[ANE-512] Fix Cargo analyzer reporting library as dependency of itself #1569
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Cargo analyzer was incorrectly reporting library projects as dependencies of themselves when they had no external dependencies. This occurred because the buildGraph function treated all workspace members as direct dependencies without filtering out isolated workspace members from the final graph. The fix uses Graphing.shrink to filter out workspace members that have no external dependencies, while preserving workspace members that do have legitimate external dependencies. This maintains backward compatibility with existing workspace projects while fixing the self-dependency issue for isolated library projects. Fixes ISS-679 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
ryanlink
force-pushed
the
fix/iss-679-cargo-self-dependency
branch
from
b4c77aa to
0e483e7
Compare
- Fix import ordering in src/Strategy/Cargo.hs - Remove trailing whitespace - Addresses formatter-check CI failure 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR fixes a bug where the Cargo analyzer incorrectly reports library projects as dependencies of themselves when they have no external dependencies. The issue occurred because the
buildGraphfunction treated all workspace members as direct dependencies without filtering out isolated workspace members from the final dependency graph.This PR accomplishes the fix by using
Graphing.shrinkto selectively filter out workspace members that have no external dependencies, while preserving workspace members that do have legitimate external dependencies.Acceptance criteria
When users analyze Cargo projects that are library crates with no external dependencies, the dependency graph should now show zero dependencies instead of incorrectly showing the project as a dependency of itself.
For example, analyzing the
unemptylibrary project now correctly returns:{"graph":{"deps":[],"direct":[]}}Instead of the previous incorrect result:
{"graph":{"deps":[{"name":"unempty","version":"1.0.0"}]}}Testing plan
Reproduced the original issue:
git clone https://github.com/jssblck/unempty.git && cd unempty && git checkout 164eae5e76cc3b17bd9d59f647e62b5b9b10785cfossa analyze --output | head -1Verified the fix:
src/Strategy/Cargo.hsmake build-clifossa analyze --output | head -1"deps":[](zero dependencies)Ensured backward compatibility:
cabal test unit-tests --test-option="--match" --test-option="should build the correct graph"Code quality checks:
make lint(HLint passed)make fmt(Fourmolu passed with automatic fixes)Risks
The main risk area is ensuring the filtering logic correctly distinguishes between:
I've implemented this by checking if a workspace member has any dependencies in the resolve graph using
hasNoDependencies. Reviewers should verify this logic correctly handles edge cases and doesn't break existing workspace functionality.Metrics
This change fixes a functional bug rather than introducing new functionality, so no new metrics are needed. The fix can be validated by:
References
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an## Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.