Skip to content

[ANE-512] Fix Cargo analyzer reporting library as dependency of itself #1569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

[ANE-512] Fix Cargo analyzer reporting library as dependency of itself #1569

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
3dd1054
[ANE-512] Fix Cargo analyzer reporting library as dependency of itself
ryanlink Jul 29, 2025
b65219a
Update changelog for Cargo self-dependency fix
ryanlink Jul 29, 2025
0e483e7
[ANE-512] Update changelog for Cargo self-dependency fix
ryanlink Jul 29, 2025
7fad98f
Merge branch 'master' into fix/iss-679-cargo-self-dependency
ryanlink Jul 29, 2025
643494d
[ANE-512] Fix code formatting issues
ryanlink Jul 31, 2025
9e7b97c
Merge branch 'master' into fix/iss-679-cargo-self-dependency
ryanlink Aug 5, 2025
110976e
Merge branch 'master' into fix/iss-679-cargo-self-dependency
ryanlink Aug 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions Changelog.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# FOSSA CLI Changelog

## Unreleased

- cargo: Fix Cargo analyzer incorrectly reporting library projects as dependencies of themselves when they have no external dependencies ([#1569](https://github.com/fossas/fossa-cli/pull/1569))

## 3.10.14

- gradle: Do not report version constraints, version contraints are contained within an`DependencyResult`, filter out any constraints by checking [`isConstraint()`](https://docs.gradle.org/current/javadoc/org/gradle/api/artifacts/result/DependencyResult.html#isConstraint()). ([#1563](https://github.com/fossas/fossa-cli/pull/1563))
Expand Down
25 changes: 23 additions & 2 deletions src/Strategy/Cargo.hs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,10 +43,12 @@ import Data.Aeson.Types (
import Data.Bifunctor (bimap, first)
import Data.Foldable (for_, traverse_)
import Data.Functor (void)
import Data.List (find)
import Data.List.NonEmpty qualified as NonEmpty
import Data.Map.Strict qualified as Map
import Data.Maybe (catMaybes, fromMaybe, isJust)
import Data.Set (Set)
import Data.Set qualified as Set
import Data.String.Conversion (toString, toText)
import Data.Text (Text)
import Data.Text qualified as Text
Expand Down Expand Up @@ -76,7 +78,7 @@ import Effect.Grapher (
import Effect.ReadFS (ReadFS, doesFileExist, readContentsToml)
import Errata (Errata (..))
import GHC.Generics (Generic)
import Graphing (Graphing, stripRoot)
import Graphing (Graphing, shrink, stripRoot)
import Path (Abs, Dir, File, Path, mkRelFile, parent, parseRelFile, toFilePath, (</>))
import Text.Megaparsec (
Parsec,
Expand Down Expand Up @@ -406,10 +408,29 @@ addEdge node = do
edge parentId $ nodePkg dep

buildGraph :: CargoMetadata -> Graphing Dependency
buildGraph meta = stripRoot $
buildGraph meta = stripRoot . shrink isNotWorkspaceMember $
run . withLabeling toDependency $ do
traverse_ direct $ metadataWorkspaceMembers meta
traverse_ addEdge $ resolvedNodes $ metadataResolve meta
where
-- Create a set of workspace members that have no external dependencies
isolatedWorkspaceMembers = Set.fromList $ map packageKey $ filter hasNoDependencies $ metadataWorkspaceMembers meta
packageKey :: PackageId -> (Text, Text)
packageKey pkg = (pkgIdName pkg, pkgIdVersion pkg)

-- Check if a workspace member has no dependencies by looking at resolve nodes
hasNoDependencies :: PackageId -> Bool
hasNoDependencies pkgId =
case find (\node -> resolveNodeId node == pkgId) (resolvedNodes $ metadataResolve meta) of
Just node -> null (resolveNodeDeps node)
Nothing -> True -- If not found in resolve, assume no dependencies

-- Filter out isolated workspace members only
isNotWorkspaceMember :: Dependency -> Bool
isNotWorkspaceMember dep =
case dependencyVersion dep of
Just (CEq version) -> (dependencyName dep, version) `Set.notMember` isolatedWorkspaceMembers
_ -> True

-- | Custom Parsec type alias
type PkgSpecParser a = Parsec Void Text a
Expand Down
Loading