[package]
# Key order follows the Cargo style guide: name, version, the rest
# alphabetically, description last.
name = "bomdrift"
version = "0.9.9"
categories = ["command-line-utilities", "development-tools"]
documentation = "https://docs.rs/bomdrift"
# Edition 2024 selects Cargo's MSRV-aware resolver by default, so the
# `rust-version` below also steers dependency version selection rather
# than only gating the compiler.
edition = "2024"
# Packaging is deny-list based (`exclude`); Cargo's `include` would be the
# stricter allow-list. Either way, run `cargo package --list` before a
# release so nothing unexpected (scratch fixtures, local config, secrets)
# rides along in the published tarball.
# What is cut, and why:
# - tests/ (~2.7 MB of fixtures taken from upstream projects): people who
#   `cargo install` never run `cargo test`.
# - docs/ (~2.6 MB of mdbook source): served separately from
#   https://metbcy.github.io/bomdrift/.
# - examples/, benches/, fuzz/: irrelevant to `cargo install`.
# - comment-suppress/, action.yml, entrypoint.sh: the GitHub Action
#   surface, shipped via the Marketplace and the cosign-signed release
#   archives rather than the crate.
# - .github/, scripts/: repository-only metadata.
# data/ is deliberately NOT listed: `src/enrich/typosquat.rs` embeds its
# contents with `include_str!` at build time, so the crate must carry it.
exclude = [
  "tests/",
  "docs/",
  "examples/",
  "benches/",
  "fuzz/",
  "comment-suppress/",
  "scripts/",
  ".github/",
  "action.yml",
  "entrypoint.sh",
  "STATUS.md",
  "CODE_OF_CONDUCT.md",
  "CONTRIBUTING.md",
]
homepage = "https://metbcy.github.io/bomdrift/"
keywords = ["sbom", "security", "supply-chain", "cyclonedx", "spdx"]
license = "Apache-2.0"
readme = "README.md"
repository = "https://github.com/Metbcy/bomdrift"
rust-version = "1.88"
description = "SBOM diff with supply-chain risk signals (CVEs, typosquats, maintainer-age)."

[package.metadata.docs.rs]
# Make every conditionally compiled item visible in the rendered docs
# (no-op today since bomdrift has no `[features]` block, but
# future-proofs the feature-flag story).
all-features = true
# Lets the source gate doc-only attributes on `#[cfg(docsrs)]`.
# NOTE(review): if rustc reports `docsrs` as an unexpected cfg once such
# gates appear, declare it under `[lints.rust] unexpected_cfgs`.
rustdoc-args = ["--cfg", "docsrs"]

# Library and binary targets share the package name. Both `path` values
# are Cargo's defaults (src/lib.rs, src/main.rs), spelled out for
# explicitness; the library surface is what other crates can depend on,
# the binary is what `cargo install` ships.
[lib]
name = "bomdrift"
path = "src/lib.rs"

[[bin]]
name = "bomdrift"
path = "src/main.rs"

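[dependencies]
# Sorted alphabetically per the Cargo style guide; per-crate notes sit
# directly above the line they describe.
#
# Only spdx is pinned exactly. Everything else floats within its semver
# range, and `cargo install` resolves fresh from the registry unless the
# user passes `--locked`. Advertise `cargo install --locked bomdrift` so
# users get the dependency set that CI actually tested.
anyhow = "1"
base64 = { version = "0.22", default-features = false, features = ["std"] }
clap = { version = "4.5", features = ["derive"] }
directories = "6"
owo-colors = { version = "4", features = ["supports-colors"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
sha2 = { version = "0.10", default-features = false }
# Exact-pinned on purpose: SPDX list updates can shift
# LicenseId::is_gnu() / is_osi_approved() membership and silently change
# license-policy results. Bump deliberately and call it out in the
# changelog. Caveat: bomdrift is also a library (see [lib]), so the `=`
# pin propagates to downstream crates and fails resolution against any
# sibling that requires a different exact spdx 0.10.x.
spdx = { version = "=0.10.9", default-features = false }
strsim = "0.11"
supports-color = "3"
thiserror = "2"
time = { version = "0.3", default-features = false, features = ["serde", "parsing", "formatting", "macros", "std"] }
toml = "0.8"
# HTTP client for the remote risk-signal look-ups. Keep the default
# features: ureq 2 enables its (rustls-backed) TLS support through them,
# so `default-features = false` would break HTTPS requests. Every remote
# response is untrusted input — NOTE(review): confirm the call sites
# bound the body size before handing it to serde_json.
ureq = { version = "2", features = ["json"] }
# Robust child-process timeout for src/plugin.rs, replacing a hand-rolled
# polling loop with a Windows-aware wait_timeout call (v0.9.7+). Tiny
# single-purpose crate (~50 kB); as of 0.2.x its only transitives are the
# platform FFI bindings (libc on Unix, the Windows API crate on Windows)
# — confirm with `cargo tree -p wait-timeout` when auditing.
wait-timeout = "0.2"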

[dev-dependencies]
# Test- and bench-only; `cargo install` users never resolve or build
# these. criterion drives the [[bench]] targets below; html_reports is
# the only feature kept.
criterion = { version = "0.5", default-features = false, features = ["html_reports"] }
# Property-based tests.
proptest = "1"

# `harness = false` hands `main` to criterion; the default libtest harness
# would not run criterion benches. One target per benchmarked stage.
[[bench]]
name = "parse"
harness = false

[[bench]]
name = "diff"
harness = false

[[bench]]
name = "typosquat"
harness = false

[[bench]]
name = "render"
harness = false

[profile.release]
# `true` is "symbols": drops debuginfo AND the symbol table, so panic
# backtraces from users arrive without function names. Switch to
# `strip = "debuginfo"` if symbolicated bug reports matter more than the
# size win. Stripping is a size measure, not a hardening one.
strip = true
# Thin LTO: most of fat LTO's cross-crate inlining and dead-code removal
# at a fraction of the link time.
lto = "thin"
# One codegen unit maximises intra-crate optimisation at the cost of
# parallel compilation; fine for a release build.
codegen-units = 1