Add Workspace Support for Cargo #1622
…IDETECT-4919 # Conflicts: # documentation/src/main/markdown/currentreleasenotes.md
Do we want to parse the `exclude` array, which can be present in the toml file along with `members`?
Consider this:

```toml
[workspace]
members = ["packages/*"]
exclude = ["packages/foo"]
```

From your logic, `foo` will be included, so the question is: do we want to exclude it, or let users do that via a property? Or would the build commands take care of that for us?
You are right. As the Cargo Lockfile Detector depends on manual parsing of the `Cargo.toml` workspace table, it should take care of the `exclude` section. The `exclude` section should be respected. Thanks for pointing this out. Updated the code accordingly.
```java
private List<String> getEffectiveInclusions(List<String> included, List<String> excluded) {
```
Instead of this method, did you try using the `ExcludedIncludedWildcardFilter` class? I think this will simplify things on your end.
Thanks for the suggestion, Dev. I considered using `ExcludedIncludedWildcardFilter`, but the `cargo tree` command has specific flag requirements that don't align well with a simple filter-based approach.

The challenge is that `cargo tree` has strict rules about flag combinations:

- The `--workspace` flag must be present when using `--exclude` (enforced by the cargo CLI)
- `--package` flags can work alone when no exclusions are specified
- The command structure changes based on which filters are active

Example scenarios:

```sh
# When there is no workspace filter, we must add the --workspace flag (default workspace support)
cargo tree --workspace

# When only the inclusions filter is present, we need to use --package flags without --workspace
cargo tree --package grep --package ignore

# When only the exclusions filter is present, we must add --workspace (cargo requirement)
cargo tree --workspace --exclude grep-regex

# When both inclusions and exclusions are present, we must add --workspace plus both flag types
cargo tree --workspace --package grep --exclude grep-regex
```

The `ExcludedIncludedWildcardFilter` class cannot tell us whether to add `--workspace` or when to skip it, which is critical for generating valid cargo commands.

That's why `addWorkspaceFlags()` explicitly checks for inclusions/exclusions and constructs the command accordingly rather than delegating to a filter.

The `getEffectiveInclusions(...)` method has been dropped altogether, though. While exploring the possibility of introducing `ExcludedIncludedWildcardFilter` in the code, it was found that this method is not required at all, and the `cargo tree <additional-flags>` command can be constructed in a much simpler way.
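The two points raised in this thread, honouring `[workspace].exclude` when members are expanded from globs and building a `cargo tree` argv that satisfies the `--workspace`/`--package`/`--exclude` rules above, worked through as an added Python example. This is not code from the Detect project or from this PR; the root `Cargo.toml`, the directory layout, the function names and the "unknown member" check are all constructed for illustration. The example treats `exclude` entries as path prefixes relative to the workspace root (so excluding `packages` would drop every member under it), which is my reading of how cargo applies them, and keeps only member directories that contain a `Cargo.toml`.

```python
"""Resolve Cargo workspace members (honouring [workspace].exclude) and build
the `cargo tree` argv that follows the flag rules discussed in the PR.
Added example, not Detect project code. Every input below is constructed."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed root Cargo.toml: one glob member, one explicit member, one exclusion.
SAMPLE_CARGO_TOML = """\
[workspace]
members = ["packages/*", "tools/cli"]
exclude = ["packages/foo"]

[workspace.package]
edition = "2021"
"""

# Constructed layout; every directory listed here receives a minimal Cargo.toml.
SAMPLE_MEMBER_DIRS = ["packages/foo", "packages/bar", "packages/baz", "tools/cli"]


def parse_workspace_table(toml_text: str) -> dict[str, list[str]]:
    """Pull the `members` and `exclude` arrays (double-quoted strings only) out
    of the [workspace] table. Deliberately minimal so the example has no
    dependencies; a real detector should use a proper TOML parser."""
    result: dict[str, list[str]] = {"members": [], "exclude": []}
    # The table body runs from the [workspace] header to the next header or EOF.
    table = re.search(r"^\[workspace\]\s*$(.*?)(?=^\[|\Z)", toml_text, re.M | re.S)
    if not table:
        return result
    for key in result:
        array = re.search(rf"^\s*{key}\s*=\s*\[(.*?)\]", table.group(1), re.M | re.S)
        if array:
            result[key] = re.findall(r'"([^"]*)"', array.group(1))
    return result


def _is_under(rel: Path, prefix: Path) -> bool:
    return rel == prefix or prefix in rel.parents


def resolve_members(root: Path, members: list[str], exclude: list[str]) -> list[str]:
    """Expand member globs relative to root and drop excluded paths.
    Exclude entries are applied as path prefixes, not globs (assumption mirroring
    cargo's behaviour). Only directories holding a Cargo.toml count as members."""
    excluded = [Path(entry) for entry in exclude]
    resolved: list[str] = []
    for pattern in members:
        for candidate in sorted(root.glob(pattern)):
            if not (candidate / "Cargo.toml").is_file():
                continue
            rel = candidate.relative_to(root)
            if any(_is_under(rel, ex) for ex in excluded):
                continue  # listed under [workspace].exclude, so not a member
            if rel.as_posix() not in resolved:
                resolved.append(rel.as_posix())
    return resolved


def cargo_tree_args(included: list[str], excluded: list[str]) -> list[str]:
    """Build the `cargo tree` argv: --workspace is required whenever --exclude
    is used and is the default when no --package filter is given; --package
    filters alone stand on their own without --workspace."""
    args = ["cargo", "tree"]
    if excluded or not included:
        args.append("--workspace")
    for name in included:
        args += ["--package", name]
    for name in excluded:
        args += ["--exclude", name]
    return args


def build_sample_workspace() -> Path:
    """Write the constructed workspace into a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="cargo-ws-"))
    (root / "Cargo.toml").write_text(SAMPLE_CARGO_TOML)
    for rel in SAMPLE_MEMBER_DIRS:
        member = root / rel
        member.mkdir(parents=True)
        (member / "Cargo.toml").write_text(f'[package]\nname = "{member.name}"\n')
    return root


def resolve_sample_workspace(included: list[str], excluded: list[str]) -> tuple[list[str], list[str]]:
    """End to end: parse the root manifest, resolve members, validate the
    user-supplied include/exclude names against them, and build the argv.
    The validation step is an added check, not something the PR describes."""
    root = build_sample_workspace()
    table = parse_workspace_table((root / "Cargo.toml").read_text())
    members = resolve_members(root, table["members"], table["exclude"])
    # Directory names double as package names in this constructed layout.
    names = {Path(m).name for m in members}
    unknown = [n for n in included + excluded if n not in names]
    if unknown:
        raise ValueError(f"not workspace members: {unknown}")
    return members, cargo_tree_args(included, excluded)


if __name__ == "__main__":
    members, argv = resolve_sample_workspace([], ["baz"])
    print("members:", members)
    print("command:", " ".join(argv))
```

Because `packages/foo` is removed at resolution time, a user who later passes `foo` through an include or exclude property is rejected rather than silently producing a `cargo tree` command that references a package cargo itself would not treat as a member.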
```markdown
* (IDETECT-4924) Resolved an issue where Impact Analysis Scan threw errors on malformed classes; it now handles them gracefully by logging a warning, skipping the affected classes, and adding them to the scan output.
* (IDETECT-4921) Fixed upload failures in proxied environments when SCASS is enabled.
* (IDETECT-4919) Added Cargo workspace support in Cargo detectors. Detect now identifies `[workspace]` in the root `Cargo.toml` and resolves dependencies across all members using the shared `Cargo.lock`. Additional_components section has been removed, ensuring complete SBOMs.
```
Tiny tweak suggestion:

- (IDETECT-4919) Added Cargo workspace support in Cargo detectors. [detect_product_short] now identifies `[workspace]` in the root `Cargo.toml` and resolves dependencies across all members using the shared `Cargo.lock`. The "Additional_components" section has been removed from SBOMs for completeness.
```markdown
### New features

* New `detect.cargo.included.workspaces` and `detect.cargo.excluded.workspaces` properties for cargo detector provide control over which workspace members are included or excluded during scanning. See [cargo](properties/detectors/cargo.md) for details.
```
Minor rewording suggestion:

- Control over which workspace members are included or excluded during scanning is made possible by the new `detect.cargo.included.workspaces` and `detect.cargo.excluded.workspaces` properties for Cargo Detector. See Cargo for details.
```markdown
### New features

* New `detect.cargo.included.workspaces` and `detect.cargo.excluded.workspaces` properties for cargo detector provide control over which workspace members are included or excluded during scanning. See [cargo](properties/detectors/cargo.md) for details.
* New `detect.cargo.ignore.all.workspaces` property allows disabling workspace support entirely when set to true (default: false). See [cargo](properties/detectors/cargo.md) for more information.
```
When set to true (default: false), the new detect.cargo.ignore.all.workspaces property allows you to completely disable workspace support. See Cargo for more information.
JIRA Ticket
IDETECT-4919
Description
This merge request aims to add cargo workspace support in the cargo detectors.
Previously, the cargo detectors parsed only the manifest in the project root directory, which caused:

The current implementation now resolves workspaces by default. We can exclude / include workspace members, or disable workspace support altogether, via the specified detect properties.

Detect now identifies cargo workspaces declared via the `[workspace]` table in the root `Cargo.toml`. Added properties to support enabling/disabling workspace resolution and including/excluding workspace members.

New Properties

Properties to include workspace members:

```
detect.cargo.included.workspaces=<comma separated list of workspace(s) to include>
```

Properties to exclude workspace members:

```
detect.cargo.excluded.workspaces=<comma separated list of workspace(s) to exclude>
```

Enable / disable workspace support:

```
detect.cargo.ignore.all.workspaces=<true to ignore all workspaces; false is the default>
```