Closed: ByAgenT closed this issue 1 year ago
I had a chat with @ByAgenT about this offline. The fix is to add another else if to this if/else statement to handle git dependencies:
@ByAgenT can you confirm if this is still happening in v2.0.0 or newer? That version is the first to include the cargo rewrite from #117.
Closing this as completed.
@ByAgenT please reopen if you are still seeing the above issue.
Reported by sbom-tool customer https://github.com/microsoft/sbom-tool/issues/126.
Overview

Detector: RustCrateV2Detector
CD version: Reproducible on current main branch, also on 1.1.12
Upon investigation of the above issue I found out that if the dependencies section in the Cargo.toml file contains a dependency from a git repo (example), it causes this code path to execute and return null instead of a spec with the list of non-dev dependencies. It seems like instead of `return null` there should be one more case that handles git repo deps specifically, or a `continue` instead of the return statement, with logging about the dependencies that cannot be included in the result list.

Repro
Easiest way to repro is to clone the customer OSS repo and run a component detection scan on it:

```
gh repo clone kubewarden/policy-server
scan --SourceDirectory D:\path\to\policy-server\
```
RustCrateV2Detector
and 0 non-dev inside ScanManifest.json
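To illustrate the code path described above, here is an added Python sketch (not code from component-detection, whose detector is written in C#): the "buggy" collector returns None as soon as it meets a git dependency, which is why the manifest ends up with 0 non-dev deps, while the fixed collector gives git deps their own branch and logs-and-continues on anything it still cannot classify. The `[dependencies]` table below is constructed for the example and is not the real policy-server Cargo.toml.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CargoDependency:
    name: str
    source: str                # "registry", "git" or "path"
    version: Optional[str]     # semver requirement, registry deps only
    location: Optional[str]    # git URL or local path for non-registry deps


def classify_dependency(name: str, spec) -> CargoDependency:
    """Turn one [dependencies] entry into a typed record."""
    if isinstance(spec, str):                       # serde = "1.0"
        return CargoDependency(name, "registry", spec, None)
    if isinstance(spec, dict):
        if "git" in spec:                           # the case the issue is about
            return CargoDependency(name, "git", None, spec["git"])
        if "path" in spec:
            return CargoDependency(name, "path", spec.get("version"), spec["path"])
        if "version" in spec:
            return CargoDependency(name, "registry", spec["version"], None)
    raise ValueError(f"unsupported dependency spec for {name}: {spec!r}")


def collect_non_dev_buggy(deps: dict) -> Optional[list]:
    """Reported behaviour: the first git dependency aborts the whole manifest."""
    result = []
    for name, spec in deps.items():
        if isinstance(spec, dict) and "git" in spec:
            return None                             # whole spec lost -> 0 non-dev deps
        result.append(classify_dependency(name, spec))
    return result


def collect_non_dev(deps: dict) -> tuple:
    """Fixed behaviour: git deps are kept; unknown specs are logged and skipped."""
    result, skipped = [], []
    for name, spec in deps.items():
        try:
            result.append(classify_dependency(name, spec))
        except ValueError as exc:
            skipped.append(str(exc))                # stands in for the detector's log line
    return result, skipped


# Constructed sample of a parsed [dependencies] table (hypothetical URLs and names).
SAMPLE_DEPENDENCIES = {
    "serde": "1.0",
    "tokio": {"version": "1", "features": ["full"]},
    "policy-evaluator": {"git": "https://github.com/example/policy-evaluator", "tag": "v0.1.0"},
    "local-helper": {"path": "../helper"},
    "workspace-dep": {"workspace": True},           # not handled by the classifier above
}
```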