feat: rust analysis support#411
Conversation
Review Summary by QodoAdd Rust Cargo package analysis support with SBOM generation
WalkthroughsDescription• Implements complete Rust Cargo package analysis provider (rust_cargo.js) supporting single crates, virtual workspaces, and workspaces with root crates • Executes cargo metadata to extract dependency information and generates CycloneDX SBOM format • Supports both stack analysis (transitive dependencies) and component analysis (direct dependencies only) • Implements dependency filtering with support for trustify-da-ignore and exhortignore markers, handling underscore/hyphen normalization • Registers the new provider in the provider registry and adds TRUSTIFY_DA_CARGO_PATH environment variable for custom Cargo binary path configuration • Includes comprehensive test suite with 485+ lines covering manifest validation, lock file detection, SBOM generation, and error handling across multiple workspace configurations • Provides extensive test fixtures and expected SBOM outputs for single crates, virtual workspaces, and workspaces with root crates • Updates documentation in README.md and CONTRIBUTING.md to document Rust Cargo support and ignore marker usage Diagramflowchart LR
A["Cargo.toml<br/>Cargo.lock"] -->|"cargo metadata"| B["rust_cargo.js<br/>Provider"]
B -->|"Extract deps"| C["Dependency<br/>Analysis"]
C -->|"Filter ignores"| D["SBOM<br/>Generation"]
D -->|"CycloneDX"| E["SBOM Output"]
B -.->|"Register"| F["Provider<br/>Registry"]
File Changes1. src/providers/rust_cargo.js
|
Code Review by Qodo
1. Member ignore scan broken
|
Review Summary by QodoAdd Rust/Cargo package analysis support with SBOM generation
WalkthroughsDescription• Implements complete Rust/Cargo package analysis provider with support for single crates, virtual workspaces, and workspaces with root crates • Executes cargo metadata to extract dependency information and generates CycloneDX SBOM format • Supports both stack analysis (transitive dependencies) and component analysis (direct dependencies only) • Implements dependency filtering with support for trustify-da-ignore and exhortignore markers, handling underscore/hyphen normalization • Registers the new rustCargoProvider in the provider registry • Adds TRUSTIFY_DA_CARGO_PATH configuration option for custom Cargo binary path • Comprehensive test suite with 485 lines covering all Cargo project types and analysis modes • Includes extensive test fixtures and expected SBOM outputs for various Cargo configurations • Updates documentation to list Rust/Cargo as a supported package manager with configuration examples Diagramflowchart LR
CargoMetadata["Cargo Metadata<br/>cargo metadata command"]
Provider["Rust Cargo Provider<br/>rust_cargo.js"]
Registry["Provider Registry<br/>provider.js"]
SBOM["CycloneDX SBOM<br/>JSON output"]
Config["Configuration<br/>TRUSTIFY_DA_CARGO_PATH"]
CargoMetadata -- "extract dependencies" --> Provider
Provider -- "register" --> Registry
Provider -- "generate" --> SBOM
Config -- "configure" --> Provider
File Changes1. src/providers/rust_cargo.js
|
Code Review by Qodo
1. Member ignore scan broken
|
ruromero
left a comment
There was a problem hiding this comment.
I have added 2 comments if you can review them
|
@ruromero Thank you for the review. I've implemented the suggested changes. Ready for another look whenever you have a moment. |
ruromero
left a comment
There was a problem hiding this comment.
sorry I forgot to "submit" my review
ruromero
left a comment
There was a problem hiding this comment.
I think adding the repository_url=local is a good solution because the backend can just ignore the vulnerability check for this package and help maintain the depedency tree without effort. Actually the generated SBOM must show all the packages even if they're local.
Thanks for the good work
Signed-off-by: Adva Oren <aoren@redhat.com>
Description
Add Rust analysis support
Related issues (if any):
Checklist
Additional information