Update gix/codespan-reporting

Cargo.toml

@@ -56,8 +56,8 @@ cfg-expr = "0.20"
 # Argument parsing, kept aligned with cargo
 clap = { version = "4.5", features = ["derive", "env"] }
 # Used for diagnostic reporting
-codespan = { version = "0.12", features = ["serialization"] }
-codespan-reporting = { version = "0.12", features = ["serialization"] }
+codespan = { version = "0.13", features = ["serialization"] }
+codespan-reporting = { version = "0.13", features = ["serialization"] }
 # Brrrrr
 crossbeam = "0.8"
 # Logging utilities
@@ -107,7 +107,7 @@ spdx = "0.12"
 # Lazy
 strum = { version = "0.27", features = ["derive"] }
 # Index retrieval and querying
-tame-index = { version = "0.23", default-features = false, features = [
+tame-index = { version = "0.24", default-features = false, features = [
   "git",
   "local",
   "sparse",
@@ -118,7 +118,7 @@ time = { version = "0.3", default-features = false, features = [
   "macros",
 ] }
 # Deserialization of configuration files and crate manifests
-toml-span = { version = "0.5", features = ["reporting"] }
+toml-span = { version = "0.6", features = ["reporting"] }
 # Small fast hash crate
 twox-hash = { version = "2.1", default-features = false, features = ["xxhash32"] }
 # Url parsing/manipulation
@@ -128,7 +128,7 @@ walkdir = "2.3"
 
 # We clone/fetch advisory databases
 [dependencies.gix]
-version = "0.73"
+version = "0.74"
 default-features = false
 features = [
   "blocking-http-transport-reqwest",
@@ -142,9 +142,9 @@ features = [
 fs_extra = "1.3"
 # Snapshot testing
 insta = { version = "1.43", features = ["json"] }
-tame-index = { version = "0.23", features = ["local-builder"] }
+tame-index = { version = "0.24", features = ["local-builder"] }
 time = { version = "0.3", features = ["serde"] }
-toml-span = { version = "0.5", features = ["serde"] }
+toml-span = { version = "0.6", features = ["serde"] }
 # We use this for creating fake crate directories for crawling license files on disk
 tempfile = "3.17"
 # divan = "0.1"

deny.toml

@@ -29,7 +29,8 @@ deny = [
 skip = [
     { crate = "[email protected]", reason = "reqwest -> system-configuration uses this old version" },
     { crate = "[email protected]", reason = "ring uses this old version" },
-    { crate = "[email protected]", reason = "gix uses this old version" },
+    { crate = "[email protected]", reason = "petgraph uses this old version" },
+    { crate = "[email protected]", reason = "hashbrown 0.15 uses this old version" },
 ]
 skip-tree = [
     { crate = "windows-sys", reason = "a foundational crate for many that bumps far too frequently to ever have a shared version" },

examples/09_bans/deny.toml

@@ -1,7 +1,8 @@
+[graph]
 targets = [
-    { triple = "x86_64-unknown-linux-musl" },
-    { triple = "x86_64-pc-windows-msvc" },
-    { triple = "x86_64-apple-darwin" },
+    "x86_64-unknown-linux-musl",
+    "x86_64-pc-windows-msvc",
+    "x86_64-apple-darwin",
 ]
 
 [bans]

src/advisories/helpers/db.rs

@@ -331,7 +331,7 @@ fn fetch_and_checkout(repo: &mut gix::Repository) -> anyhow::Result<()> {
         .context("unable to checkout, repository is bare")?;
     let root_tree = repo
         .head()?
-        .try_peel_to_id_in_place()?
+        .try_peel_to_id()?
         .context("unable to peel HEAD")?
         .object()
         .context("HEAD commit not downloaded from remote")?

src/cargo-deny/common.rs

@@ -410,7 +410,7 @@ impl OutputLock<'_, '_> {
                     return;
                 }
 
-                let _ = term::emit(l, &cfg.config, files, &diag);
+                let _ = term::emit_to_write_style(l, &cfg.config, files, &diag);
             }
             Self::Json(_cfg, max, w) => {
                 if diag.severity < *max {
@@ -464,7 +464,7 @@ impl OutputLock<'_, '_> {
                         }
                     }
 
-                    let _ = term::emit(l, &cfg.config, files, &diag.diag);
+                    let _ = term::emit_to_write_style(l, &cfg.config, files, &diag.diag);
                 }
             }
             Self::Json(cfg, max, w) => {

src/diag.rs

@@ -732,7 +732,8 @@ lines
         }
 
         for diag in diags {
-            codespan_reporting::term::emit(&mut term, &config, &files, &diag).unwrap();
+            codespan_reporting::term::emit_to_write_style(&mut term, &config, &files, &diag)
+                .unwrap();
         }
 
         insta::assert_snapshot!(String::from_utf8(term.into_inner()).unwrap());

src/sarif/collector.rs

@@ -268,7 +268,10 @@ impl SarifCollector {
         SarifLog {
             runs: vec![Run {
                 tool: Tool {
-                    driver: Driver { rules },
+                    driver: Driver {
+                        rules,
+                        version: None,
+                    },
                 },
                 results,
             }],

src/sarif/model.rs

@@ -35,6 +35,7 @@ pub struct Tool {
 
 pub struct Driver {
     pub rules: Vec<Rule>,
+    pub version: Option<semver::Version>,
 }
 
 impl Serialize for Driver {
@@ -44,8 +45,13 @@ impl Serialize for Driver {
     {
         let mut m = serializer.serialize_map(Some(4))?;
         m.serialize_entry("name", "cargo-deny")?;
-        m.serialize_entry("version", env!("CARGO_PKG_VERSION"))?;
-        m.serialize_entry("semanticVersion", env!("CARGO_PKG_VERSION"))?;
+        if let Some(v) = &self.version {
+            m.serialize_entry("version", &v)?;
+            m.serialize_entry("semanticVersion", &v)?;
+        } else {
+            m.serialize_entry("version", env!("CARGO_PKG_VERSION"))?;
+            m.serialize_entry("semanticVersion", env!("CARGO_PKG_VERSION"))?;
+        }
         m.serialize_entry("rules", &self.rules)?;
         m.end()
     }

src/test_utils.rs

@@ -203,7 +203,7 @@ pub(crate) fn write_diagnostics(
     let config = crate::diag::codespan_config();
 
     for diag in errors {
-        codespan_reporting::term::emit(&mut s, &config, files, &diag).unwrap();
+        codespan_reporting::term::emit_to_write_style(&mut s, &config, files, &diag).unwrap();
     }
 
     String::from_utf8(s.into_inner()).unwrap()

tests/sarif.rs

@@ -78,6 +78,10 @@ where
         }
     }
 
+    // Use a single version in tests so we don't have to bump snapshots every time
+    // we bump versions
+    sl.runs[0].tool.driver.version = Some(semver::Version::new(9, 9, 9));
+
     serde_json::to_value(sl).expect("failed to serialize Sarif results")
 }
 

tests/snapshots/sarif__sarif_advisories.snap

@@ -424,8 +424,8 @@ expression: s
               }
             }
           ],
-          "semanticVersion": "0.18.4",
-          "version": "0.18.4"
+          "semanticVersion": "9.9.9",
+          "version": "9.9.9"
         }
       }
     }

tests/snapshots/sarif__sarif_bans.snap

@@ -380,8 +380,8 @@ expression: s
               }
             }
           ],
-          "semanticVersion": "0.18.4",
-          "version": "0.18.4"
+          "semanticVersion": "9.9.9",
+          "version": "9.9.9"
         }
       }
     }

tests/snapshots/sarif__sarif_licenses.snap

@@ -172,8 +172,8 @@ expression: s
               }
             }
           ],
-          "semanticVersion": "0.18.4",
-          "version": "0.18.4"
+          "semanticVersion": "9.9.9",
+          "version": "9.9.9"
         }
       }
     }

tests/snapshots/sarif__sarif_sources.snap

@@ -102,8 +102,8 @@ expression: s
               }
             }
           ],
-          "semanticVersion": "0.18.4",
-          "version": "0.18.4"
+          "semanticVersion": "9.9.9",
+          "version": "9.9.9"
         }
       }
     }