Closed
This can be reproduced by building cargo-auditable itself using `cargo auditable build`, and then extracting the audit data. The `proc-macro2` dependency will be recorded as a runtime dependency, not a build dependency.
This happens because `cargo metadata` that we rely on to retrieve information about the build reports these dependencies as runtime rather than build-time.
There is nothing we can do about this on stable short of parsing the output of `cargo tree`, and I'm not sure I'm willing to go to such lengths.
On nightly, `-Z sbom` accurately reports proc macros and we don't run into that issue at all.