Fix: Correct direct vs transitive dependency classification in Cargo Lockfile Detector

detectable/src/main/java/com/blackduck/integration/detectable/detectables/cargo/CargoExtractor.java

@@ -16,6 +16,7 @@
 
 import com.blackduck.integration.detectable.detectable.util.EnumListFilter;
 import com.blackduck.integration.detectable.detectables.cargo.data.CargoLockPackageData;
+import com.blackduck.integration.detectable.util.NameOptionalVersion;
 import org.apache.commons.io.FileUtils;
 import org.jetbrains.annotations.Nullable;
 
@@ -54,6 +55,9 @@ public Extraction extract(File cargoLockFile, @Nullable File cargoTomlFile, Carg
         boolean exclusionEnabled = isDependencyExclusionEnabled(cargoDetectableOptions);
         String cargoTomlContents = null;
 
+        Set<NameVersion> resolvedRootDependencies = new HashSet<>();
+        Map<String, List<CargoLockPackageData>> packageLookupMap = indexPackagesByName(filteredPackages);
+
         if(cargoTomlFile == null && exclusionEnabled) {
             return new Extraction.Builder()
                 .failure("Cargo.toml file is required to exclude dependencies, but was not provided.")
@@ -62,19 +66,22 @@ public Extraction extract(File cargoLockFile, @Nullable File cargoTomlFile, Carg
 
         if (cargoTomlFile != null) {
             cargoTomlContents = FileUtils.readFileToString(cargoTomlFile, StandardCharsets.UTF_8);
-        }
 
-        if (cargoTomlFile != null && exclusionEnabled) {
-            Set<NameVersion> dependenciesToInclude = cargoTomlParser.parseDependenciesToInclude(
-                    cargoTomlContents, cargoDetectableOptions.getDependencyTypeFilter());
-            filteredPackages = includeDependencies(cargoLockPackageDataList, dependenciesToInclude);
+            EnumListFilter<CargoDependencyType> filter = null;
+            if (exclusionEnabled) {
+                filter = cargoDetectableOptions.getDependencyTypeFilter();
+            }
+
+            Set<NameVersion> dependenciesToInclude = cargoTomlParser.parseDependenciesToInclude(cargoTomlContents, filter);
+            filteredPackages = includeDependencies(cargoLockPackageDataList, dependenciesToInclude, resolvedRootDependencies, packageLookupMap);
         }
 
         List<CargoLockPackage> packages = filteredPackages.stream()
             .map(cargoLockPackageDataTransformer::transform)
             .collect(Collectors.toList());
+        List<CargoLockPackage> resolvedPackages = resolveDependencyVersions(packages, packageLookupMap);
 
-        DependencyGraph graph = cargoLockPackageTransformer.transformToGraph(packages);
+        DependencyGraph graph = cargoLockPackageTransformer.transformToGraph(resolvedPackages, resolvedRootDependencies);
 
         Optional<NameVersion> projectNameVersion = Optional.empty();
         if (cargoTomlFile != null) {
@@ -97,14 +104,13 @@ private boolean isDependencyExclusionEnabled(CargoDetectableOptions options) {
         return filter != null && !filter.shouldIncludeAll();
     }
 
-
     private List<CargoLockPackageData> includeDependencies(
             List<CargoLockPackageData> packages,
-            Set<NameVersion> dependenciesToInclude
+            Set<NameVersion> dependenciesToInclude,
+            Set<NameVersion> resolvedRootDependencies,
+            Map<String, List<CargoLockPackageData>> packageLookupMap
     ) {
-
-        Map<String, List<CargoLockPackageData>> packageLookupMap = indexPackagesByName(packages); // Create lookup map (multi-map) for each name
-        processTransitiveDependenciesForInclusion(dependenciesToInclude, packageLookupMap); // Collect all transitive dependencies to include
+        processTransitiveDependenciesForInclusion(dependenciesToInclude, packageLookupMap, resolvedRootDependencies); // Collect all transitive dependencies to include
         return filterPackagesByInclusion(packages, dependenciesToInclude); // Only keep direct and transitive dependencies
     }
 
@@ -116,28 +122,37 @@ private Map<String, List<CargoLockPackageData>> indexPackagesByName(List<CargoLo
 
     private void processTransitiveDependenciesForInclusion(
         Set<NameVersion> dependenciesToInclude,
-        Map<String, List<CargoLockPackageData>> packageLookupMap
+        Map<String, List<CargoLockPackageData>> packageLookupMap,
+        Set<NameVersion> resolvedRootDependenciesOut
     ) {
 
         Set<NameVersion> resolvedRootDependencies = resolveRootDependencies(dependenciesToInclude, packageLookupMap);
-        dependenciesToInclude.clear();
-        dependenciesToInclude.addAll(resolvedRootDependencies);
 
-        Deque<NameVersion> queue = new ArrayDeque<>(dependenciesToInclude);
+        // Preserve resolved root dependencies
+        resolvedRootDependenciesOut.addAll(resolvedRootDependencies);
+
+        // Copy to avoid modifying the original root dependencies
+        Set<NameVersion> allDependenciesToInclude = new HashSet<>(resolvedRootDependencies);
+        Deque<NameVersion> queue = new ArrayDeque<>(resolvedRootDependencies);
+
         while (!queue.isEmpty()) {
             NameVersion current = queue.pop();
             CargoLockPackageData currentPkg = findPackageByNameVersion(current, packageLookupMap);
             if (currentPkg != null) {
                 currentPkg.getDependencies().ifPresent(dependencies -> {
                     for (String depStr : dependencies) {
                         NameVersion nameVersion = extractPackageNameVersion(depStr, packageLookupMap);
-                        if (nameVersion != null && dependenciesToInclude.add(nameVersion)) {
+                        if (nameVersion != null && allDependenciesToInclude.add(nameVersion)) {
                             queue.add(nameVersion);
                         }
                     }
                 });
             }
         }
+
+        // Mutate dependenciesToInclude so the rest of your pipeline still works
+        dependenciesToInclude.clear();
+        dependenciesToInclude.addAll(allDependenciesToInclude);
     }
 
     private Set<NameVersion> resolveRootDependencies(
@@ -158,6 +173,30 @@ private Set<NameVersion> resolveRootDependencies(
         return resolvedRootDependencies;
     }
 
+    private List<CargoLockPackage> resolveDependencyVersions(
+            List<CargoLockPackage> packages,
+            Map<String, List<CargoLockPackageData>> packageLookupMap
+    ) {
+        List<CargoLockPackage> resolvedPackages = new ArrayList<>();
+        for (CargoLockPackage pkg : packages) {
+            List<NameOptionalVersion> resolvedDependencies = new ArrayList<>();
+            for (NameOptionalVersion dep : pkg.getDependencies()) {
+                if (!dep.getVersion().isPresent()) {
+                    NameVersion resolved = extractPackageNameVersion(dep.getName(), packageLookupMap);
+                    if (resolved != null) {
+                        resolvedDependencies.add(new NameOptionalVersion(resolved.getName(), resolved.getVersion()));
+                    } else {
+                        resolvedDependencies.add(dep);
+                    }
+                } else {
+                    resolvedDependencies.add(dep);
+                }
+            }
+            resolvedPackages.add(new CargoLockPackage(pkg.getPackageNameVersion(), resolvedDependencies));
+        }
+        return resolvedPackages;
+    }
+
     private List<CargoLockPackageData> filterPackagesByInclusion(
             List<CargoLockPackageData> packages,
             Set<NameVersion> dependenciesToInclude

detectable/src/main/java/com/blackduck/integration/detectable/detectables/cargo/parse/CargoTomlParser.java

@@ -48,9 +48,13 @@ public Set<NameVersion> parseDependenciesToInclude(String tomlFileContents, Enum
             NameVersion nameVersion = entry.getKey();
             EnumSet<CargoDependencyType> types = entry.getValue();
 
-            // Include the dependency only if at least one of its types is not excluded by the filter
-            boolean shouldBeIncluded = types.stream()
-                    .anyMatch(type -> !dependencyTypeFilter.shouldExclude(type));
+            boolean shouldBeIncluded;
+            if (dependencyTypeFilter == null) {
+                shouldBeIncluded = true; // No filter, include all
+            } else {
+                shouldBeIncluded = types.stream()
+                        .anyMatch(type -> !dependencyTypeFilter.shouldExclude(type));
+            }
 
             if (shouldBeIncluded) {
                 dependenciesToInclude.add(nameVersion);

detectable/src/main/java/com/blackduck/integration/detectable/detectables/cargo/transform/CargoLockPackageTransformer.java

@@ -1,6 +1,8 @@
 package com.blackduck.integration.detectable.detectables.cargo.transform;
 
 import java.util.List;
+import java.util.Optional;
+import java.util.Set;
 
 import com.blackduck.integration.bdio.graph.DependencyGraph;
 import com.blackduck.integration.bdio.graph.builder.LazyExternalIdDependencyGraphBuilder;
@@ -13,36 +15,40 @@
 import com.blackduck.integration.detectable.detectable.exception.DetectableException;
 import com.blackduck.integration.detectable.detectables.cargo.model.CargoLockPackage;
 import com.blackduck.integration.detectable.util.NameOptionalVersion;
+import com.blackduck.integration.util.NameVersion;
 
 public class CargoLockPackageTransformer {
     private final ExternalIdFactory externalIdFactory = new ExternalIdFactory();
     private final DependencyFactory dependencyFactory = new DependencyFactory(externalIdFactory);
 
-    public DependencyGraph transformToGraph(List<CargoLockPackage> lockPackages) throws MissingExternalIdException, DetectableException {
+    public DependencyGraph transformToGraph(
+            List<CargoLockPackage> lockPackages,
+            Set<NameVersion> rootDependencies) throws MissingExternalIdException, DetectableException {
         verifyNoDuplicatePackages(lockPackages);
 
         LazyExternalIdDependencyGraphBuilder graph = new LazyExternalIdDependencyGraphBuilder();
-        lockPackages.forEach(lockPackage -> {
-            String parentName = lockPackage.getPackageNameVersion().getName();
-            String parentVersion = lockPackage.getPackageNameVersion().getVersion();
-            LazyId parentId = LazyId.fromNameAndVersion(parentName, parentVersion);
-            Dependency parentDependency = dependencyFactory.createNameVersionDependency(Forge.CRATES, parentName, parentVersion);
+        for (CargoLockPackage lockPackage : lockPackages) {
+            String name = lockPackage.getPackageNameVersion().getName();
+            String version = lockPackage.getPackageNameVersion().getVersion();
+            LazyId id = LazyId.fromNameAndVersion(name, version);
+            Dependency dependency = dependencyFactory.createNameVersionDependency(Forge.CRATES, name, version);
 
-            graph.addChildToRoot(parentId);
-            graph.setDependencyInfo(parentId, parentDependency.getName(), parentDependency.getVersion(), parentDependency.getExternalId());
-            graph.setDependencyAsAlias(parentId, LazyId.fromName(parentName));
+            // Root dependencies empty means that Cargo.toml was not used, so we add all packages as root.
+            // If rootDependencies is not empty, we only add the package if it is in the set.
+            if (rootDependencies.isEmpty() || rootDependencies.contains(new NameVersion(name, version))) {
+                graph.addChildToRoot(id);
+            }
 
-            lockPackage.getDependencies().forEach(childPackage -> {
-                if (childPackage.getVersion().isPresent()) {
-                    LazyId childId = LazyId.fromNameAndVersion(childPackage.getName(), childPackage.getVersion().get());
-                    graph.addChildWithParent(childId, parentId);
-                } else {
-                    LazyId childId = LazyId.fromName(childPackage.getName());
-                    graph.addChildWithParent(childId, parentId);
-                }
-            });
-        });
+            graph.setDependencyInfo(id, dependency.getName(), dependency.getVersion(), dependency.getExternalId());
+            graph.setDependencyAsAlias(id, LazyId.fromName(name));
 
+            for (NameOptionalVersion child : lockPackage.getDependencies()) {
+                Optional<String> optionalVersion = child.getVersion();
+                LazyId childId = optionalVersion.map(s -> LazyId.fromNameAndVersion(child.getName(), s))
+                        .orElseGet(() -> LazyId.fromName(child.getName()));
+                graph.addChildWithParent(childId, id);
+            }
+        }
         return graph.build();
     }
 
@@ -60,5 +66,4 @@ private void verifyNoDuplicatePackages(List<CargoLockPackage> lockPackages) thro
             }
         }
     }
-
 }

detectable/src/test/java/com/blackduck/integration/detectable/detectables/cargo/functional/CargoLockDetectableTest.java

@@ -25,7 +25,10 @@ protected void setup() throws IOException {
             Paths.get("Cargo.toml"),
             "[package]",
             "name        = \"cargo-audit\"",
-            "version     = \"0.12.0\""
+            "version     = \"0.12.0\"",
+            "",
+            "[dependencies]",
+            "abscissa_core = \"0.5.2\""
         );
 
         addFile(
@@ -74,10 +77,6 @@ public void assertExtraction(@NotNull Extraction extraction) {
         graphAssert.hasParentChildRelationship("abscissa_core", "0.5.2", "backtrace", "0.3.46");
         graphAssert.hasParentChildRelationship("abscissa_derive", "0.5.0", "darling", "0.10.2");
 
-        graphAssert.hasRootDependency("abscissa_derive", "0.5.0");
-        graphAssert.hasRootDependency("backtrace", "0.3.46");
-        graphAssert.hasRootDependency("darling", "0.10.2");
-
-        graphAssert.hasRootSize(4);
+        graphAssert.hasRootSize(1);
     }
 }

detectable/src/test/java/com/blackduck/integration/detectable/detectables/cargo/transform/CargoLockPackageTransformerTest.java

@@ -2,9 +2,6 @@
 
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
 
 import org.junit.jupiter.api.Test;
 
@@ -19,6 +16,12 @@
 import com.blackduck.integration.detectable.util.graph.NameVersionGraphAssert;
 import com.blackduck.integration.util.NameVersion;
 
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
 public class CargoLockPackageTransformerTest {
 
     @Test
@@ -27,7 +30,12 @@ public void testParsesNamesAndVersionsSimple() throws DetectableException, Missi
         input.add(createPackage("test1", "1.0.0"));
         input.add(createPackage("test2", "2.0.0"));
         CargoLockPackageTransformer cargoLockPackageTransformer = new CargoLockPackageTransformer();
-        DependencyGraph graph = cargoLockPackageTransformer.transformToGraph(input);
+
+        Set<NameVersion> rootDependencies = new HashSet<>();
+        rootDependencies.add(new NameVersion("test1", "1.0.0"));
+        rootDependencies.add(new NameVersion("test2", "2.0.0"));
+
+        DependencyGraph graph = cargoLockPackageTransformer.transformToGraph(input, rootDependencies);
 
         NameVersionGraphAssert graphAssert = new NameVersionGraphAssert(Forge.CRATES, graph);
         graphAssert.hasRootSize(2);
@@ -41,9 +49,13 @@ public void multiplePackageDefinitionsTest() {
         input.add(createPackage("child1", "version1"));
         input.add(createPackage("child1", "version2"));
         input.add(createPackage("parent1", "anything", new NameOptionalVersion("child1")));
+
+        Set<NameVersion> rootDependencies = new HashSet<>();
+        rootDependencies.add(new NameVersion("parent1", "anything"));
+
         CargoLockPackageTransformer cargoLockPackageTransformer = new CargoLockPackageTransformer();
 
-        assertThrows(DetectableException.class, () -> cargoLockPackageTransformer.transformToGraph(input));
+        assertThrows(DetectableException.class, () -> cargoLockPackageTransformer.transformToGraph(input, rootDependencies));
     }
 
     @Test
@@ -56,7 +68,13 @@ public void testCorrectNumberOfRootDependencies() throws DetectableException, Mi
         input.add(createPackage("dep1", "0.5.0"));
         input.add(createPackage("dep2", "0.6.0"));
         CargoLockPackageTransformer cargoLockPackageTransformer = new CargoLockPackageTransformer();
-        DependencyGraph graph = cargoLockPackageTransformer.transformToGraph(input);
+
+        Set<NameVersion> rootDependencies = new HashSet<>();
+        rootDependencies.add(new NameVersion("test1", "1.0.0"));
+        rootDependencies.add(new NameVersion("dep1", "0.5.0"));
+        rootDependencies.add(new NameVersion("dep2", "0.6.0"));
+
+        DependencyGraph graph = cargoLockPackageTransformer.transformToGraph(input, rootDependencies);
 
         NameVersionGraphAssert graphAssert = new NameVersionGraphAssert(Forge.CRATES, graph);
         graphAssert.hasRootDependency("test1", "1.0.0");

detectable/src/test/java/com/blackduck/integration/detectable/detectables/maven/unit/MavenComplexOutputTest.java

@@ -1,6 +1,7 @@
 package com.blackduck.integration.detectable.detectables.maven.unit;
 
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -14,7 +15,7 @@
 import com.blackduck.integration.detectable.detectables.maven.cli.MavenParseResult;
 import com.blackduck.integration.detectable.util.graph.NameVersionGraphAssert;
 
-public class MavenComplexOutputTest {
+class MavenComplexOutputTest {
 
     private ExternalIdFactory externalIdFactory;
     private MavenCodeLocationPackager packager;
@@ -28,7 +29,7 @@ private enum TestCase {
     }
 
     private List<String> getInputHeader() {
-        return new ArrayList<>(List.of(
+        return new ArrayList<>(Arrays.asList(
             "[INFO] Reactor Build Order:",
             "[INFO] ",
             "[INFO] generic-parent                                                     [pom]",
@@ -62,23 +63,23 @@ private List<String> getInput(TestCase testCase) {
         List<String> input = getInputHeader();
         switch(testCase) {
             case IDETECT3228CASE1:
-                input.addAll(List.of(
+                input.addAll(Arrays.asList(
                     "7450 [main] [INFO] com.blackducksoftware.integration:hub-teamcity-common:jar:3.2.0-SNAPSHOT:compile",
                     "7509 [main] [INFO] +- com.blackducksoftware.integration:hub-common:jar:13.1.2:compile",
                     "7560 [main] [INFO] |  +- com.blackducksoftware.integration:hub-common-rest:jar:2.1.3:compile",
                     "7638 [main] [INFO] |  |  +- com.blackducksoftware.integration:integration-common:jar:6.0.2:compile"
                 ));
                 break;
             case IDETECT3228CASE2:
-                input.addAll(List.of(
+                input.addAll(Arrays.asList(
                     "7450 [main] [INFO] com.blackducksoftware.integration:hub-teamcity-common:jar:3.2.0-SNAPSHOT |com.blackducksoftware.integration:hub-teamcity-common|",
                     "7509 [main] [INFO] +- com.blackducksoftware.integration:hub-common:jar:13.1.2:compile |com.blackducksoftware.integration:hub-teamcity-common|",
                     "7560 [main] [INFO] |  +- com.blackducksoftware.integration:hub-common-rest:jar:2.1.3:compile |com.blackducksoftware.integration:hub-teamcity-common|",
                     "7638 [main] [INFO] |  |  +- com.blackducksoftware.integration:integration-common:jar:6.0.2:compile |com.blackducksoftware.integration:hub-teamcity-common|"
                 ));
                 break;
             default:
-                input.addAll(List.of(
+                input.addAll(Arrays.asList(
                     "7450 [main] [INFO] com.blackducksoftware.integration:hub-teamcity-common:jar:3.2.0-SNAPSHOT",
                     "7509 [main] [INFO] +- com.blackducksoftware.integration:hub-common:jar:13.1.2:compile",
                     "7560 [main] [INFO] |  +- com.blackducksoftware.integration:hub-common-rest:jar:2.1.3:compile",

documentation/src/main/markdown/currentreleasenotes.md

@@ -30,7 +30,7 @@
 
 ### Resolved issues
 
-* 
+* (IDETECT-4746) – Fixed incorrect labeling of transitive dependencies as direct in the Cargo Lockfile Detector.
 
 ### Dependency updates