Rust CLI metadata detector should use --all-features to avoid false negatives #894
Comments
RobJellinghaus
added a commit
to RobJellinghaus/component-detection
that referenced
this issue
Nov 9, 2023
melotic
pushed a commit
that referenced
this issue
Nov 13, 2023
* Add --all-features per issue #894 * Fix formatting. --------- Co-authored-by: Rob Jellinghaus <[email protected]>
|
closed by #897 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rust defines "features" which enable particular behaviors in projects. The default features used in a project are set in the project's Cargo.toml file, but a pipeline build is free to override the default features in any way.
The Rust CLI detector currently runs "cargo metadata" in the project, and will therefore report only the dependencies used by the features that are enabled by default. This means that any dependencies that are used only by optional features (not enabled by default) will be missed by the CLI detector, and any builds that enable such features would be picking up undetected dependencies.
This issue requests modifying the Rust CLI detector to pass the --all-features flag to "cargo metadata". This will result in every possible build and runtime dependency being made visible to the detector, thereby avoiding false negatives.
In the longer term, our team is working on a feature extension to Cargo itself to enable accurate metadata to be generated as part of a build, using precisely the same features as the build itself. We will engage regarding that work when it's ready. But for now we believe this --all-features change would be an improvement in accuracy.
We will work on a pull request to implement this change.
AB#2121993
The text was updated successfully, but these errors were encountered: