
Fix: Correct direct vs transitive dependency classification in Cargo Lockfile Detector #1461


Draft: wants to merge 8 commits into master

Conversation

zahidblackduck
Collaborator

@zahidblackduck zahidblackduck commented Jul 3, 2025

JIRA Ticket

IDETECT-4746

Description

This merge request fixes a bug in the Cargo Lockfile Detector where transitive dependencies were incorrectly identified as direct dependencies in the generated BOM.
This change ensures that only dependencies explicitly declared in Cargo.toml are marked as direct. All others are accurately classified as transitive.

Implementation Details

  • The CargoExtractor has been updated to:
    • Parse direct dependencies from Cargo.toml
    • Resolve root dependencies separately before performing DFS to collect transitives
    • If Cargo.toml is not found, it falls back to the previous implementation
  • The transformToGraph(...) method in CargoLockPackageTransformer now:
    • Accepts a Set<NameVersion> of root dependencies
    • Adds only those as root nodes in the dependency graph
    • Correctly links transitive dependencies as children

Impact

  • Ensures BOMs generated via the Cargo Lockfile Detector reflect accurate dependency relationships
  • Reduces false positives where transitive packages were mistakenly marked as direct
  • Improves reliability of policy evaluation and SBOM auditing in Rust projects scanned without the Cargo CLI
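The classification the description above lays out (names declared in Cargo.toml become the roots, a DFS over Cargo.lock collects the transitives, and every lock package becomes a root when no Cargo.toml is present) as an added, runnable example. It is written here in Python for illustration and is not Detect's Java code; the function names parse_cargo_lock, resolve, direct_dependency_names and classify are this example's own, not CargoExtractor's or CargoLockPackageTransformer's, and the sample Cargo.toml and Cargo.lock are constructed. The kinds=None argument is an assumption that mirrors a null dependency-type filter (include every dependency table); the Cargo.toml reader is deliberately minimal rather than a TOML parser.

```python
"""Direct vs transitive classification from Cargo.lock plus Cargo.toml.
Hypothetical Python re-implementation for illustration, not Detect's Java code;
the Cargo.toml reader is deliberately minimal (dependency tables only)."""
import re
from typing import Collection, Dict, List, Optional, Set, Tuple
Package = Tuple[str, str]  # (name, version): how Cargo.lock identifies a crate
# Constructed sample: `app` declares rand in [dependencies] and tempfile in
# [dev-dependencies]. The lock holds two rand_core versions, so Cargo writes
# those edges as "name version"; unambiguous edges carry the name only.
SAMPLE_CARGO_TOML = """
[dependencies]
rand = { version = "0.8", features = ["std"] }
[dev-dependencies]
tempfile = "3"
"""
SAMPLE_CARGO_LOCK = """
version = 3
[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "rand",
 "tempfile",
]
[[package]]
name = "rand"
version = "0.8.5"
dependencies = [
 "rand_core 0.6.4",
]
[[package]]
name = "rand_core"
version = "0.5.1"
[[package]]
name = "rand_core"
version = "0.6.4"
[[package]]
name = "tempfile"
version = "3.10.0"
dependencies = [
 "rand_core 0.5.1",
]
"""
DEP_TABLE = re.compile(r"^\[(?:target\.[^\]]+\.)?(dependencies|dev-dependencies|build-dependencies)\]$")

def parse_cargo_lock(text: str) -> Dict[Package, List[str]]:
    """Map each [[package]] to its raw `dependencies = [...]` entries."""
    packages: Dict[Package, List[str]] = {}
    for block in text.split("[[package]]")[1:]:  # [0] is the file header
        block = block.split("[metadata]")[0]  # v1 locks end with a quoted checksum table
        fields = dict(re.findall(r'^(name|version) = "([^"]*)"', block, re.M))
        deps = re.findall(r'^\s*"([^"]+)",?\s*$', block, re.M)  # only list items start with a quote
        packages[(fields["name"], fields["version"])] = deps
    return packages

def resolve(spec: str, by_name: Dict[str, List[Package]]) -> Package:
    """Resolve a "name" or "name version" lock entry (a v1 "(source)" suffix is ignored)."""
    parts = spec.split()
    cands = [p for p in by_name.get(parts[0], []) if len(parts) == 1 or p[1] == parts[1]]
    if len(cands) != 1:
        raise ValueError(f"cannot resolve {spec!r} in Cargo.lock, candidates: {cands}")
    return cands[0]

def direct_dependency_names(toml_text: str, kinds: Optional[Collection[str]]) -> Set[str]:
    """Names declared in Cargo.toml dependency tables; kinds=None includes every
    table (a null dependency-type filter). [dependencies.foo] sub-tables are not handled."""
    names: Set[str] = set()
    in_table = False
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            m = DEP_TABLE.match(line)
            in_table = bool(m) and (kinds is None or m.group(1) in kinds)
        elif in_table and line:
            key, _, value = line.partition("=")
            renamed = re.search(r'\bpackage\s*=\s*"([^"]+)"', value)  # foo = { package = "bar" }
            names.add(renamed.group(1) if renamed else key.strip().strip('"'))
    return names

def classify(lock_text: str, toml_text: Optional[str], kinds: Optional[Collection[str]] = ("dependencies",)):
    """Return (roots, transitives, edges). Without a Cargo.toml every lock package
    becomes a root, which is the pre-fix behaviour kept as the fallback."""
    packages = parse_cargo_lock(lock_text)
    by_name: Dict[str, List[Package]] = {}
    for pkg in packages:
        by_name.setdefault(pkg[0], []).append(pkg)
    roots = set(packages) if toml_text is None else {
        resolve(name, by_name) for name in direct_dependency_names(toml_text, kinds)}
    edges: Dict[Package, List[Package]] = {}
    stack = list(roots)
    while stack:  # DFS from the roots only; anything reached that is not a root is transitive
        pkg = stack.pop()
        if pkg in edges:
            continue
        edges[pkg] = [resolve(spec, by_name) for spec in packages[pkg]]
        stack.extend(edges[pkg])
    return roots, set(edges) - roots, edges

if __name__ == "__main__":
    direct, transitive, _ = classify(SAMPLE_CARGO_LOCK, SAMPLE_CARGO_TOML)
    print("direct:", sorted(direct), "transitive:", sorted(transitive))
```

Two points worth noticing when running it: a crate declared in Cargo.toml that is also reached through another root stays a root, because the DFS never demotes a root to a child, and a lock entry that names a crate with two resolved versions but no version suffix is rejected rather than guessed, since picking the wrong version would put the wrong component in the BOM.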

@zahidblackduck zahidblackduck self-assigned this Jul 3, 2025
@zahidblackduck zahidblackduck marked this pull request as draft July 3, 2025 04:59
@zahidblackduck zahidblackduck changed the title from "Fix: Correct direct vs transitive dependency classification in Cargo Lockfile Detector**JIRA Ticket**" to "Fix: Correct direct vs transitive dependency classification in Cargo Lockfile Detector" Jul 3, 2025

@zahidblackduck zahidblackduck marked this pull request as ready for review July 3, 2025 10:14
@zahidblackduck zahidblackduck requested a review from Copilot July 3, 2025 10:15

@zahidblackduck zahidblackduck requested a review from Copilot July 4, 2025 17:01
@Copilot Copilot AI left a comment


Pull Request Overview

This PR fixes the classification of direct vs. transitive dependencies in the Cargo Lockfile Detector’s BOM by tracking only those declared in Cargo.toml as roots.

  • The transformer now takes an explicit rootDependencies set and only marks those as root nodes.
  • The extractor collects direct dependencies from Cargo.toml, resolves versions of unnamed deps, and passes the roots through to the transformer.
  • Tests were updated to call the new two-argument transformToGraph and supply the expected root set.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

Files reviewed:

  • detectable/src/test/java/.../CargoLockPackageTransformerTest.java: Updated imports and replaced single-arg transformToGraph calls with the two-arg version, supplying roots.
  • detectable/src/main/java/.../CargoLockPackageTransformer.java: Changed the transformToGraph signature to accept a Set<NameVersion> of roots and adjusted the root-node logic.
  • detectable/src/main/java/.../CargoTomlParser.java: Added a null-check around the dependency-type filter to include all dependencies when the filter is null.
  • detectable/src/main/java/.../CargoExtractor.java: Gathered resolvedRootDependencies, resolved missing versions, and passed the roots into the transformer.
Comments suppressed due to low confidence (3)

detectable/src/main/java/com/blackduck/integration/detectable/detectables/cargo/CargoExtractor.java:119

  • [nitpick] The parameter resolvedRootDependenciesOut is not immediately clear. Rename it to something like rootDependenciesSink or simply rootDependencies to improve readability.
    private void processTransitiveDependenciesForInclusion(

detectable/src/test/java/com/blackduck/integration/detectable/detectables/cargo/transform/CargoLockPackageTransformerTest.java:34

  • Add a test where rootDependencies is empty to verify the fallback behavior (all lockfile packages become roots) matches the previous one-argument logic.
        Set<NameVersion> rootDependencies = new HashSet<>();

detectable/src/main/java/com/blackduck/integration/detectable/detectables/cargo/transform/CargoLockPackageTransformer.java:38

  • Avoid creating a new NameVersion object on each iteration for the contains check. Consider precomputing a map of (name, version) keys or using a canonical identifier to reduce object churn.
            if (rootDependencies.isEmpty() || rootDependencies.contains(new NameVersion(name, version))) {

@zahidblackduck zahidblackduck marked this pull request as draft July 4, 2025 17:04
1 participant