fix(cargo): Treat projects outside the analyer root as packages

E.g. when analyzing a single Cargo project in a sub-directory with a `cargo.toml` file that points to "path dependencies" in a parent directory, these dependencies should not be seen as projects but as packages. This restores the behavior from before 7522a0c. As a bonus, this also resolves some inconsistencies compared to the original implementation: - Non-processed project VCS are not empty anymore. - "Out of tree" projects that are seen as packages now have the correct linkage and are also listed as packages (they were not listed as projects before although being referred to with `PROJECT_STATIC`). Resolves #8571. Signed-off-by: Sebastian Schuberth <[email protected]>
oss-review-toolkit · Apr 26, 2024 · c41c4c4 · c41c4c4
1 parent 60b00f6
commit c41c4c4
Showing 5 changed files with 60 additions and 21 deletions.
diff --git a/...ns/package-managers/cargo/src/funTest/assets/projects/synthetic/cargo-expected-output.yml b/...ns/package-managers/cargo/src/funTest/assets/projects/synthetic/cargo-expected-output.yml
@@ -12,10 +12,10 @@ project:
   declared_licenses_processed:
     spdx_expression: "Apache-2.0 OR MIT OR NOASSERTION"
   vcs:
-    type: ""
-    url: ""
-    revision: ""
-    path: ""
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "<REPLACE_PATH>"
   vcs_processed:
     type: "Git"
     url: "<REPLACE_URL_PROCESSED>"

diff --git a/...ers/cargo/src/funTest/assets/projects/synthetic/cargo-subcrate-client-expected-output.yml b/...ers/cargo/src/funTest/assets/projects/synthetic/cargo-subcrate-client-expected-output.yml
@@ -7,10 +7,10 @@ project:
   declared_licenses: []
   declared_licenses_processed: {}
   vcs:
-    type: ""
-    url: ""
-    revision: ""
-    path: ""
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "<REPLACE_PATH>"
   vcs_processed:
     type: "Git"
     url: "<REPLACE_URL_PROCESSED>"
@@ -21,7 +21,7 @@ project:
   - name: "dependencies"
     dependencies:
     - id: "Crate::lib:0.1.0"
-      linkage: "PROJECT_STATIC"
+      linkage: "STATIC"
       dependencies:
       - id: "Crate::cfg-if:0.1.9"
         linkage: "STATIC"
@@ -59,3 +59,32 @@ packages:
     url: "https://github.com/alexcrichton/cfg-if.git"
     revision: ""
     path: ""
+- id: "Crate::lib:0.1.0"
+  purl: "pkg:cargo/[email protected]"
+  declared_licenses:
+  - "Apache-2.0"
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "Apache-2.0 OR MIT"
+  description: ""
+  homepage_url: "https://example.org"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  vcs:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/cargo/src/funTest/assets/projects/synthetic/cargo-subcrate"
+  vcs_processed:
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "plugins/package-managers/cargo/src/funTest/assets/projects/synthetic/cargo-subcrate"
diff --git a/...argo/src/funTest/assets/projects/synthetic/cargo-subcrate-integration-expected-output.yml b/...argo/src/funTest/assets/projects/synthetic/cargo-subcrate-integration-expected-output.yml
@@ -7,10 +7,10 @@ project:
   declared_licenses: []
   declared_licenses_processed: {}
   vcs:
-    type: ""
-    url: ""
-    revision: ""
-    path: ""
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "<REPLACE_PATH>"
   vcs_processed:
     type: "Git"
     url: "<REPLACE_URL_PROCESSED>"

diff --git a/...nagers/cargo/src/funTest/assets/projects/synthetic/cargo-subcrate-lib-expected-output.yml b/...nagers/cargo/src/funTest/assets/projects/synthetic/cargo-subcrate-lib-expected-output.yml
@@ -8,10 +8,10 @@ project:
   declared_licenses_processed:
     spdx_expression: "Apache-2.0 OR MIT"
   vcs:
-    type: ""
-    url: ""
-    revision: ""
-    path: ""
+    type: "Git"
+    url: "<REPLACE_URL_PROCESSED>"
+    revision: "<REPLACE_REVISION>"
+    path: "<REPLACE_PATH>"
   vcs_processed:
     type: "Git"
     url: "<REPLACE_URL_PROCESSED>"

diff --git a/plugins/package-managers/cargo/src/main/kotlin/Cargo.kt b/plugins/package-managers/cargo/src/main/kotlin/Cargo.kt
@@ -41,6 +41,7 @@ import org.ossreviewtoolkit.model.Project
 import org.ossreviewtoolkit.model.ProjectAnalyzerResult
 import org.ossreviewtoolkit.model.RemoteArtifact
 import org.ossreviewtoolkit.model.Scope
+import org.ossreviewtoolkit.model.VcsInfo
 import org.ossreviewtoolkit.model.config.AnalyzerConfiguration
 import org.ossreviewtoolkit.model.config.RepositoryConfiguration
 import org.ossreviewtoolkit.model.orEmpty
@@ -162,7 +163,7 @@ class Cargo(
                 val pkg = packageById.getValue(node.id)
                 PackageReference(
                     id = Identifier("Crate", "", pkg.name, pkg.version),
-                    linkage = if (pkg.isProject()) PackageLinkage.PROJECT_STATIC else PackageLinkage.STATIC,
+                    linkage = if (pkg.isProject(workingDir)) PackageLinkage.PROJECT_STATIC else PackageLinkage.STATIC,
                     dependencies = dependencyNodes.toPackageReferences()
                 )
             }
@@ -191,14 +192,19 @@ class Cargo(
         )
 
         val nonProjectPackages = packageById.values.mapNotNullTo(mutableSetOf()) { cargoPkg ->
-            cargoPkg.takeUnless { it.isProject() }?.toPackage(hashes)
+            cargoPkg.takeUnless { it.isProject(workingDir) }?.toPackage(hashes)
         }
 
         return listOf(ProjectAnalyzerResult(project, nonProjectPackages))
     }
 }
 
-private fun CargoMetadata.Package.isProject() = source == null
+private fun CargoMetadata.Package.getLocalPath(): File? =
+    id.substringAfter("path+file://", "").ifEmpty { null }
+        ?.removeSuffix(")")?.substringBefore("#")?.let { File(it) }
+
+private fun CargoMetadata.Package.isProject(root: File): Boolean =
+    source == null && getLocalPath()?.startsWith(root) == true
 
 private fun CargoMetadata.Package.toPackage(hashes: Map<String, String>): Package {
     val declaredLicenses = parseDeclaredLicenses()
@@ -209,6 +215,10 @@ private fun CargoMetadata.Package.toPackage(hashes: Map<String, String>): Packag
     // https://github.com/rust-lang/cargo/pull/4920
     val declaredLicensesProcessed = DeclaredLicenseProcessor.process(declaredLicenses, operator = SpdxOperator.OR)
 
+    val vcs = repository?.let { VcsHost.parseUrl(it) }
+        ?: getLocalPath()?.let { PackageManager.processProjectVcs(it) }
+        ?: VcsInfo.EMPTY
+
     return Package(
         id = Identifier(
             type = "Crate",
@@ -225,7 +235,7 @@ private fun CargoMetadata.Package.toPackage(hashes: Map<String, String>): Packag
         binaryArtifact = RemoteArtifact.EMPTY,
         sourceArtifact = parseSourceArtifact(hashes).orEmpty(),
         homepageUrl = homepage.orEmpty(),
-        vcs = VcsHost.parseUrl(repository.orEmpty())
+        vcs = vcs
     )
 }