
@AMaini503
Contributor

Unified Rust Detector – SBOM, Fallback, and Ownership Enhancements

Summary

This PR introduces a unified Rust component detection model that consolidates SBOM, CLI, and Lock-based detection strategies into a single consistent implementation.
It also refactors supporting classes and introduces key performance and accuracy improvements.

Key Changes

1. Unified Detection Model

  • When *.cargo-sbom.json files are found, detection runs purely in SBOM mode (most accurate).
  • If no SBOMs are found, the detector operates in fallback mode:
    • Prefer cargo metadata on Cargo.toml.
    • If CLI is disabled or fails, fall back to equivalent Cargo.lock processing.
  • Ensures a single consistent pipeline while retaining accuracy and resilience.

2. Parser Refactoring

  • Extracted parsing logic for SBOM, CLI, and Lock files into separate interfaces for improved testability and maintainability.

3. RustContextMetadataBuilder Enhancements

  • SBOMs don’t natively indicate which Cargo.toml introduced each dependency.
  • This class now runs cargo metadata to map packages to their corresponding TOMLs.
  • Enables ownership attribution to user-owned source files.

4. Skip Optimizations

  • When cargo metadata is executed on a workspace root TOML, it inherently includes all member packages.
  • The detector now skips redundant member TOML processing, improving scan efficiency and avoiding duplicate work.

5. Unit Test Coverage

  • Added comprehensive tests for:
    • All Rust parsers (SBOM, CLI, Lock)
    • All Rust detectors
    • RustContextMetadataBuilder
  • Verified behavioral parity with legacy detectors.

Validation

Manual validation confirms the unified detector produces identical results to the legacy detectors in both modes:

| Test Repo | Old SBOM | New SBOM (SBOM Mode) | Old CLI | New SBOM (Fallback Mode) |
|---|---|---|---|---|
| Repo1 | 151 | 151 | 404 | 404 |
| Repo2 | 489 | 489 | 590 | 590 |
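The detection flow laid out in the description above, as an added example that is not part of this PR or of component-detection's C# code base: a Python sketch of the mode selection (SBOM vs. fallback), the cargo metadata then Cargo.lock fallback, the cargo-metadata based ownership mapping, and the workspace-member skip. The function names (`select_mode`, `fallback_components`, `owners_by_manifest`, `member_manifests_to_skip`), the sample Cargo.lock and the sample `cargo metadata` JSON are all constructed for this example; the JSON uses only fields that real `cargo metadata --format-version 1` output carries (`packages`, `workspace_members`, `workspace_root`, `resolve.nodes`), and the Cargo.lock reader handles the v3 layout only.

```python
"""Added example (not component-detection's code): unified Rust detection
flow from the PR description, on constructed inputs."""
import json
from collections import defaultdict

# Constructed Cargo.lock (v3 layout): one local crate and two registry crates.
SAMPLE_CARGO_LOCK = """\
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "serde",
]

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "serde_derive 1.0.210 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "serde_derive"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed `cargo metadata` output for the same tree, run at workspace root /ws.
APP = "path+file:///ws/app#0.1.0"
SERDE = "registry+https://github.com/rust-lang/crates.io-index#serde@1.0.210"
DERIVE = "registry+https://github.com/rust-lang/crates.io-index#serde_derive@1.0.210"
REG = "/home/u/.cargo/registry/src/index.crates.io/"
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "app", "version": "0.1.0", "id": APP, "manifest_path": "/ws/app/Cargo.toml"},
        {"name": "serde", "version": "1.0.210", "id": SERDE, "manifest_path": REG + "serde-1.0.210/Cargo.toml"},
        {"name": "serde_derive", "version": "1.0.210", "id": DERIVE, "manifest_path": REG + "serde_derive-1.0.210/Cargo.toml"},
    ],
    "workspace_members": [APP],
    "workspace_root": "/ws",
    "resolve": {"nodes": [{"id": APP, "dependencies": [SERDE]},
                          {"id": SERDE, "dependencies": [DERIVE]},
                          {"id": DERIVE, "dependencies": []}]},
})


def select_mode(file_names):
    """SBOM mode whenever any *.cargo-sbom.json was found, else fallback mode."""
    return "sbom" if any(f.endswith(".cargo-sbom.json") for f in file_names) else "fallback"


def parse_cargo_lock(text):
    """Minimal Cargo.lock reader: [[package]] blocks with name/version/source and
    the (possibly multi-line) dependencies list, keeping dependency names only."""
    packages, current, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
        elif line.startswith("["):          # any other table, e.g. [metadata]
            current = None
        elif current is None or not line:
            continue
        elif in_deps:
            if line.startswith("]"):
                in_deps = False
            else:                           # "name" or "name ver (source)"
                current["dependencies"].append(line.strip('",').split()[0])
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")
        else:
            key, _, value = line.partition(" = ")
            current[key] = value.strip('"')
    return packages


def fallback_components(metadata_json=None, lock_text=None, cli_enabled=True):
    """Fallback mode: prefer cargo metadata; if the CLI is disabled or failed
    (no metadata), process Cargo.lock instead. Returns sorted name@version."""
    if cli_enabled and metadata_json is not None:
        pkgs = json.loads(metadata_json)["packages"]
    elif lock_text is not None:
        pkgs = parse_cargo_lock(lock_text)
    else:
        raise ValueError("neither cargo metadata nor Cargo.lock available")
    return sorted(f"{p['name']}@{p['version']}" for p in pkgs)


def owners_by_manifest(metadata_json):
    """Map each dependency to the workspace-member Cargo.toml(s) that pull it in,
    by walking resolve.nodes from every member (what an SBOM alone cannot give)."""
    meta = json.loads(metadata_json)
    by_id = {p["id"]: p for p in meta["packages"]}
    edges = {n["id"]: n["dependencies"] for n in meta["resolve"]["nodes"]}
    owners = defaultdict(set)
    for member in meta["workspace_members"]:
        manifest = by_id[member]["manifest_path"]
        stack, seen = list(edges.get(member, [])), set()
        while stack:
            dep = stack.pop()
            if dep in seen:
                continue
            seen.add(dep)
            p = by_id[dep]
            owners[f"{p['name']}@{p['version']}"].add(manifest)
            stack.extend(edges.get(dep, []))
    return {k: sorted(v) for k, v in owners.items()}


def member_manifests_to_skip(metadata_json):
    """Member Cargo.toml files already covered by one cargo metadata run at the
    workspace root, so running again per member would only duplicate work."""
    meta = json.loads(metadata_json)
    root_manifest = meta["workspace_root"].rstrip("/") + "/Cargo.toml"
    members = set(meta["workspace_members"])
    return sorted(p["manifest_path"] for p in meta["packages"]
                  if p["id"] in members and p["manifest_path"] != root_manifest)


if __name__ == "__main__":
    print(select_mode(["/ws/target/debug/app.cargo-sbom.json"]))
    print(fallback_components(SAMPLE_METADATA, SAMPLE_CARGO_LOCK))
    print(fallback_components(None, SAMPLE_CARGO_LOCK, cli_enabled=False))
    print(owners_by_manifest(SAMPLE_METADATA), member_manifests_to_skip(SAMPLE_METADATA))
```

The two `fallback_components` calls are the parity check the PR's validation table is about: the CLI path and the Cargo.lock path must yield the same component set for the same tree. Note that the lock file carries no manifest paths, so ownership attribution is only available when cargo metadata actually ran.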

@AMaini503 AMaini503 requested a review from a team as a code owner October 20, 2025 22:07
@codecov

codecov bot commented Oct 20, 2025

Codecov Report

❌ Patch coverage is 97.86804% with 95 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.9%. Comparing base (cf8fa35) to head (9c5fa0a).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...Detection.Detectors.Tests/RustSbomDetectorTests.cs | 96.8% | 6 Missing and 23 partials ⚠️ |
| ...ponentDetection.Detectors/rust/RustSbomDetector.cs | 92.8% | 8 Missing and 14 partials ⚠️ |
| ...tDetection.Detectors/rust/Parsers/RustCliParser.cs | 93.3% | 11 Missing and 4 partials ⚠️ |
| ...Detection.Detectors/rust/Parsers/RustSbomParser.cs | 92.0% | 11 Missing and 3 partials ⚠️ |
| ...tion.Detectors/rust/Parsers/RustCargoLockParser.cs | 97.2% | 4 Missing ⚠️ |
| ...ntDetection.Detectors.Tests/RustSbomParserTests.cs | 99.4% | 0 Missing and 4 partials ⚠️ |
| ...ction.Detectors/rust/RustMetadataContextBuilder.cs | 97.8% | 2 Missing and 1 partial ⚠️ |
| ...ection.Detectors.Tests/RustCargoLockParserTests.cs | 99.6% | 0 Missing and 2 partials ⚠️ |
| ...mponentDetection.Detectors/rust/RustCliDetector.cs | 96.7% | 1 Missing ⚠️ |
| ...Detectors.Tests/RustMetadataContextBuilderTests.cs | 99.7% | 0 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@           Coverage Diff           @@
##            main   #1474     +/-   ##
=======================================
+ Coverage   89.8%   90.9%   +1.0%     
=======================================
  Files        413     423     +10     
  Lines      33117   37163   +4046     
  Branches    2047    2228    +181     
=======================================
+ Hits       29767   33798   +4031     
+ Misses      2935    2922     -13     
- Partials     415     443     +28     


@github-actions

github-actions bot commented Oct 21, 2025

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂

@AMaini503 AMaini503 merged commit ae34c34 into main Oct 21, 2025
22 of 25 checks passed
@AMaini503 AMaini503 deleted the user/aamaini/2322846 branch October 21, 2025 19:34