Skip to content

Fix Rust component detector to support "x.y.z" version specifiers in Cargo.toml #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jan 25, 2022
Merged

Fix Rust component detector to support "x.y.z" version specifiers in Cargo.toml #43

merged 5 commits into from
Jan 25, 2022

Conversation

@tofay
Copy link
Contributor

@tofay tofay commented Jan 19, 2022

If you specify a dependency with "x.y.z" in Cargo.toml, then that dependency (and it's dependency tree) is only detected if the version of the dependency in Cargo.lock is "x.y.z".

This doesn't match cargo's behaviour, which treats "x.y.z" like "^x.y.z": https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-cratesio

I've updated the Rust detector to match cargo's behaviour, and added a test to verify that such dependencies are now picked up by component governance.

The fix is to update the caret desugarar regex to make the caret optional.

I also fixed the vscode dev container files to use .NET 3.1, to match #19

@tofay tofay requested a review from a team as a code owner January 19, 2022 13:15
@tofay tofay requested a review from annaowens January 19, 2022 13:15
@github-actions
Copy link

github-actions bot commented Jan 19, 2022

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

Tom Fay added 2 commits January 19, 2022 14:31
@tofay
Copy link
Contributor Author

tofay commented Jan 19, 2022

The changes to the verification test look reasonable: it looks like some dependencies were incorrectly being flagged as dev dependencies when they are normal dependencies.

grvillic
grvillic reviewed Jan 24, 2022
View reviewed changes
@grvillic grvillic merged commit 15eb5fa into main Jan 25, 2022
@grvillic grvillic deleted the tofay/rust-component-fix branch January 25, 2022 17:39
@grvillic
Copy link
Collaborator

grvillic commented Jan 25, 2022

Thank you for the contribution! 🚀

@JamieMagee JamieMagee added detector:rust The Rust Cargo detector type:bug Bug fix of existing functionality labels Jan 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@grvillic grvillic grvillic approved these changes

@annaowens annaowens Awaiting requested review from annaowens annaowens is a code owner automatically assigned from microsoft/ose-component-detection-maintainers

Assignees

No one assigned

Labels

detector:rust The Rust Cargo detector type:bug Bug fix of existing functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tofay @grvillic @JamieMagee