[ANE-1659] update cargo metadata ID parser

[spatten]

Overview

Cargo changed the format of project IDs in the output of cargo metadata.

Prior to cargo 1.77.0 they looked like this:

adler 1.0.2 (registry+https://github.com/rust-lang/crates.io-index)

For 1.77.0 and greater, they look like this, as defined in https://doc.rust-lang.org/nightly/cargo/reference/pkgid-spec.html

registry+https://github.com/rust-lang/crates.io-index#adler@1.0.2

For path dependencies, I've seen them with and without the package name in the fragment:

path+file:///Users/scott/projects/health-data/health_data#package_name@0.1.0

or

path+file:///Users/scott/projects/health-data/health_data#0.1.0

Acceptance criteria

• We can parse the output of cargo metadata for new versions of cargo
• We can parse the output of cargo metadata with older versions of cargo

Testing plan

Use rustup to install an old and a new version of cargo:

rustup update # This is currently 1.77.2

rustup install 1.76.0

Now, analyze a cargo project with both the old version:

rustup default 1.77.2
cabal run fossa -- analyze <path to rust project> --output > /tmp/output-1.77.2.json

rustup default 1.76.0
cabal run fossa -- analyze <path to rust project> --output > /tmp/output-1.76.0.json

Clean up those output files (you sometimes get some cruft from cabal run at the beginning) and then run them through jq or otherwise prettify them.

You should now see no difference when you diff the output.

diff /tmp/output-1.77.2.json /tmp/output-1.76.0.json

Chris: I did this with foundation which has a mix of path deps and regular ones and got no differences:

make install-local
rustup default stable
./fossa analyze --output ~/devel/foundation | jq . > 1_77_out.json
rustup install 1.76
rustup default 1.76
./fossa analyze --output ~/devel/foundation | jq . > 1_76_out.json
diff -u 1_77_out.json 1_76_out.json

Risks

Metrics

References

https://fossa.atlassian.net/browse/ANE-1659

https://teamfossa.slack.com/archives/C043EM3L96Z/p1713558253884749

Checklist

• I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  - [ ] If this PR introduced a user-visible change, I added documentation into docs/.
  - [ ] If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
• If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
  - [ ] If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  - [ ] If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

[JeffreyHuynh1]

LGTM

[JeffreyHuynh1]

The comments you added in this file are great!! It makes it really easy to follow and understand the implementation logic.

[csasarak]

Scott wrote the big one and made the testing setup, so thank you @spatten .