Detect property to exclude Cargo dependencies #1421
Conversation
zahidblackduck
requested review from
dterrybd,
devmehtabd,
shantyk and
andrian-sevastyanov
.../src/main/java/com/blackduck/integration/detectable/detectables/cargo/CargoCliExtractor.java
Outdated
Show resolved
Hide resolved
.../main/java/com/blackduck/integration/detectable/detectables/cargo/parse/CargoTomlParser.java
Outdated
Show resolved
Hide resolved
| import java.util.ArrayList; | ||
| import java.util.List; | ||
| import java.util.Optional; | ||
| import java.util.*; |
There was a problem hiding this comment.
Another wildcard.
...ble/src/main/java/com/blackduck/integration/detectable/detectables/cargo/CargoExtractor.java
Outdated
Show resolved
Hide resolved
| List<CargoLockPackageData> filteredPackages = cargoLockPackageDataList; | ||
| String cargoTomlContents = FileUtils.readFileToString(cargoTomlFile, StandardCharsets.UTF_8); | ||
|
|
||
| if (cargoDetectableOptions != null) { |
There was a problem hiding this comment.
Instead of checking on cargoDetectableOptions object, can we check on dependencyTypeFilter instead? There could be more properties added to this detector in future not related to dependency exclusion.
There was a problem hiding this comment.
Ah, you're right. The actual filtering is handled by dependencyTypeFilter. This null check is just to verify whether any options were passed at all. The filtering logic using dependencyTypeFilter is applied later in the CargoTomlParser#parseDependenciesToExclude(..) method.
There was a problem hiding this comment.
I understand that, my only concern is that if in future lets say we add some new property for excluding workspaces as an example then those options will also be passed in CargoDetectableOptions, so we will make this unnecessary call to cargoTomlParser which is not required if no dependency exclusion is involved. I hope I made sense.
There was a problem hiding this comment.
The current code setup doesn't call the methods of CargoTomlParser if no dependency exclusion is involved. Nonetheless, I aim to address the issue that you pointed out in any future enhancement of cargo related issue.
There was a problem hiding this comment.
I know, currently your code is not getting executed if cargoDetectableOptions is null. It is not guaranteed that you are going to work on this in any future enhancement related to Cargo and it could be easily missed. I believe we should address this now, its a simple change and not a complicated ask.
There was a problem hiding this comment.
Okay, sure. I'll update accordingly.
| .setInfo("Cargo Dependency Types Excluded", DetectPropertyFromVersion.VERSION_10_5_0) | ||
| .setHelp( | ||
| "A comma-separated list of dependency types that will be excluded.", | ||
| "If DEV is excluded, the Cargo CLI Detector will exclude 'dev' dependencies when parsing the output of cargo tree." |
There was a problem hiding this comment.
Should be changed, since this is applicable to Lockfile Detector as well.
There was a problem hiding this comment.
It's a good find. I'll update.
| @@ -1,16 +1,22 @@ | |||
| package com.blackduck.integration.detectable.detectables.cargo.parse; | |||
|
|
|||
| import java.util.Optional; | |||
| import java.util.*; | |||
There was a problem hiding this comment.
Another wildcard import statement.
| .setInfo("Cargo Dependency Types Excluded", DetectPropertyFromVersion.VERSION_10_5_0) | ||
| .setHelp( | ||
| "A comma-separated list of dependency types that will be excluded.", | ||
| "The Cargo CLI Detector uses cargo tree flags to exclude the specified types, while the Cargo Lockfile Detector filters dependencies by reading Cargo.toml. For example, passing DEV will skip [dev-dependencies] from detection." |
There was a problem hiding this comment.
I might be inclined to pass the full parameter entry for the example?
i.e. "For example, passing DETECT_CARGO_DEPENDENCY_TYPES_EXCLUDED = DEV will skip [dev-dependencies] from detection."
There was a problem hiding this comment.
Thanks. Updated as per the review.
zahidblackduck
requested review from
cpottsbd,
andrian-sevastyanov and
devmehtabd
.../main/java/com/blackduck/integration/detectable/detectables/cargo/parse/CargoTomlParser.java
Outdated
Show resolved
Hide resolved
|
For lock file detectable, have you tested a scenario like this:
I believe when excluding dev dependencies in such a case both componentA and componentB should be present in the result; however, in the case of lock file detectable we will exclude componentB. Please correct me if I'm wrong. |
| .allMatch(dependencyTypeFilter::shouldExclude); | ||
|
|
||
| if (shouldBeExcluded) { | ||
| dependenciesToExclude.put(nameVersion.getName(), nameVersion.getVersion()); |
There was a problem hiding this comment.
This dependenciesToExclude map allows for a maximum of one version per dependency name; however, it looks like it's possible to specify incompatible versions of the same dependency if they are different types. Example excerpt from Cargo.toml:
[dev-dependencies]
syn = "2.0.1"
[build-dependencies]
syn = "1"
results in the following tree:
[build-dependencies]
└── syn v1.0.109
├── proc-macro2 v1.0.95
│ └── unicode-ident v1.0.18
├── quote v1.0.40
│ └── proc-macro2 v1.0.95 (*)
└── unicode-ident v1.0.18
[dev-dependencies]
└── syn v2.0.101
├── proc-macro2 v1.0.95 (*)
├── quote v1.0.40 (*)
└── unicode-ident v1.0.18
and Cargo.lock has:
...
[[package]]
name = "syn"
version = "1.0.109"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
[[package]]
name = "syn"
version = "2.0.101"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ce2b7fc941b3a24138a0a7cf8e858bfc6a992e7978a068a5c760deb0ed43caf"
dependencies = [
"proc-macro2",
"quote",
"unicode-ident",
]
...
There was a problem hiding this comment.
Using a map of type Map<NameVersion, String> instead of Map<String, String> might solve this problem, as NameVersion key might be unique for a Cargo.toml file.
|
I have an idea that could help resolve the special cases we have been discussing. For
I may have missed something, but I think it's worth considering at the very least. |
| .map(cargoLockPackageDataTransformer::transform) | ||
| .collect(Collectors.toList()); | ||
|
|
||
| DependencyGraph graph = cargoLockPackageTransformer.transformToGraph(packages); | ||
|
|
||
| Optional<NameVersion> projectNameVersion = Optional.empty(); | ||
| if (cargoTomlFile != null) { | ||
| String cargoTomlContents = FileUtils.readFileToString(cargoTomlFile, StandardCharsets.UTF_8); |
There was a problem hiding this comment.
Previously we were checking whether the file is not null before reading it. Now, we don't. FileUtils.readFileToString throws an exception.
We should continue to check whether the file is there before reading it.
Also, I think something like this should happen:
if cargoTomlFile == null and isDependencyExclusionEnabled():
failExtraction() // because we can't reliably determine dependency types; also, we might want to do this in the `extractable()` method of Detectable
| ExternalId childExternalId = externalIdFactory.createNameVersionExternalId(Forge.CRATES, childName, childVersion); | ||
|
|
||
| graph.setDependencyInfo(childId, childName, childVersion, childExternalId); | ||
| graph.setDependencyAsAlias(childId, LazyId.fromName(childName)); |
There was a problem hiding this comment.
What are aliases used for? I've seen this before but not sure what the end effect is.
| exclusionMap.put(CargoDependencyType.NORMAL, "no-normal"); | ||
| exclusionMap.put(CargoDependencyType.BUILD, "no-build"); | ||
| exclusionMap.put(CargoDependencyType.DEV, "no-dev"); | ||
| exclusionMap.put(CargoDependencyType.PROC_MACRO, "no-proc-macro"); |
There was a problem hiding this comment.
Could you describe situations in which PROC_MACRO exclusion is useful? And I guess it's not applicable to lock file extractions?
Interesting idea. Further discussion might help on the implementation strategy. |
JIRA Ticket
IDETECT-4326
Description
This merge request introduces a feature to exclude specific types of dependencies in the Cargo detector, providing more control over which dependencies are included in detect scans. The supported types are:
A new property has been added to configure the exclusion of these dependencies:
By default, all dependencies are included (
NONE). Specific types can be excluded by specifying the appropriate values.Implementation Details
To support this feature, an enum (
CargoDependencyType) has been introduced to represent the dependency types. This logic has been implemented across both Cargo CLI Detector and Cargo Lockfile Detector:Cargo CLI Detector: Uses the
cargo treecommand with native options to exclude dependencies. For example, excluding development dependencies is done by adding the--edges no-devflag to the command. This solution leverages the CLI's built-in functionality with minimal post-processing.Cargo Lockfile Detector: Since
Cargo.lockdoes not include dependency types, the lockfile detector reads and parses theCargo.tomlfile. It collects the[dev-dependencies]and[build-dependencies]sections, filtering out matching dependencies based on the exclusion configuration.