Description
The current implementation of the Rust detector uses a combination of Cargo.lock and Cargo.toml information. The Cargo.lock file is used to determine which edges exist in the dependency graph, while the Cargo.toml manifests are located and used to walk that graph and detect component usage.
The manifest format of Cargo.toml is complex, supporting many features including workspaces, conditional dependencies (including per-target dependencies), package renaming, etc. Today, there are at least two significant cases in which components are not correctly detected:
- Workspace members added indirectly via path dependencies from other workspace members are not found or processed
- Target conditional dependencies in crate manifests are not found or processed.
While these issues could be resolved, the current approach requires us to actively track any changes or enhancements to the Cargo.toml manifest format.
Instead, we should consider taking a more conservative approach that relies solely on the Cargo.lock file, which is a simpler and significantly more stable format. Because Cargo resolves the lock file for every target, target-conditional dependencies and workspace members pulled in through path dependencies are already present there as ordinary packages and edges. This will remove our current ability to identify dev-dependencies (the lock file does not distinguish them from normal dependencies) but will simplify the implementation of the detector and address the issues mentioned above. In the future, we could then (optionally) call out to the package manager directly (e.g., calling `cargo metadata`) to provide more detailed information about dependencies, while basic component detection would keep working without requiring a Cargo installation.
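To make the lock-file-only approach concrete, here is an added example (not code from this project or from Cargo) that parses a Cargo.lock, builds the dependency graph from its `[[package]]` entries, finds the roots, and walks everything reachable from each root. It uses only the Rust standard library; the lock text, the crate names and the versions in `SAMPLE_LOCK` are constructed for the example, and checksum lines are omitted because the detector does not need them. The sample reproduces both cases from the issue: `tool` is a workspace member that appears only as a path dependency of `app` (no `source` line), and `libc` stands in for a target-conditional dependency of `tool`, which the lock file lists like any other dependency.

```rust
use std::collections::{BTreeMap, BTreeSet, VecDeque};

/// One `[[package]]` entry from Cargo.lock (lock format v3).
#[derive(Debug, Clone, PartialEq, Default)]
pub struct LockPackage {
    pub name: String,
    pub version: String,
    /// `None` for path/workspace packages: Cargo writes no `source` line for them.
    pub source: Option<String>,
    /// Raw dependency specs: "name", "name version" or "name version (source)".
    pub dependencies: Vec<String>,
}

impl LockPackage {
    /// "name version" uniquely identifies a package within one lock file.
    pub fn id(&self) -> String { format!("{} {}", self.name, self.version) }
}

fn unquote(s: &str) -> String { s.trim().trim_end_matches(',').trim_matches('"').to_string() }

/// Minimal line-oriented parser; reads only the keys a lock-file-only detector needs.
pub fn parse_cargo_lock(text: &str) -> Vec<LockPackage> {
    let (mut packages, mut current, mut in_deps) = (Vec::new(), None::<LockPackage>, false);
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        if line == "[[package]]" {
            packages.extend(current.take());
            current = Some(LockPackage::default());
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() { Some(p) => p, None => continue }; // skips `version = 3`
        if in_deps {
            if line == "]" { in_deps = false; } else { pkg.dependencies.push(unquote(line)); }
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim();
            match key.trim() {
                "name" => pkg.name = unquote(value),
                "version" => pkg.version = unquote(value),
                "source" => pkg.source = Some(unquote(value)),
                "dependencies" if value == "[" => in_deps = true, // multi-line array follows
                "dependencies" => { // inline array: dependencies = ["a", "b 1.0.0"]
                    let inner = value.trim_start_matches('[').trim_end_matches(']');
                    pkg.dependencies.extend(inner.split(',').map(str::trim).filter(|d| !d.is_empty()).map(unquote));
                }
                _ => {} // checksum and other keys are not needed here
            }
        }
    }
    packages.extend(current.take());
    packages
}

/// Dependency graph keyed by "name version".
pub struct LockGraph {
    pub packages: BTreeMap<String, LockPackage>,
    pub edges: BTreeMap<String, Vec<String>>,
    /// Specs that matched zero or several packages (a malformed or hand-edited lock file).
    pub unresolved: Vec<String>,
}

pub fn build_graph(list: Vec<LockPackage>) -> LockGraph {
    let packages: BTreeMap<String, LockPackage> = list.into_iter().map(|p| (p.id(), p)).collect();
    let mut by_name: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for (id, p) in &packages { by_name.entry(p.name.clone()).or_default().push(id.clone()); }
    let (mut edges, mut unresolved) = (BTreeMap::new(), Vec::new());
    for (id, p) in &packages {
        let mut targets = Vec::new();
        for spec in &p.dependencies {
            // Cargo writes a bare name when it is unambiguous and "name version" otherwise.
            let mut parts = spec.split_whitespace();
            let name = parts.next().unwrap_or("");
            let candidates = by_name.get(name).cloned().unwrap_or_default();
            let hit = match parts.next() {
                Some(version) => candidates.into_iter().find(|c| c == &format!("{name} {version}")),
                None if candidates.len() == 1 => candidates.into_iter().next(),
                None => None,
            };
            match hit { Some(t) => targets.push(t), None => unresolved.push(format!("{id} -> {spec}")) }
        }
        edges.insert(id.clone(), targets);
    }
    LockGraph { packages, edges, unresolved }
}

impl LockGraph {
    /// Packages with no `source`: workspace members and other path crates, including
    /// members that are only reachable through a path dependency of another member.
    pub fn local_packages(&self) -> Vec<String> {
        self.packages.iter().filter(|(_, p)| p.source.is_none()).map(|(id, _)| id.clone()).collect()
    }
    /// Packages nothing depends on: the roots from which detection starts.
    pub fn roots(&self) -> Vec<String> {
        let depended: BTreeSet<&String> = self.edges.values().flatten().collect();
        self.packages.keys().filter(|id| !depended.contains(id)).cloned().collect()
    }
    /// Everything reachable from `root` (excluding `root`). The lock file carries every
    /// target's dependencies and does not mark dev-dependencies, so both end up here.
    pub fn transitive_dependencies(&self, root: &str) -> BTreeSet<String> {
        let (mut seen, mut queue) = (BTreeSet::new(), VecDeque::from([root]));
        while let Some(id) = queue.pop_front() {
            for dep in self.edges.get(id).into_iter().flatten() {
                if seen.insert(dep.clone()) { queue.push_back(dep); }
            }
        }
        seen
    }
}

// Constructed sample lock file (hypothetical crates and versions; checksums omitted).
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = ["serde", "tool"]

[[package]]
name = "libc"
version = "0.2.150"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.195"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = ["serde_derive"]

[[package]]
name = "serde_derive"
version = "1.0.195"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "syn 2.0.48",
]

[[package]]
name = "syn"
version = "1.0.109"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "syn"
version = "2.0.48"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tool"
version = "0.1.0"
dependencies = ["libc", "syn 1.0.109"]
"#;

fn main() {
    let graph = build_graph(parse_cargo_lock(SAMPLE_LOCK));
    for root in graph.roots() { println!("{root}: {:?}", graph.transitive_dependencies(&root)); }
    println!("local: {:?}, unresolved: {:?}", graph.local_packages(), graph.unresolved);
}
```

Running it reports `app 0.1.0` as the only root and `tool 0.1.0` among its dependencies even though nothing outside the lock file says `tool` is a workspace member, which is exactly what the Cargo.toml walk currently misses. The versioned spec `syn 2.0.48` shows why edges must be keyed by name and version rather than name alone. Anything that ends up in `unresolved` is worth surfacing as a detector warning rather than silently dropped.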