Broken CONTRIBUTING link for crate cargo-cyclonedx #8551

Closed
Olf0 opened this issue Apr 27, 2024 · 8 comments

Olf0 commented Apr 27, 2024

Current Behavior

"CONTRIBUTING" link is broken, because it points to https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/CONTRIBUTING.md

Expected Behavior

The "CONTRIBUTING" link should point at https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/main/CONTRIBUTING.md (note the added, required branch main) or even better to (jumping to the ID where the document begins) https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/main/CONTRIBUTING.md#contributing

Steps To Reproduce

  1. Go to: https://crates.io/crates/cargo-cyclonedx#contributing
  2. Click on: CONTRIBUTING
  3. See 404 error

Environment

  • Browser: Firefox ESR
  • OS: Ubuntu 20.04

Anything else?

Originally I intended to pose a pull request, hence I employed GitHub's code search to determine where the incorrect link is supplied from. To my surprise, neither this repository nor the cyclonedx-rust-cargo repository seems to contain this link:

  1. https://github.com/search?q=repo%3Arust-lang%2Fcrates.io%20https%3A%2F%2Fgithub.com%2FCycloneDX%2Fcyclonedx-rust-cargo%2Fblob%2FCONTRIBUTING.md&type=code
  2. https://github.com/search?q=repo%3ACycloneDX%2Fcyclonedx-rust-cargo%20https%3A%2F%2Fgithub.com%2FCycloneDX%2Fcyclonedx-rust-cargo%2Fblob%2FCONTRIBUTING.md&type=code

So this is either a structural (i.e. general) issue or another source is used to obtain this incorrect link.
Note that even searching all of GitHub for this link provides nothing relevant: https://github.com/search?q=https%3A%2F%2Fgithub.com%2FCycloneDX%2Fcyclonedx-rust-cargo%2Fblob%2FCONTRIBUTING.md&type=code

Turbo87 (Member) commented Apr 28, 2024

you might want to report this at https://github.com/CycloneDX/cyclonedx-rust-cargo/issues. the project/crate is not under our control.

Turbo87 closed this as not planned Apr 28, 2024

Eh2406 (Contributor) commented Apr 28, 2024

I don't know if there is anything we can do about it, but there is a way it's relevant to this repo.
The way the relative link in the source code https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/main/README.md#contributing is converted to an absolute link upon upload to crates.io is.

Turbo87 (Member) commented Apr 29, 2024

oh okay, I see...

the problem is still on their side though. their readme is pointing to the contributing file in the parent folder. crates.io iirc can handle that but only if cargo generates the scm metadata file, which this crate file does not appear to contain. I guess the crate might have been released from a dirty repository state, causing the metadata to be missing.

Olf0 (Author) commented Apr 30, 2024

@Turbo87, as you write …

> their readme is pointing to the contributing file in the parent folder. crates.io iirc can handle that but only if cargo generates the scm metadata file, which this crate file does not appear to contain.

…, can you please specify "crates.io iirc can handle that but only if cargo generates the scm metadata file" concisely.

Turbo87 (Member) commented Apr 30, 2024

an example of what I'm talking about is https://docs.rs/crate/serde/1.0.199/source/.cargo_vcs_info.json. this file is automatically generated by cargo when a crate is published unless there are any uncommitted changes in the git repository. in the serde case it includes the path_in_vcs key, which we use to figure out relative paths within the repository. if you check the cargo-cyclonedx crate you can see that such a file does not exist, so we can't properly generate these links.
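
The check described in the comment above, as an added example that is not part of the original thread or of crates.io's code: it looks for `.cargo_vcs_info.json` in a crate archive and resolves the README's relative link with and without `path_in_vcs`. The `demo` crate, its all-zero commit hash and the `blob/HEAD/` base URL are constructed assumptions.

```python
import io
import json
import tarfile
from urllib.parse import urljoin

def build_crate(prefix, vcs_info=None):
    """Build a constructed in-memory .crate (gzip tar) for the demo."""
    files = {f"{prefix}/README.md": b"[CONTRIBUTING](../CONTRIBUTING.md)\n"}
    if vcs_info is not None:
        files[f"{prefix}/.cargo_vcs_info.json"] = json.dumps(vcs_info).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_vcs_info(crate_bytes):
    """Return the parsed .cargo_vcs_info.json, or None if the archive lacks it."""
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # Crate archives keep every file under one "<name>-<version>/" directory.
            if len(parts) == 2 and parts[1] == ".cargo_vcs_info.json":
                return json.load(tar.extractfile(member))
    return None

def resolve_readme_link(repo_url, vcs_info, link):
    """Resolve a README link against the repository.
    Assumption: relative links are anchored at <repo>/blob/HEAD/<path_in_vcs>/."""
    path_in_vcs = (vcs_info or {}).get("path_in_vcs", "")
    base = repo_url.rstrip("/") + "/blob/HEAD/"
    if path_in_vcs:
        base += path_in_vcs.strip("/") + "/"
    return urljoin(base, link)  # absolute links pass through unchanged

REPO = "https://github.com/CycloneDX/cyclonedx-rust-cargo"
# Constructed samples: one archive with VCS metadata, one without it.
clean = build_crate("demo-0.1.0", {"git": {"sha1": "0" * 40}, "path_in_vcs": "demo"})
dirty = build_crate("demo-0.1.0")

for label, crate in (("with metadata", clean), ("without metadata", dirty)):
    info = read_vcs_info(crate)
    print(label, "->", resolve_readme_link(REPO, info, "../CONTRIBUTING.md"))
```

Without the metadata the `../` step consumes the ref segment of the base URL, which reproduces the broken link from the report.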

Olf0 (Author) commented May 10, 2024

@Turbo87 and @Eh2406, I am a little bit lost here: I created a detailed bug report which describes a valid and undisputed issue. Aside from the question of whose fault this is (which was solely posed by @Turbo87), this issue definitely causes a broken link to be embedded at crates.io, hence this issue does affect crates.io. Thus the dismissal "go away, file this somewhere else", immediately followed by closing this issue, came as a bit of a surprise.

Still, although I know almost nothing about Rust, I would like to understand what is going wrong here. Hence I performed some research to comprehend your (@Turbo87) most recent comment; I would appreciate a brief comment on whether this correctly captures what you (@Turbo87) meant:

Because there is no .cargo_vcs_info.json file at https://docs.rs/crate/cargo-cyclonedx/0.5.0/source/ you suspect that cargo-package was called with the option --allow-dirty when building the crate cargo-cyclonedx.
Correct?

Unfortunately there is no call of cargo-package in cargo-cyclonedx's CI/CD configuration or anywhere else in that git repository, as a code search shows.
Edit: Ultimately I found the option --allow-dirty provided to this cargo publish call. Can you confirm my assessment that this likely is the culprit?
I guess I should have searched for --allow-dirty in the first place, because it reveals two hits.

P.S.: Interestingly the LICENSE link is constructed correctly, even though it seems to be created by the same mechanism of crates.io!?!

Olf0 added a commit to Olf0/cyclonedx-rust-cargo that referenced this issue May 10, 2024

Turbo87 (Member) commented May 11, 2024

> you suspect that cargo-package was called with the option --allow-dirty

yes, either cargo package or cargo publish (which implicitly calls cargo package)

> Ultimately I found the option --allow-dirty provided to this cargo publish call. Can you confirm my assessment that this likely is the culprit?

yep, that is most likely the cause of the problem

> Interestingly the LICENSE link is constructed correctly, even though it seems to be created by the same mechanism of crates.io!?!

the license link is an absolute link in their README, while the contributing link is a relative one.

Olf0 added a commit to Olf0/cyclonedx-rust-cargo that referenced this issue May 25, 2024
… from `cargo publish` call and expand CI step names.  This should (really) close rust-lang/crates.io#8551 , see there for details.
Signed-off-by: olf <[email protected]>
Olf0 added a commit to Olf0/cyclonedx-rust-cargo that referenced this issue May 25, 2024
* [deploy_cargo_cyclonedx.yml] Remove `--allow-dirty` option …
  … from `cargo publish` call and expand CI step names.  This should (really) close rust-lang/crates.io#8551 , see there for details.
  Signed-off-by: olf <[email protected]>

* [deploy_cyclonedx_bom.yml] Remove `--allow-dirty` option …
  … from `cargo publish` call and expand CI step names.  This should (really) close rust-lang/crates.io#8551 , see there for details.
  Signed-off-by: olf <[email protected]>

---------

Signed-off-by: olf <[email protected]>

Olf0 (Author) commented Jun 6, 2024

Lastly fixed by CycloneDX/cyclonedx-rust-cargo#724
