Run cargo update on the runtime lockfiles and the SDK lockfile (#4562)

In addition to updating lockfiles, this PR updates `sdk-lockfiles` tool
to
1. renew the contents of `false-positives.txt`
2. update audit error message so it displays which crate uses the
offending dependency

For 1, `chacha20` is flagged as not contained in SDK lockfile. Running
`cargo tree -i chacha20` in `smithy-rs/rust-runtime` gives
```
chacha20 v0.10.0
└── rand v0.10.0
    └── uuid v1.22.0
        ├── aws-smithy-http-server v0.66.3 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-http-server)
        │   └── aws-smithy-http-server-metrics v0.1.2 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-http-server-metrics)
        └── cbor-diag v0.1.12
            └── aws-smithy-protocol-test v0.63.14 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-protocol-test)
                └── aws-smithy-http-client v1.1.12 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-http-client)
                    └── aws-smithy-mocks v0.2.6 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-mocks)
                [dev-dependencies]
                └── aws-smithy-xml v0.60.15 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-xml)
                    ├── aws-smithy-http-server v0.66.3 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-http-server) (*)
                    ├── aws-smithy-http-server-python v0.67.1 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-http-server-python)
                    ├── aws-smithy-legacy-http-server v0.65.14 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-legacy-http-server)
                    │   └── aws-smithy-http-server-python v0.67.1 (/Users/awsaito/src/smithy-rs/rust-runtime/aws-smithy-http-server-python)
                    └── inlineable v0.1.0 (/Users/awsaito/src/smithy-rs/rust-runtime/inlineable)
```
`chacha20 `only exists in `rust-runtime/Cargo.lock` because of feature
unification — the server crates enable `uuid/fast-rng` which activates
rand across the whole workspace. In the SDK workspace, uuid resolves
without rand, so `chacha20` is never needed.

For 2, while investigating 1 it became clear that showing the source
dependency crate makes it much easier to add entries to
`false-positives.txt`.
```
`chacha20` (0.10.0), used by `rust-runtime/Cargo.lock`, is not contained in the SDK lockfile! (brought in by `aws-smithy-xml`)
`chacha20` (0.10.0), used by `rust-runtime/Cargo.lock`, is not contained in the SDK lockfile! (brought in by `aws-smithy-protocol-test`)
`chacha20` (0.10.0), used by `rust-runtime/Cargo.lock`, is not contained in the SDK lockfile! (brought in by `aws-smithy-mocks`)
`chacha20` (0.10.0), used by `rust-runtime/Cargo.lock`, is not contained in the SDK lockfile! (brought in by `aws-smithy-http-client`)
`chacha20` (0.10.0), used by `rust-runtime/Cargo.lock`, is not contained in the SDK lockfile! (brought in by `aws-smithy-runtime`)
`chacha20` (0.10.0), used by `rust-runtime/Cargo.lock`, is not contained in the SDK lockfile! (brought in by `aws-smithy-dns`)
```

---------

Co-authored-by: ysaito1001 <awsaito@amazon.com>

Author: aws-sdk-rust-ci

aws/rust-runtime/Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "sdk-lockfiles"
-version = "0.1.5"
+version = "0.1.6"
 authors = ["AWS Rust SDK Team <aws-sdk-rust@amazon.com>"]
 description = """
 A CLI tool to audit lockfiles for Smithy runtime crates, AWS runtime crates, `aws-config`, and the workspace containing

aws/rust-runtime/aws-config/Cargo.lock

@@ -1,13 +1,6 @@
-aws-smithy-experimental -> pin-project
-aws-smithy-experimental -> pin-project-internal
-aws-runtime -> wit-bindgen-rt
-aws-smithy-http-client -> sync_wrapper
-aws-smithy-mocks -> sync_wrapper
-aws-smithy-runtime -> sync_wrapper
-aws-smithy-http-server -> sync_wrapper
-aws-smithy-http-server -> metrique-service-metrics
-aws-smithy-http-server -> metrique-timesource
-aws-smithy-http-server -> metrique-writer
-aws-smithy-http-server -> metrique-writer-core
-aws-smithy-http-server -> metrique-writer-format-emf
-aws-smithy-http-server -> metrique-writer-macro
+aws-smithy-xml -> chacha20
+aws-smithy-protocol-test -> chacha20
+aws-smithy-mocks -> chacha20
+aws-smithy-http-client -> chacha20
+aws-smithy-runtime -> chacha20
+aws-smithy-dns -> chacha20

aws/sdk/Cargo.lock

@@ -15,7 +15,6 @@ use std::collections::HashSet;
 use std::env;
 use std::fmt;
 use std::hash::{Hash, Hasher};
-use std::iter;
 use std::path::PathBuf;
 use std::str::FromStr;
 use std::sync::LazyLock;
@@ -27,6 +26,7 @@ use std::sync::LazyLock;
 // This dependency might be an indirect dependency, meaning that the crate `from` transitively depends on the crate `to`.
 // Given collected `SuspectDependency` instances, the `audit` subcommand refers to `FALSE_POSITIVES` to determine
 // whether a `SuspectDependency` should be reported as an audit error.
+#[derive(Clone)]
 struct SuspectDependency {
     from: Package,
     to: Package,
@@ -46,7 +46,7 @@ impl fmt::Debug for SuspectDependency {
 impl PartialEq for SuspectDependency {
     fn eq(&self, other: &Self) -> bool {
         // `true` if two `SuspectDependency` share the same names `from`s and `to`s, ignoring package versions.
-        self.from.name == other.from.name || self.to.name == other.to.name
+        self.from.name == other.from.name && self.to.name == other.to.name
     }
 }
 
@@ -235,16 +235,9 @@ fn audit_runtime_lockfile_covered_by_sdk_lockfile<'a>(
         }
     }
     if let Some(false_positives) = false_positives {
-        // Any entry in `false_positives` that is not reported in `suspect_dependencies` may be removed,
-        // as it is no longer considered a false positive.
-        for fp in false_positives.difference(&suspect_dependencies) {
-            tracing::warn!("{fp:?} may potentially be removed from `{false_positives:?}`");
-        }
         suspect_dependencies.retain(|dep| !false_positives.contains(dep));
-        suspect_dependencies
-    } else {
-        suspect_dependencies
     }
+    suspect_dependencies
 }
 
 fn lockfile_for(
@@ -282,38 +275,46 @@ pub(super) fn audit(args: AuditArgs) -> Result<()> {
         lockfile_for(smithy_rs_root, "aws/rust-runtime/aws-config/Cargo.lock")?,
     ];
 
-    let mut crates_to_report: Vec<(Package, &str)> = Vec::new();
+    let mut crates_to_report: Vec<(Package, Package, &str)> = Vec::new();
+    let mut all_suspect_dependencies: HashSet<SuspectDependency> = HashSet::new();
 
     for (runtime_lockfile, path) in &runtime_lockfiles {
         tracing::info!(
             "checking whether `{}` is covered by the SDK lockfile...",
             path
         );
 
-        let crates_uncovered_by_sdk = audit_runtime_lockfile_covered_by_sdk_lockfile(
+        let mut crates_uncovered_by_sdk = audit_runtime_lockfile_covered_by_sdk_lockfile(
             runtime_lockfile,
             &sdk_dependency_set,
-            Some(&FALSE_POSITIVES),
+            None,
         );
+        all_suspect_dependencies.extend(crates_uncovered_by_sdk.iter().cloned());
+        crates_uncovered_by_sdk.retain(|dep| !FALSE_POSITIVES.contains(dep));
 
         crates_to_report.extend(
             crates_uncovered_by_sdk
                 .into_iter()
-                .map(|c| c.to)
-                .zip(iter::repeat(*path)),
+                .map(|c| (c.from, c.to, *path)),
         );
     }
 
+    // Warn about false-positive entries that are no longer needed
+    for fp in FALSE_POSITIVES.difference(&all_suspect_dependencies) {
+        tracing::warn!("{fp:?} may potentially be removed from `false-positives.txt`");
+    }
+
     if crates_to_report.is_empty() {
         println!("SUCCESS");
         Ok(())
     } else {
-        for (pkg, origin_lockfile) in crates_to_report {
+        for (from, to, origin_lockfile) in &crates_to_report {
             eprintln!(
-                "`{}` ({}), used by `{}`, is not contained in the SDK lockfile!",
-                pkg.name.as_str(),
-                pkg.version,
+                "`{}` ({}), used by `{}`, is not contained in the SDK lockfile! (brought in by `{}`)",
+                to.name.as_str(),
+                to.version,
                 origin_lockfile,
+                from.name.as_str(),
             );
         }
         bail!("there are lockfile audit failures")