feat: use source as vcs url

barblin · barblin · commit 0acdceb422d6 · 2025-02-11T22:03:54.000+01:00
Signed-off-by: Johannes Özkan Preisinger &lt;johannes.preisinger@dynatrace.com&gt;
diff --git a/cargo-cyclonedx/src/generator.rs b/cargo-cyclonedx/src/generator.rs
@@ -399,6 +399,34 @@ impl SbomGenerator {
                     e
                 ),
             }
+        } else {
+            if let Some(source) = &package.source {
+                if !source.is_crates_io() {
+                    match source.repr.split_once('+') {
+                        Some(("git", git_path)) => {
+                            let repo_url = git_path
+                                .split_once('#')
+                                .map_or(git_path, |(first, _)| first);
+                            match Uri::try_from(repo_url.to_string()) {
+                                Ok(uri) => references
+                                    .push(ExternalReference::new(ExternalReferenceType::Vcs, uri)),
+                                Err(e) => log::warn!(
+                                    "Package {} has an invalid repository URI ({}): {} ",
+                                    package.name,
+                                    source,
+                                    e
+                                ),
+                            }
+                        }
+                        Some((source, _path)) => log::warn!("Unknown source kind {}", source),
+                        None => {
+                            log::warn!(
+                                "No '+' separator found in source field from `cargo metadata`"
+                            )
+                        }
+                    }
+                }
+            }
         }
 
         if !references.is_empty() {
@@ -1041,6 +1069,8 @@ impl From<std::io::Error> for SbomWriterError {
 mod test {
     use super::*;
 
+    const GIT_PACKAGE_JSON: &str = include_str!("../tests/fixtures/git_package.json");
+
     #[test]
     fn it_should_parse_author_and_email() {
         let actual = SbomGenerator::parse_author("First Last <user@domain.tld>")
@@ -1079,4 +1109,72 @@ mod test {
 
         assert_eq!(actual, expected);
     }
+
+    #[test]
+    fn it_should_get_external_references_from_source() {
+        let mut git_package: Package = serde_json::from_str(GIT_PACKAGE_JSON).unwrap();
+        git_package.repository = None;
+
+        let actual = SbomGenerator::get_external_references(&git_package)
+            .expect("Failed to parse external reference");
+
+        let mut expected = Vec::new();
+        expected.push(ExternalReference::new(
+            ExternalReferenceType::Vcs,
+            Uri::new("https://github.com/rust-secure-code/cargo-auditable.git"),
+        ));
+
+        assert_eq!(actual, ExternalReferences(expected));
+    }
+
+    #[test]
+    fn it_should_get_external_references_from_source_without_digest() {
+        let mut git_package: Package = serde_json::from_str(GIT_PACKAGE_JSON).unwrap();
+        git_package.repository = None;
+        git_package.source = Some(cargo_metadata::Source {
+            repr: "git+https://github.com/rust-secure-code/cargo-auditable.git".to_string(),
+        });
+
+        let actual = SbomGenerator::get_external_references(&git_package)
+            .expect("Failed to parse external reference");
+
+        let mut expected = Vec::new();
+        expected.push(ExternalReference::new(
+            ExternalReferenceType::Vcs,
+            Uri::new("https://github.com/rust-secure-code/cargo-auditable.git"),
+        ));
+
+        assert_eq!(actual, ExternalReferences(expected));
+    }
+
+    #[test]
+    fn it_should_not_get_external_references_from_unidentifiable_source() {
+        let mut git_package: Package = serde_json::from_str(GIT_PACKAGE_JSON).unwrap();
+        git_package.repository = None;
+        git_package.source = Some(cargo_metadata::Source {
+            repr: "https://github.com/rust-secure-code/cargo-auditable.git".to_string(),
+        });
+
+        assert_eq!(SbomGenerator::get_external_references(&git_package), None);
+    }
+
+    #[test]
+    fn it_should_not_get_external_references_from_non_uri_source() {
+        let mut git_package: Package = serde_json::from_str(GIT_PACKAGE_JSON).unwrap();
+        git_package.repository = None;
+        git_package.source = Some(cargo_metadata::Source {
+            repr: "not a uri".to_string(),
+        });
+
+        assert_eq!(SbomGenerator::get_external_references(&git_package), None);
+    }
+
+    #[test]
+    fn it_should_not_get_external_reference_from_invalid_source_uri() {
+        let mut git_package: Package = serde_json::from_str(GIT_PACKAGE_JSON).unwrap();
+        git_package.repository = None;
+        git_package.source = None;
+
+        assert_eq!(SbomGenerator::get_external_references(&git_package), None);
+    }
 }
diff --git a/cargo-cyclonedx/src/purl.rs b/cargo-cyclonedx/src/purl.rs
@@ -66,7 +66,7 @@ pub fn get_purl(
 
 /// Converts the `cargo metadata`'s `source` field to a valid PURL `vcs_url`.
 /// Assumes that the source kind is `git`, panics if it isn't.
-fn source_to_vcs_url(source: &cargo_metadata::Source) -> String {
+pub fn source_to_vcs_url(source: &cargo_metadata::Source) -> String {
     assert!(source.repr.starts_with("git+"));
     source.repr.replace('#', "@")
 }

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ pub fn get_purl(`
`66`	`66`
`67`	`67`	/// Converts the `cargo metadata`'s `source` field to a valid PURL `vcs_url`.
`68`	`68`	/// Assumes that the source kind is `git`, panics if it isn't.
`69`		`-fn source_to_vcs_url(source: &cargo_metadata::Source) -> String {`
	`69`	`+pub fn source_to_vcs_url(source: &cargo_metadata::Source) -> String {`
`70`	`70`	`assert!(source.repr.starts_with("git+"));`
`71`	`71`	`source.repr.replace('#', "@")`
`72`	`72`	`}`