@tjugdev tjugdev commented Oct 9, 2025

Overview

Detect Cargo path dependencies and report them correctly as such.

I originally included handling git dependencies as well, as they are also not currently being handled correctly. However, the git locator type doesn't have the ability to encode package name in addition to the repo, which means if multiple packages are found in a single repo, the dependencies are not reported accurately. This is an issue with the git locator type that applies more generally, so I backed this out and we can revisit the handling of git dependencies separately.

Acceptance criteria

Path dependencies are reported as path dependencies when scanning a Cargo project.

Testing plan

  • New tests
  • Scanned a repo with Cargo path deps and confirmed they are now being reported appropriately.

Risks

Metrics

References

  • ANE-2527: path dependencies for cargo are being reported as normal cargo dependencies

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

@tjugdev tjugdev requested a review from a team as a code owner October 9, 2025 22:06
@tjugdev tjugdev requested a review from csasarak October 9, 2025 22:06
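
The two cases the description above names, path dependencies and several packages coming from one git repository, shown as an added Rust example that is not code from this PR or the project. It reads a constructed `Cargo.lock` excerpt and relies on Cargo writing no `source` key for local packages; `classify`, `git_groups`, the sample URL and the repo-plus-revision identifier are assumptions made for illustration.

```rust
use std::collections::BTreeMap;
// Constructed Cargo.lock excerpt, trimmed to the fields read here; URL and revision are placeholders.
const LOCK: &str = r#"
[[package]]
name = "local-util"
[[package]]
name = "proto-a"
source = "git+https://example.invalid/org/mono#0000000"
[[package]]
name = "proto-b"
source = "git+https://example.invalid/org/mono#0000000"
[[package]]
name = "serde"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

#[derive(Debug, PartialEq)]
enum Origin { Local, Git(String), Registry(String) }

// An entry with no `source` key is local: a workspace member or a path dependency.
fn classify(lock: &str) -> Vec<(String, Origin)> {
    lock.split("[[package]]").skip(1).map(|block| {
        let field = |key: &str| block.lines().find_map(|l| {
            let v = l.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
            Some(v.trim().trim_matches('"').to_string())
        });
        let origin = match field("source") {
            None => Origin::Local,
            Some(s) if s.starts_with("git+") => Origin::Git(s[4..].to_string()),
            Some(s) => Origin::Registry(s),
        };
        (field("name").unwrap_or_default(), origin)
    }).collect()
}

// Groups git packages under an assumed identifier of repo + revision only (no package name).
fn git_groups(pkgs: &[(String, Origin)]) -> BTreeMap<String, Vec<String>> {
    let mut by_src: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for (name, origin) in pkgs {
        if let Origin::Git(src) = origin {
            by_src.entry(src.clone()).or_default().push(name.clone());
        }
    }
    by_src
}

fn main() {
    println!("{:?}", git_groups(&classify(LOCK)));
}
```

A group with more than one name is a set of distinct crates that an identifier without a package name cannot tell apart.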

@csasarak csasarak left a comment

This looks good! I left a lot of comments, but the only thing that keeps this from an approval is where I asked for some example text/commentary for a couple of your parsers.

@tjugdev tjugdev merged commit 688143b into master Oct 10, 2025
19 of 20 checks passed
@tjugdev tjugdev deleted the cargo-path-deps branch October 10, 2025 14:45