From 534b05016a1142d1d3122a87df5042080ebd8035 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <tautschn@amazon.com>
Date: Thu, 5 Oct 2023 23:10:20 +0200
Subject: [PATCH] Limit --exclude to workspace packages (#2808)

Previously, --exclude would start from the set of all packages
referenced in a workspace, i.e., the workspace's packages plus any
dependencies. Without --exclude, we would at most look at all the
workspace's packages, so --exclude would result in possibly verifying a
larger set of packages.
---
 kani-driver/src/call_cargo.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kani-driver/src/call_cargo.rs b/kani-driver/src/call_cargo.rs
index 6bd6a0c35f38..66166913c9cb 100644
--- a/kani-driver/src/call_cargo.rs
+++ b/kani-driver/src/call_cargo.rs
@@ -319,8 +319,14 @@ fn packages_to_verify<'b>(
             .map(|pkg_name| metadata.packages.iter().find(|pkg| pkg.name == *pkg_name).unwrap())
             .collect()
     } else if !args.cargo.exclude.is_empty() {
+        // should be ensured by argument validation
+        assert!(args.cargo.workspace);
         validate_package_names(&args.cargo.exclude, &metadata.packages)?;
-        metadata.packages.iter().filter(|pkg| !args.cargo.exclude.contains(&pkg.name)).collect()
+        metadata
+            .workspace_packages()
+            .into_iter()
+            .filter(|pkg| !args.cargo.exclude.contains(&pkg.name))
+            .collect()
     } else {
         match (args.cargo.workspace, metadata.root_package()) {
             (true, _) | (_, None) => metadata.workspace_packages(),