@tjugdev tjugdev commented Oct 10, 2025

Overview

The graph of a cargo project incorrectly reported workspace member packages as dependencies when they are not really dependencies so much as what is being scanned.

From a UI perspective, this was actually fixed by #1599 since the workspace members are all path dependencies and so get filtered already. But the project graph was still technically incorrect so this resolves that.

Acceptance criteria

Packages defined in a Cargo workspace are not reported as dependencies.

Testing plan

  • Clone the test project and check out commit 164eae5e76cc3b17bd9d59f647e62b5b9b10785c. Run fossa analyze and confirm that the generated graph is empty in the output JSON and that no dependencies are displayed in the UI.
  • Clone sparkle and run an analyze. Check the generated graph's deps and confirm that none of the packages defined in the repo are present as dependencies.
  • Unit tests updated to catch this bug. It was being masked by a call to pruneUnreachable which we can now remove.

Risks

Metrics

References

  • ANE-512 Cargo analyzer reports library project as dependency of itself

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
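
A check in the spirit of the testing plan above, as an added example that is not part of this PR or of fossa-cli's code: it reads output shaped like `cargo metadata --format-version 1`, derives the third-party dependency sets with workspace members excluded, and flags any member that appears in a scanner's reported dependency list. The sample metadata, the function names, and the `(name, version)` shape of the reported list are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `cargo metadata --format-version 1` output,
# trimmed to the fields used below. Package ids are treated as opaque strings.
SAMPLE_METADATA = json.loads("""
{
  "packages": [
    {"id": "ws/app",  "name": "app",  "version": "0.1.0"},
    {"id": "ws/util", "name": "util", "version": "0.1.0"},
    {"id": "reg/serde", "name": "serde", "version": "1.0.200"},
    {"id": "reg/serde_derive", "name": "serde_derive", "version": "1.0.200"},
    {"id": "reg/itoa", "name": "itoa", "version": "1.0.11"}
  ],
  "workspace_members": ["ws/app", "ws/util"],
  "resolve": {"nodes": [
    {"id": "ws/app", "dependencies": ["ws/util", "reg/serde"]},
    {"id": "ws/util", "dependencies": ["reg/itoa"]},
    {"id": "reg/serde", "dependencies": ["reg/serde_derive"]},
    {"id": "reg/serde_derive", "dependencies": []},
    {"id": "reg/itoa", "dependencies": []}
  ]}
}
""")

def external_deps(metadata):
    """Return (direct, transitive) package ids with workspace members excluded."""
    members = set(metadata["workspace_members"])
    edges = {n["id"]: n["dependencies"] for n in metadata["resolve"]["nodes"]}
    # A direct dependency is any non-member package that a member depends on.
    direct = {d for m in members for d in edges.get(m, []) if d not in members}
    seen, stack = set(direct), list(direct)
    while stack:  # walk the rest of the graph, never stepping onto a member
        for dep in edges.get(stack.pop(), []):
            if dep not in members and dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return direct, seen - direct

def members_reported_as_deps(metadata, reported):
    """Return workspace members found in `reported`, a list of (name, version)."""
    by_id = {p["id"]: (p["name"], p["version"]) for p in metadata["packages"]}
    members = {by_id[m] for m in metadata["workspace_members"]}
    return sorted(members & set(reported))

if __name__ == "__main__":
    print(external_deps(SAMPLE_METADATA))
    print(members_reported_as_deps(SAMPLE_METADATA, [("util", "0.1.0"), ("serde", "1.0.200")]))
```

In the sample, `util` is a path dependency of `app`; its own dependency `itoa` still counts as a direct dependency of the workspace, while `util` itself does not appear in either set.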

@tjugdev tjugdev requested a review from a team as a code owner October 10, 2025 21:10
@tjugdev tjugdev requested a review from spatten October 10, 2025 21:10

@spatten spatten left a comment

Looks great! Thank you for the detailed test plan; running through that helped me understand what the problem was and how this PR solved it.

@tjugdev tjugdev merged commit b982a9b into master Oct 14, 2025
22 of 23 checks passed
@tjugdev tjugdev deleted the fix-cargo-dep-on-self branch October 14, 2025 22:26