Conversation

@soul2zimate
Contributor

fix: handle package name format mismatch in dependency ignore logic

fixes #309

@qodo-code-review
Contributor

Review Summary by Qodo

Handle package name format mismatch in dependency ignore

🐞 Bug fix

Walkthroughs

Description
• Handle package name format mismatch in dependency ignore logic
• Support both underscore and hyphen formats in crate names
• Check both original and normalized package name formats
Diagram
flowchart LR
  A["Dependency name<br/>with underscores"] -->|normalize| B["Replace underscores<br/>with hyphens"]
  A -->|check| C["ignoredDeps set"]
  B -->|check| C
  C -->|match found| D["Skip dependency"]
  C -->|no match| E["Process dependency"]
File Changes

1. src/main/java/io/github/guacsec/trustifyda/providers/CargoProvider.java 🐞 Bug fix +7/-1

Add package name format normalization for dependency filtering

• Enhanced shouldSkipDependency() method to handle package name format variations
• Added logic to normalize crate names by replacing underscores with hyphens
• Checks both original crate name and normalized format against ignored dependencies set
• Includes explanatory comment about crate name format handling


@qodo-code-review
Contributor

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. Possible NPE on dep.name 🐞 Bug ⛯ Reliability
Description
shouldSkipDependency now calls crateName.replace('_','-') without checking for null, so a
missing/invalid name field in cargo metadata will throw a NullPointerException and abort
dependency processing/SBOM creation.
Code

src/main/java/io/github/guacsec/trustifyda/providers/CargoProvider.java[R444-451]

+    // dep.name() returns the crate name (may have underscores)
+    String crateName = dep.name();
+    if (ignoredDeps.contains(crateName)) {
+      return true;
+    }
+    String packageNameFormat = crateName.replace('_', '-');
+    if (!crateName.equals(packageNameFormat) && ignoredDeps.contains(packageNameFormat)) {
      return true;
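Review bot: the normalization in this hunk is one-directional: `crateName.replace('_', '-')` only lets a crate name written with underscores match an ignore entry written with hyphens, so the reverse pairing (a crate name containing hyphens against an ignore entry spelled with underscores) still falls through to the `!crateName.equals(packageNameFormat)` branch and misses. Fold both sides to a single spelling instead, e.g. canonicalize each entry when `ignoredDeps` is built and compare `ignoredDeps.contains(canonical(crateName))`, which also removes the second `contains` lookup. The `replace` call also runs on `dep.name()` before any null check, so a missing `name` in the cargo metadata would throw here; add `if (crateName == null || crateName.isBlank()) return false;` ahead of the lookups.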
Evidence
CargoDep.name is a plain String record component populated via JSON deserialization (no
non-null/required enforcement in the model). The updated code dereferences it via replace(...),
and shouldSkipDependency is called from dependency-processing loops without being wrapped in a
try/catch, so an NPE will bubble up and break analysis.

src/main/java/io/github/guacsec/trustifyda/providers/CargoProvider.java[443-452]
src/main/java/io/github/guacsec/trustifyda/providers/rust/model/CargoDep.java[23-26]
src/main/java/io/github/guacsec/trustifyda/providers/CargoProvider.java[418-422]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`shouldSkipDependency` now dereferences `dep.name()` by calling `replace('_', '-')`. If `name` is absent/null in the deserialized cargo metadata, this will throw a NullPointerException and abort SBOM generation.

### Issue Context
`CargoDep.name` is deserialized from external `cargo metadata` JSON into a plain `String` record component with no non-null/required enforcement. Call sites invoke `shouldSkipDependency` in dependency loops without catching exceptions.

### Fix Focus Areas
- src/main/java/io/github/guacsec/trustifyda/providers/CargoProvider.java[443-452]
- src/main/java/io/github/guacsec/trustifyda/providers/rust/model/CargoDep.java[23-26]

### Suggested change
In `shouldSkipDependency`:
- `String crateName = dep.name();`
- if `crateName == null || crateName.isBlank()` then `return false;` (or just skip the name-based checks)
- then run the existing ignore checks and depKinds logic as today.

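As an added example, not trustify-da's own code (the class and method names below are hypothetical), here is a small Java matcher that does what the review above asks for and goes one step further than the merged change: it folds both the crate name and every ignore-list entry to one canonical spelling, so the match is symmetric regardless of which side used hyphens, and it treats a null or blank name as "not ignored" instead of throwing. The sample ignore list and crate names in `main` are constructed for the demonstration.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not trustify-da's CargoProvider: symmetric crate-name matching
// for a dependency ignore list, with a null/blank guard. Names are hypothetical.
public class CrateIgnoreMatcher {

    // Canonical spelling: hyphens folded to underscores. Assumes, as the PR does,
    // that "foo-bar" and "foo_bar" refer to the same crate.
    static String canonical(String name) {
        return name.trim().replace('-', '_');
    }

    private final Set<String> ignored = new HashSet<>();

    // Canonicalize every ignore entry once, at construction time, so the per-dependency
    // check is a single set lookup. Null and blank entries are dropped rather than stored.
    CrateIgnoreMatcher(Iterable<String> ignoredDeps) {
        for (String dep : ignoredDeps) {
            if (dep != null && !dep.isBlank()) {
                ignored.add(canonical(dep));
            }
        }
    }

    // Returns true when the dependency should be skipped. A missing or blank name
    // never matches, so malformed cargo metadata cannot abort the whole run.
    boolean shouldSkip(String crateName) {
        if (crateName == null || crateName.isBlank()) {
            return false;
        }
        return ignored.contains(canonical(crateName));
    }

    public static void main(String[] args) {
        // Constructed sample ignore list: one hyphenated entry, one underscored, one blank.
        CrateIgnoreMatcher matcher =
                new CrateIgnoreMatcher(List.of("serde-json", "tokio_util", "  "));

        // Constructed crate names paired with the expected decision.
        Object[][] cases = {
            {"serde_json", true},   // underscore crate vs hyphen ignore entry
            {"serde-json", true},   // identical spelling
            {"tokio-util", true},   // hyphen crate vs underscore entry (one-way normalization misses this)
            {"tokio", false},       // not on the list
            {null, false},          // missing name field: must not throw
        };
        for (Object[] c : cases) {
            String name = (String) c[0];
            boolean expected = (Boolean) c[1];
            boolean got = matcher.shouldSkip(name);
            System.out.printf("%-12s -> %s%n", name, got);
            if (got != expected) {
                throw new AssertionError("unexpected result for " + name);
            }
        }
    }
}
```

Compile and run with `javac CrateIgnoreMatcher.java && java CrateIgnoreMatcher`; it needs Java 11 or later for `String.isBlank()`. Canonicalizing the ignore set up front, rather than the dependency name alone, is what makes the `tokio-util` case pass: the merged one-way `replace('_', '-')` leaves that pairing unmatched.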
@soul2zimate soul2zimate requested a review from ruromero February 11, 2026 07:02
@soul2zimate soul2zimate enabled auto-merge (squash) February 11, 2026 08:39
@soul2zimate soul2zimate merged commit 89707d8 into guacsec:main Feb 11, 2026
24 of 39 checks passed
@soul2zimate soul2zimate deleted the ignore_fix branch February 11, 2026 08:52
Development

Successfully merging this pull request may close these issues.

Dependency ignore functionality fails for package names with hyphens

2 participants