handle elided name in git package ID specs #253
Per the package ID grammar, the suffix after `#` is `( pkgname | semver )`, so a bare semver with no `name@` prefix is valid for any source, not just `path`. Cargo emits this form for git deps whose crate name matches the repo's last URL path segment (e.g. `git+https://.../rayon#1.11.0`), which previously panicked on the missing `@`. Grammar reference: https://doc.rust-lang.org/cargo/reference/pkgid-spec.html#package-id-specifications-1
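The grammar point above, as an added example that is not part of the PR or of cargo-auditable: a small parser for the `#` suffix of a package ID spec that accepts `name@version`, a bare `pkgname`, or a bare `semver`, and for the bare-semver case recovers the elided name from the last path segment of the source URL (the `.git` stripping and the "starts with a digit means semver" heuristic are this example's own assumptions).

```rust
// Added example, not cargo-auditable's own code.
#[derive(Debug, PartialEq)]
pub struct PkgId {
    pub name: String,
    pub version: Option<String>,
}

/// Parse `<source-url>[#( name@version | name | version )]` without panicking
/// on a missing `@`. Returns None only when no name can be determined at all.
pub fn parse_pkgid(spec: &str) -> Option<PkgId> {
    let (url, frag) = match spec.split_once('#') {
        Some((u, f)) => (u, Some(f)),
        None => (spec, None),
    };
    // Assumption: the default crate name for a git/path source is the last URL
    // path segment, with any `?branch=..`/`?rev=..` query and `.git` suffix dropped.
    let url_path = url.split('?').next().unwrap_or(url);
    let last = url_path.trim_end_matches('/').rsplit('/').next().unwrap_or("");
    let last = last.strip_suffix(".git").unwrap_or(last);
    // Assumption: a fragment starting with a digit is a version, not a crate name.
    let looks_like_semver = |s: &str| s.chars().next().map_or(false, |c| c.is_ascii_digit());

    match frag {
        // `name@version`: both parts given explicitly
        Some(f) if f.contains('@') => {
            let (n, v) = f.split_once('@')?;
            Some(PkgId { name: n.to_string(), version: Some(v.to_string()) })
        }
        // bare semver: the name was elided because it equals the last path segment
        Some(f) if looks_like_semver(f) => {
            if last.is_empty() {
                return None;
            }
            Some(PkgId { name: last.to_string(), version: Some(f.to_string()) })
        }
        // bare pkgname, no version
        Some(f) if !f.is_empty() => Some(PkgId { name: f.to_string(), version: None }),
        // no fragment at all: fall back to the last path segment
        _ => {
            if last.is_empty() {
                None
            } else {
                Some(PkgId { name: last.to_string(), version: None })
            }
        }
    }
}
```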
Thanks for the PR! Could you provide a command to reproduce the panic?
```rust
                return Ok(reader.data());
            }
            Payload::CustomSection(reader) if reader.name() == ".dep-v0" => {
                return Ok(reader.data());
```
unrelated to this PR, but clippy was failing in CI
Here's an example repro:

```toml
# Cargo.toml
[package]
name = "demo"
version = "0.1.0"
edition = "2021"

[dependencies]
rayon = { git = "https://github.com/rayon-rs/rayon" }
```

```console
# add trivial main.rs
$ cargo +nightly auditable build --release # CARGO_BUILD_SBOM not set: works
$ CARGO_BUILD_SBOM=true cargo +nightly auditable build --release -Z sbom
27.70 thread 'main' panicked at cargo-auditable/src/sbom_precursor.rs:195:18:
27.70 Package ID to have a name and version
```
https://doc.rust-lang.org/nightly/cargo/reference/unstable.html#sbom documents that the ID should be fully qualified, with nothing elided. So this is an upstream Cargo bug. I'm still happy to merge the workaround, but this also needs to be reported and fixed upstream.

Is there a definition of "fully qualified" that's part of the spec? The IDs here arguably are fully qualified in that there is zero ambiguity or missing information. No information has been lost, only duplicate information has been elided.
Shnatsel
left a comment
Thanks for the PR! Looks good by and large, I appreciate the inclusion of tests too.
Just one nit, after that I'm happy to merge