microsoft / component-detection

Scans your project to determine what components you use
MIT License

Rust CLI metadata detector should use --all-features to avoid false negatives #894

Closed RobJellinghaus closed 10 months ago

RobJellinghaus commented 10 months ago

Rust defines "features" which enable particular behaviors in projects. The default features used in a project are set in the project's Cargo.toml file, but a pipeline build is free to override the default features in any way.

The Rust CLI detector currently runs "cargo metadata" in the project, and will therefore report only the dependencies used by the features that are enabled by default. This means that any dependencies that are used only by optional features (not enabled by default) will be missed by the CLI detector, and any builds that enable such features would be picking up undetected dependencies.

This issue requests modifying the Rust CLI detector to pass the --all-features flag to "cargo metadata". This will result in every possible build and runtime dependency being made visible to the detector, thereby avoiding false negatives.

In the longer term, our team is working on a feature extension to Cargo itself to enable accurate metadata to be generated as part of a build, using precisely the same features as the build itself. We will engage regarding that work when it's ready. But for now we believe this --all-features change would be an improvement in accuracy.

We will work on a pull request to implement this change.

AB#2121993
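As an added illustration (not code from this issue or from the component-detection project), the following Python script walks the `resolve` graph of two `cargo metadata --format-version 1` documents, one produced with default features and one with `--all-features`, and lists the packages that only the second run reports. The two embedded documents are constructed samples with made-up package ids; the `cargo_metadata` helper assumes `cargo` is on PATH and is not exercised by the sample.

```python
"""Why `cargo metadata` without --all-features under-reports dependencies:
packages pulled in only by non-default features are absent from the resolve
graph, so a detector that walks it never sees them."""
import json
import subprocess
from collections import deque


def cargo_metadata(manifest_dir, all_features):
    """Run the real command; the proposed detector change is just the flag."""
    cmd = ["cargo", "metadata", "--format-version", "1"]
    if all_features:
        cmd.append("--all-features")
    return json.loads(subprocess.check_output(cmd, cwd=manifest_dir))


def resolved_packages(meta):
    """Map package id -> (name, version) for every package reachable from a
    workspace member in the resolve graph, i.e. what a detector would report."""
    by_id = {p["id"]: (p["name"], p["version"]) for p in meta["packages"]}
    edges = {n["id"]: n["dependencies"] for n in meta["resolve"]["nodes"]}
    seen, todo = set(), deque(meta["workspace_members"])
    while todo:
        pid = todo.popleft()
        if pid in seen:
            continue
        seen.add(pid)
        todo.extend(edges.get(pid, []))
    return {pid: by_id[pid] for pid in seen}


def missed_by_default(default_meta, all_features_meta):
    """Packages the default-features run never reports: the false negatives."""
    default_ids = resolved_packages(default_meta).keys()
    return sorted(nv for pid, nv in resolved_packages(all_features_meta).items()
                  if pid not in default_ids)


# Constructed sample (not real crates.io metadata): `app` always pulls `serde`;
# `reqwest`, and through it `hyper`, is optional behind a non-default feature.
APP, SERDE = "app 0.1.0 (path+file:///src/app)", "serde 1.0.0 (registry+crates.io)"
REQWEST, HYPER = "reqwest 0.11.0 (registry+crates.io)", "hyper 0.14.0 (registry+crates.io)"


def _meta(edges):
    pkgs = [dict(zip(("name", "version"), p.split(" ", 2)[:2]), id=p) for p in edges]
    nodes = [{"id": p, "dependencies": d} for p, d in edges.items()]
    return {"packages": pkgs, "workspace_members": [APP],
            "resolve": {"nodes": nodes, "root": APP}}


DEFAULT_META = _meta({APP: [SERDE], SERDE: []})
ALL_FEATURES_META = _meta({APP: [SERDE, REQWEST], SERDE: [], REQWEST: [HYPER], HYPER: []})

if __name__ == "__main__":
    for name, version in missed_by_default(DEFAULT_META, ALL_FEATURES_META):
        print(f"missed without --all-features: {name} {version}")
```

Against a real project, replace the two constants with `cargo_metadata(path, False)` and `cargo_metadata(path, True)`; a non-empty result is the set of dependencies the current detector cannot see.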

melotic commented 10 months ago

closed by #897