Enforce pkgid and sbom consistency

clarify fully qualified package ID usage in docs

Author: tofay

src/doc/src/reference/pkgid-spec.md

@@ -9,13 +9,19 @@ is a string which is used to uniquely refer to one package within a graph of
 packages.
 
 The specification may be fully qualified, such as
-`https://github.com/rust-lang/crates.io-index#regex@1.4.3` or it may be
+`registry+https://github.com/rust-lang/crates.io-index#regex@1.4.3` or it may be
 abbreviated, such as `regex`. The abbreviated form may be used as long as it
 uniquely identifies a single package in the dependency graph. If there is
 ambiguity, additional qualifiers can be added to make it unique. For example,
 if there are two versions of the `regex` package in the graph, then it can be
 qualified with a version to make it unique, such as `regex@1.4.3`.
 
+Fully qualified package ID specifications are output by Cargo in:
+* [cargo pkgid](../commands/cargo-pkgid.md)
+* [cargo metadata](../commands/cargo-metadata.md)
+* [compiler artifact json messages](./external-tools.md#json-messages)
+* [SBOM pre-cursor files](./unstable.md#sbom)
+
 ### Specification grammar
 
 The formal grammar for a Package Id Specification is:

src/doc/src/reference/unstable.md

@@ -480,7 +480,7 @@ that are uplifted into the target or artifact directories.
   // crate is compiled differently (different opt-level, features, etc).
   "crates": [
     {
-      // Package ID specification
+      // Fully qualified package ID specification
       "id": "path+file:///sample-package#0.1.0",
       // List of target kinds: bin, lib, rlib, dylib, cdylib, staticlib, proc-macro, example, test, bench, custom-build
       "kind": ["bin"],

tests/testsuite/pkgid.rs

@@ -1,6 +1,9 @@
 //! Tests for the `cargo pkgid` command.
 
+use std::path::PathBuf;
+
 use crate::prelude::*;
+use cargo_test_support::basic_bin_manifest;
 use cargo_test_support::basic_lib_manifest;
 use cargo_test_support::compare::assert_e2e;
 use cargo_test_support::git;
@@ -291,11 +294,12 @@ Please re-run this command with one of the following specifications:
 // * Package ID specifications
 // * machine-readable message via `--message-format=json`
 // * `cargo metadata` output
+// * SBOMs
 #[cargo_test]
 fn pkgid_json_message_metadata_consistency() {
     let p = project()
-        .file("Cargo.toml", &basic_lib_manifest("foo"))
-        .file("src/lib.rs", "fn unused() {}")
+        .file("Cargo.toml", &basic_bin_manifest("foo"))
+        .file("src/main.rs", "fn main() {}")
         .file("build.rs", "fn main() {}")
         .build();
 
@@ -321,12 +325,6 @@ fn pkgid_json_message_metadata_consistency() {
     "reason": "build-script-executed",
     "...": "{...}"
   },
-  {
-    "manifest_path": "[ROOT]/foo/Cargo.toml",
-    "package_id": "path+[ROOTURL]/foo#0.5.0",
-    "reason": "compiler-message",
-    "...": "{...}"
-  },
   {
     "manifest_path": "[ROOT]/foo/Cargo.toml",
     "package_id": "path+[ROOTURL]/foo#0.5.0",
@@ -404,4 +402,53 @@ fn pkgid_json_message_metadata_consistency() {
             .is_json(),
         )
         .run();
+
+    p.cargo("build -Zsbom")
+        .env("CARGO_BUILD_SBOM", "true")
+        .masquerade_as_nightly_cargo(&["sbom"])
+        .run();
+
+    let path = {
+        let mut path = p.bin("foo").into_os_string();
+        path.push(".cargo-sbom.json");
+        PathBuf::from(path)
+    };
+
+    assert!(path.is_file());
+    let output = std::fs::read_to_string(&path).unwrap();
+    assert_e2e().eq(
+        output,
+        snapbox::str![[r#"
+{
+  "crates": [
+    {
+      "dependencies": [
+        {
+          "index": 1,
+          "kind": "build"
+        }
+      ],
+      "features": [],
+      "id": "path+[ROOTURL]/foo#0.5.0",
+      "kind": [
+        "bin"
+      ]
+    },
+    {
+      "dependencies": [],
+      "features": [],
+      "id": "path+[ROOTURL]/foo#0.5.0",
+      "kind": [
+        "custom-build"
+      ]
+    }
+  ],
+  "root": 0,
+  "rustc": "{...}",
+  "target": "[HOST_TARGET]",
+  "version": 1
+}
+"#]]
+        .is_json(),
+    );
 }