Skip to content

Fix Cargo version parsing for workspace inheritance syntax #1614

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
zahidblackduck wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix Cargo version parsing for workspace inheritance syntax #1614

zahidblackduck wants to merge 2 commits into from

Conversation

@zahidblackduck
Copy link
Collaborator

@zahidblackduck zahidblackduck commented Dec 4, 2025
edited
Loading

JIRA Ticket

IDETECT-4925

Description

Both Cargo detectors were failing to parse name and version from Cargo projects using workspace inheritance syntax (version.workspace = true). For example, a valid Cargo.toml,

[workspace]
members = ["extra-lib"]
resolver = "2"

[workspace.package]
version = "0.5.0"
edition = "2021"
repository = "https://github.com/example/repo"

[package]
name = "root-app"
version.workspace = true
edition.workspace = true
repository.workspace = true

The CargoTomlParser was incorrectly assuming version to be a string, but in cases of workspace inheritance, version is represented as a toml table. This caused TomlInvalidTypeException during dependency extraction.

Proposed Fix:

  • Updated CargoTomlParser to detect when version is a table and handle workspace inheritance correctly.
  • Added unit tests to validate parsing of Cargo.toml files with version.workspace = true.

Note: This is meant to be shipped with detect 11.2 release.

@zahidblackduck zahidblackduck self-assigned this Dec 4, 2025
devmehtabd
devmehtabd reviewed Dec 8, 2025
View reviewed changes
.../main/java/com/blackduck/integration/detectable/detectables/cargo/parse/CargoTomlParser.java

String name = packageTable.getString(NAME_KEY);
String version = null;
Object versionObj = packageTable.get(VERSION_KEY);
Copy link
Contributor

@devmehtabd devmehtabd Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do we want to do for conditions when versionObj is null, I have seen examples in python where version is not specified, do we have similar concept in Cargo?

Copy link
Collaborator Author

@zahidblackduck zahidblackduck Dec 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's an interesting question which I didn't think of earlier. I'll explore further whether there is any possibility of an version section being null and if so, then how cargo declares / handles this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devmehtabd devmehtabd devmehtabd left review comments

@dterrybd dterrybd Awaiting requested review from dterrybd

@shantyk shantyk Awaiting requested review from shantyk

@bd-samratmuk bd-samratmuk Awaiting requested review from bd-samratmuk

Assignees

@zahidblackduck zahidblackduck

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zahidblackduck @devmehtabd