Detect property to exclude Cargo dependencies

[zahidblackduck]

JIRA Ticket

IDETECT-4326

Description

This merge request introduces a feature to exclude specific types of dependencies in the Cargo detector, providing more control over which dependencies are included in detect scans. The supported types are:

• Normal: Regular dependencies needed for runtime.
• Dev: Development dependencies, such as test libraries.
• Build: Build-related dependencies.
• Proc-Macro: Procedural macro dependencies.

A new property has been added to configure the exclusion of these dependencies:

--detect.cargo.dependency.types.excluded=NONE,NORMAL,DEV,BUILD,PROC_MACRO

By default, all dependencies are included (NONE). Specific types can be excluded by specifying the appropriate values.

Implementation Details

To support this feature, an enum (CargoDependencyType) has been introduced to represent the dependency types. This logic has been implemented across both Cargo CLI Detector and Cargo Lockfile Detector:

1. Cargo CLI Detector: Uses the cargo tree command with native options to exclude dependencies. For example, excluding development dependencies is done by adding the --edges no-dev flag to the command. This solution leverages the CLI's built-in functionality with minimal post-processing.

2. Cargo Lockfile Detector: Since Cargo.lock does not include dependency types, the lockfile detector reads and parses the Cargo.toml file. It collects the [dev-dependencies] and [build-dependencies] sections, filtering out matching dependencies based on the exclusion configuration. It collects the sections that are to be included from the Cargo.toml file, then collects the corresponding transitive dependencies from the Cargo.lock using DFS traversal.

[devmehtabd]

Instead of checking on cargoDetectableOptions object, can we check on dependencyTypeFilter instead? There could be more properties added to this detector in future not related to dependency exclusion.

[zahidblackduck]

Ah, you're right. The actual filtering is handled by dependencyTypeFilter. This null check is just to verify whether any options were passed at all. The filtering logic using dependencyTypeFilter is applied later in the CargoTomlParser#parseDependenciesToExclude(..) method.

[devmehtabd]

I understand that, my only concern is that if in future lets say we add some new property for excluding workspaces as an example then those options will also be passed in CargoDetectableOptions, so we will make this unnecessary call to cargoTomlParser which is not required if no dependency exclusion is involved. I hope I made sense.

[zahidblackduck]

The current code setup doesn't call the methods of CargoTomlParser if no dependency exclusion is involved. Nonetheless, I aim to address the issue that you pointed out in any future enhancement of cargo related issue.

[devmehtabd]

I know, currently your code is not getting executed if cargoDetectableOptions is null. It is not guaranteed that you are going to work on this in any future enhancement related to Cargo and it could be easily missed. I believe we should address this now, its a simple change and not a complicated ask.

[zahidblackduck]

Okay, sure. I'll update accordingly.

[devmehtabd]

Should be changed, since this is applicable to Lockfile Detector as well.

[zahidblackduck]

It's a good find. I'll update.

[devmehtabd]

Another wildcard import statement.

[cpottsbd]

I might be inclined to pass the full parameter entry for the example?
i.e. "For example, passing DETECT_CARGO_DEPENDENCY_TYPES_EXCLUDED = DEV will skip [dev-dependencies] from detection."

[zahidblackduck]

Thanks. Updated as per the review.

[andrian-sevastyanov]

I have an idea that could help resolve the special cases we have been discussing. For Cargo.lock, when excluding dependencies we could try something like this:

1. Go through sections of Cargo.toml to determine which sections should be included
2. For all included sections, figure out what the root dependencies are
3. Use the lock file to figure out the transitive dependencies for root dependencies from step 2
4. The final result is then combination of step 2 and 3.

I may have missed something, but I think it's worth considering at the very least.

[andrian-sevastyanov]

Could you describe situations in which PROC_MACRO exclusion is useful? And I guess it's not applicable to lock file extractions?

[zahidblackduck]

I have an idea that could help resolve the special cases we have been discussing. For Cargo.lock, when excluding dependencies we could try something like this:

1. Go through sections of Cargo.toml to determine which sections should be included
2. For all included sections, figure out what the root dependencies are
3. Use the lock file to figure out the transitive dependencies for root dependencies from step 2
4. The final result is then combination of step 2 and 3.

I may have missed something, but I think it's worth considering at the very least.

Interesting idea. Further discussion might help on the implementation strategy.

[andrian-sevastyanov]

This find is done inside of a loop so it might be worth it to do some preprocessing for faster lookups.

[andrian-sevastyanov]

This may still be a concern for big projects. You could try indexing packages by name for faster lookups before starting loops that call this method. There are a couple such loops.

[zahidblackduck]

So, are you suggesting to construct a HashMap of package names beforehand? I mean the findPackageByNameVersion method matches for versions. For example, which 7.0.0 should match version which 7.0.2. And there can be another which 8.0.1 to which the first one should not match.

[andrian-sevastyanov]

Yeah, that's the idea. It can be a map of names to multiple name/versions.
That would allow us to quickly find all possible versions for a given dependency instead of iterating through the entire list of dependencies for every single lookup.

[zahidblackduck]

I have an idea that could help resolve the special cases we have been discussing. For Cargo.lock, when excluding dependencies we could try something like this:

1. Go through sections of Cargo.toml to determine which sections should be included
2. For all included sections, figure out what the root dependencies are
3. Use the lock file to figure out the transitive dependencies for root dependencies from step 2
4. The final result is then combination of step 2 and 3.

I may have missed something, but I think it's worth considering at the very least.

The latest changes of the Cargo Lockfile detector dependency exclusion strategy has adopted the above approach.