Additional 1.85.0 fixup (#746)

This fixes an issue where crate sources were not being correctly
determined as crates.io when using cargo 1.85.0 due to the change in how
directory names are calculated, which would cause eg. workspace
dependency checks to fail.

The advisory databases no longer use tame_index to perform the directory
naming as it doesn't really make sense in the first place, so now it
just uses a similar method, but using xxhash instead which gives the
same properties as the cargo 1.85.0 change, namely that the hash is the
same for the same url regardless of the host platform
(endianness/pointer width/arch). It also now uses the last path
component as the start of the name which is a much nicer way to name the
directory.

This also updates to the rust-version to 1.85.0 and moves to edition
2024.

Author: Jake-Shadle

.github/workflows/ci.yaml

@@ -48,7 +48,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@master
         with:
-          toolchain: 1.81.0
+          toolchain: 1.85.0
           components: "clippy"
       - run: cargo fetch
       - name: cargo clippy

.gitmodules

@@ -1,6 +1,6 @@
-[submodule "tests/advisory-db/github.com-c046ebb82572a8ef"]
-	path = tests/advisory-db/github.com-c046ebb82572a8ef
+[submodule "tests/advisory-db/test-advisory-db-c27873b782cceedc"]
+	path = tests/advisory-db/test-advisory-db-c27873b782cceedc
 	url = https://github.com/EmbarkStudios/test-advisory-db
-[submodule "tests/advisory-db/github.com-9b36585d9d99f7b3"]
-	path = tests/advisory-db/github.com-9b36585d9d99f7b3
+[submodule "tests/advisory-db/advisory-db-3157b0e258782691"]
+	path = tests/advisory-db/advisory-db-3157b0e258782691
 	url = https://github.com/rustsec/advisory-db

CHANGELOG.md

@@ -8,6 +8,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Changed
+- [PR#746](https://github.com/EmbarkStudios/cargo-deny/pull/746) changed the directory naming of advisory databases, [again](https://github.com/EmbarkStudios/cargo-deny/pull/745), so the name uses the last path component and a different, but also stable, hashing algorithm. Eg. the default `https://github.com/rustsec/advisory-db` will now be placed in `$CARGO_HOME/advisory-dbs/advisory-db-3157b0e258782691`.
+- [PR#746](https://github.com/EmbarkStudios/cargo-deny/pull/746) changed the MSRV to 1.85.0 and uses edition 2024.
+
+### Fixed
+- [PR#746](https://github.com/EmbarkStudios/cargo-deny/pull/746) fixes an issue when using cargo 1.85.0 where source urls were not being properly assigned to crates.io due to the constant being used no longer matching the new path used in cargo 1.85.0 causing eg. workspace dependency checks to fail.
+
 ## [0.17.0] - 2025-02-20
 ### Changed
 - [PR#745](https://github.com/EmbarkStudios/cargo-deny/pull/745) updated `tame-index` to [0.18.0](https://github.com/EmbarkStudios/tame-index/releases/tag/0.18.0) so that cargo 1.85.0 is transparently supported along with older cargo versions.

Cargo.lock

@@ -7,15 +7,15 @@ authors = [
   "Embark <opensource@embark-studios.com>",
   "Jake Shadle <jake.shadle@embark-studios.com>",
 ]
-edition = "2021"
+edition = "2024"
 license = "MIT OR Apache-2.0"
 readme = "README.md"
 documentation = "https://docs.rs/cargo-deny"
 homepage = "https://github.com/EmbarkStudios/cargo-deny"
 categories = ["development-tools::cargo-plugins"]
 keywords = ["cargo", "license", "spdx", "ci", "advisories"]
 exclude = ["docs/", "examples/", ".github/", "tests"]
-rust-version = "1.81.0"
+rust-version = "1.85.0"
 
 [badges]
 maintenance = { status = "actively-developed" }
@@ -50,7 +50,7 @@ askalono = { version = "0.5", default-features = false }
 bitvec = { version = "1.0", features = ["alloc"] }
 # Much nicer paths
 camino = "1.1"
-cfg-expr = "0.17"
+cfg-expr = "0.18"
 # Allows us to do eg cargo metadata operations without relying on an external cargo
 #cargo = { version = "0.71", optional = true }
 # Argument parsing, kept aligned with cargo
@@ -77,7 +77,7 @@ goblin = { version = "0.9", default-features = false, features = [
 # We need to figure out HOME/CARGO_HOME in some cases
 home = "0.5"
 # Provides graphs on top of cargo_metadata
-krates = { version = "0.17", features = ["targets"] }
+krates = { version = "0.18", features = ["targets"] }
 # Log macros
 log = "0.4"
 # Faster char searching

Cargo.toml

@@ -1,4 +1,4 @@
-msrv = "1.84.1"
+msrv = "1.85.0"
 
 disallowed-types = [
     { path = "std::sync::Mutex", reason = "Use the faster & simpler non-poisonable primitives in `parking_lot` instead" },

clippy.toml

@@ -56,22 +56,8 @@ allow = [
 exceptions = [
     # Use exceptions for these as they only have a single user
     { allow = ["Zlib"], crate = "tinyvec" },
-    { allow = ["OpenSSL"], crate = "ring" },
 ]
 
-# Sigh
-[[licenses.clarify]]
-crate = "ring"
-# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
-# https://spdx.org/licenses/OpenSSL.html
-# ISC - Both BoringSSL and ring use this for their new files
-# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
-# license, for third_party/fiat, which, unlike other third_party directories, is
-# compiled into non-test libraries, is included below."
-# OpenSSL - Obviously
-expression = "ISC AND MIT AND OpenSSL"
-license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
-
 [[licenses.clarify]]
 crate = "webpki"
 expression = "ISC"

deny.toml

@@ -2,7 +2,7 @@ pub mod cfg;
 pub(crate) mod diags;
 mod helpers;
 
-use crate::{diag, LintLevel};
+use crate::{LintLevel, diag};
 pub use diags::Code;
 pub use helpers::{
     db::{AdvisoryDb, DbSet, Fetch, Id, Report},

src/advisories.rs

@@ -1,12 +1,13 @@
 use crate::{
+    LintLevel, PathBuf, Span, Spanned,
     cfg::{PackageSpecOrExtended, Reason, ValidationContext},
     diag::{Diagnostic, FileId, Label},
-    utf8path, LintLevel, PathBuf, Span, Spanned,
+    utf8path,
 };
 use anyhow::Context as _;
 use rustsec::advisory;
 use time::Duration;
-use toml_span::{de_helpers::*, value::ValueInner, Deserialize, Value};
+use toml_span::{Deserialize, Value, de_helpers::*, value::ValueInner};
 use url::Url;
 
 pub(crate) type AdvisoryId = Spanned<advisory::Id>;
@@ -465,7 +466,9 @@ fn parse_rfc3339_duration(value: &str) -> anyhow::Result<Duration> {
     // of the function
     for c in value.chars() {
         if c == ',' {
-            anyhow::bail!("'{c}' is valid in the RFC-3339 duration format but not supported by this implementation, use '.' instead");
+            anyhow::bail!(
+                "'{c}' is valid in the RFC-3339 duration format but not supported by this implementation, use '.' instead"
+            );
         }
 
         if c != '.' && c != 'T' && !c.is_ascii_digit() && !UNITS.iter().any(|(uc, _)| c == *uc) {
@@ -720,7 +723,7 @@ fn shellexpand(
 mod test {
 
     use super::{parse_rfc3339_duration as dur_parse, *};
-    use crate::test_utils::{write_diagnostics, ConfigData};
+    use crate::test_utils::{ConfigData, write_diagnostics};
 
     struct Advisories {
         advisories: Config,

src/advisories/cfg.rs

@@ -1,7 +1,7 @@
 use super::cfg::IgnoreId;
 use crate::{
-    diag::{Check, Diagnostic, FileId, Label, Pack, Severity},
     LintLevel,
+    diag::{Check, Diagnostic, FileId, Label, Pack, Severity},
 };
 use rustsec::advisory::{Informational, Metadata, Versions};
 
@@ -160,11 +160,13 @@ impl crate::CheckCtx<'_, super::cfg::ValidConfig> {
         let diag = pack.push(
             Diagnostic::new(severity)
                 .with_message(advisory.title.clone())
-                .with_labels(vec![Label::primary(
-                    self.krate_spans.lock_id,
-                    self.krate_spans.lock_span(&krate.id).total,
-                )
-                .with_message(message)])
+                .with_labels(vec![
+                    Label::primary(
+                        self.krate_spans.lock_id,
+                        self.krate_spans.lock_span(&krate.id).total,
+                    )
+                    .with_message(message),
+                ])
                 .with_code(code)
                 .with_notes(notes),
         );
@@ -185,11 +187,13 @@ impl crate::CheckCtx<'_, super::cfg::ValidConfig> {
                     krate.name
                 ))
                 .with_code(Code::Yanked)
-                .with_labels(vec![Label::primary(
-                    self.krate_spans.lock_id,
-                    self.krate_spans.lock_span(&krate.id).total,
-                )
-                .with_message("yanked version")]),
+                .with_labels(vec![
+                    Label::primary(
+                        self.krate_spans.lock_id,
+                        self.krate_spans.lock_span(&krate.id).total,
+                    )
+                    .with_message("yanked version"),
+                ]),
         );
 
         pack
@@ -212,11 +216,13 @@ impl crate::CheckCtx<'_, super::cfg::ValidConfig> {
         krate: &crate::Krate,
         error: D,
     ) -> Pack {
-        let mut labels = vec![Label::secondary(
-            self.krate_spans.lock_id,
-            self.krate_spans.lock_span(&krate.id).total,
-        )
-        .with_message("crate whose registry we failed to query")];
+        let mut labels = vec![
+            Label::secondary(
+                self.krate_spans.lock_id,
+                self.krate_spans.lock_span(&krate.id).total,
+            )
+            .with_message("crate whose registry we failed to query"),
+        ];
 
         // Don't show the config location if it's the default, since it just points
         // to the beginning and confuses users