-package#0.1.0",`
`485`	`485`	`// List of target kinds: bin, lib, rlib, dylib, cdylib, staticlib, proc-macro, example, test, bench, custom-build`
`486`	`486`	`"kind": ["bin"],`