microsoft / component-detection

Scans your project to determine what components you use
MIT License
429 stars 90 forks

Rust detector silently discards non-dev dependencies when `Cargo.toml` file contains dependency from git #253

Closed. ByAgenT closed this 1 year ago

ByAgenT commented 2 years ago

Reported by sbom-tool customer https://github.com/microsoft/sbom-tool/issues/126.

Overview

Detector: RustCrateV2Detector
CD version: reproducible on the current main branch, also on 1.1.12

Upon investigation of the above issue I found out that if the dependencies section in the Cargo.toml file contains a dependency from a git repo (example), it causes this code path to execute and return null instead of a spec with the list of non-dev dependencies. It seems that instead of returning null there should be one more case that handles git repo deps specifically, or a continue instead of the return statement, with logging about the dependencies that cannot be included in the result list.

Repro

The easiest way to repro is to clone the customer's OSS repo and run a component detection scan on it:

  1. Clone policy-server: `gh repo clone kubewarden/policy-server`
  2. Run the scan: `scan --SourceDirectory D:\path\to\policy-server\`
  3. Observe that only 11 components are detected by RustCrateV2Detector and 0 non-dev inside ScanManifest.json
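
As an added illustration of the failure mode described above (a Python sketch, not the project's C# detector code): a classifier that returns None on the first git dependency, next to one that keeps the list and records the git source instead. The Cargo.toml sample is constructed and the TOML-subset parser is a simplification, not Cargo's parser.

```python
import re
# Constructed Cargo.toml excerpt (not the kubewarden repo's): two registry deps and one git dep.
SAMPLE_CARGO_TOML = """
[dependencies]
serde = "1.0"
tokio = { version = "1", features = ["rt"] }
policy-evaluator = { git = "https://example.invalid/policy-evaluator", branch = "main" }
[dev-dependencies]
tempfile = "3"
"""

def parse_deps(text):
    """Simplified parser (assumption, not Cargo's): per section, (name, source, detail)."""
    sections = {"dependencies": [], "dev-dependencies": []}
    current = None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                    # section header
            current = line.strip("[]")
            continue
        if current not in sections:
            continue
        name, _, rest = line.partition("=")
        name, rest = name.strip(), rest.strip()
        if rest.startswith('"'):                    # plain version string
            fields = {"version": rest.strip('"')}
        else:                                       # inline table: git = "...", version = "..."
            fields = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', rest))
        source = "git" if "git" in fields else "registry"
        sections[current].append((name, source, fields.get("git", fields.get("version"))))
    return sections

def buggy_non_dev(sections):
    """Reported behaviour: the first git dep makes the whole result None, dropping every registry dep."""
    out = []
    for dep in sections["dependencies"]:
        if dep[1] == "git":
            return None
        out.append(dep)
    return out

def fixed_non_dev(sections):
    """Proposed shape: record git deps with their URL and log them instead of aborting."""
    out, log = [], []
    for dep in sections["dependencies"]:
        if dep[1] == "git":
            log.append(f"{dep[0]}: git dependency from {dep[2]}")
        out.append(dep)
    return out, log
```

With the sample above, `buggy_non_dev` yields None even though two registry dependencies were already collected, while `fixed_non_dev` returns all three plus one log line for the git source.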

JamieMagee commented 2 years ago

I had a chat with @ByAgenT about this offline. The fix is to add another else if to this if/else statement to handle git dependencies:

https://github.com/microsoft/component-detection/blob/cc5c5ffd7fa528953f24c4962a3ea7506698aa86/src/Microsoft.ComponentDetection.Detectors/rust/RustCrateUtilities.cs?rgh-link-date=2022-08-31T21%3A09%3A35Z#L300-L318

JamieMagee commented 2 years ago

@ByAgenT can you confirm whether this is still happening in v2.0.0 or newer? That version is the first to include the cargo rewrite from #117.

JamieMagee commented 1 year ago

Closing this as completed.

@ByAgenT please reopen if you are still seeing the above issue.