Cargo has made it possible to depend on the same version of a given crate with different feature sets, provided that one version is a runtime dependency and another is a build dependency.

cargo metadata does not support this. We use it as our data source, so we may sometimes erroneously report certain build-only dependencies as runtime dependencies.

This would be automatically fixed with a better data source, if Cargo emitted SBOM information directly: rust-lang/rfcs#3553

Until then it might be possible to work around the limitations of cargo metadata using the krates crate: EmbarkStudios/krates#91