Cargo fingerprint doesn't include SBOM

[tofay]

Problem

If you do a build without setting CARGO_BUILD_SBOM=true, then do the same build except this time setting CARGO_BUILD_SBOM=true, then no SBOM is generated.

Actual behaviour

$ cargo init foo
$ cd foo
$ cargo +nightly build
...
$ CARGO_BUILD_SBOM=true cargo +nightly -Z sbom build
...
$ ls target/debug/
build  deps  examples  foo  foo.d  incremental

Expected behaviour

I expect the second build to generate an SBOM file for foo.

Steps

No response

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.89.0-nightly (fc1518ef0 2025-06-06)

[tofay]

@arlosi do you know why SBOM outputs aren't included in fingerprint? Fix seems simple, tofay@97252f0, but I'm not sure of the rationale behind the existing behaviour.

[epage]

Hmm, we explicitly excluded sboms from fingerprinting. @arlosi do you remember why this was done?

[Shnatsel]

According to git blame this line has not been modified since #13709 which added the SBOM feature in the first place, and there are no mentions of fingerprint in the discussion on that PR. So no rationale was ever written down, as far as I can tell.

[Shnatsel]

In #13709 there are multiple places where the sequence FileFlavor::DebugInfo || output.flavor == FileFlavor::Auxiliary was replaced with FileFlavor::DebugInfo | FileFlavor::Auxiliary | FileFlavor::Sbom. It is possible that the change to the fingerprinting was done by mistake as part of a search-and-replace operation.