
fix(cargo): resolve workspace-inherited license in Cargo.toml#486

Open

ruromero wants to merge 1 commit into guacsec:main from ruromero:TC-4531

fix(cargo): resolve workspace-inherited license in Cargo.toml#486
ruromero wants to merge 1 commit into
guacsec:mainfrom
ruromero:TC-4531

Conversation

@ruromero (Collaborator) commented May 20, 2026

Summary

  • Detect Cargo workspace license inheritance (license = { workspace = true }) via tomlj's get() method and resolve from workspace.package.license
  • Follows the existing version workspace resolution pattern in parseCargoToml()
  • Adds two new test cases: successful resolution and graceful null fallback

Fixes: TC-4528
Implements: TC-4531

Test plan

  • New test: workspace license inheritance resolves to "Apache-2.0"
  • New test: workspace inheritance with no license in workspace section returns null
  • All 4 CargoProviderLicenseTest tests pass (0 failures)
  • All 358 tests pass (3 pre-existing GoModulesMainModuleVersionTest failures unrelated to this change)
  • Spotless formatting applied

🤖 Generated with Claude Code

Summary by Sourcery

Handle Cargo workspace-inherited licenses when reading Cargo.toml manifests.

New Features:

  • Support reading licenses inherited from Cargo workspaces via the package license workspace setting.

Tests:

  • Add tests covering successful workspace license inheritance and null fallback when no workspace license is defined.

When a Cargo.toml uses `license = { workspace = true }`, the tomlj
library's getString() returns null because the value is an inline table,
not a string. The license is silently dropped from the SBOM.

Fix by using get() to retrieve the raw Object, checking instanceof
String for direct values, and resolving from workspace.package.license
when workspace inheritance is detected — following the existing version
resolution pattern in parseCargoToml().

Fixes: TC-4528

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sourcery-ai Bot (Contributor) commented May 20, 2026

Reviewer's Guide

Adds support for resolving Cargo workspace-inherited licenses from Cargo.toml using tomlj’s generic get/boolean accessors, mirroring existing workspace version resolution logic, and covers the behavior with new unit tests and manifest fixtures.

File-Level Changes

Change: Resolve Cargo workspace-inherited license values in Cargo.toml instead of treating them as null.
Details:
  • Introduce constants for package and workspace license TOML paths to mirror existing version resolution constants.
  • Change license extraction to first read the generic license value, handle plain string values directly, and if the value is a table, check the corresponding package.license.workspace boolean.
  • When license.workspace is true, read workspace.package.license and pass that resolved value to LicenseUtils.getLicense.
  • Preserve null behavior when no license is present or workspace inheritance is specified but the workspace license field is missing.
Files:
  src/main/java/io/github/guacsec/trustifyda/providers/CargoProvider.java

Change: Add tests and manifest fixtures to validate workspace license inheritance behavior and null fallback.
Details:
  • Add a test verifying that a workspace-inherited license resolves to the workspace package license string.
  • Add a test verifying that workspace inheritance without a workspace license results in a null license.
  • Add two Cargo.toml fixtures modeling a workspace license inheritance case and a workspace section without a license field.
Files:
  src/test/java/io/github/guacsec/trustifyda/providers/CargoProviderLicenseTest.java
  src/test/resources/tst_manifests/cargo/license/cargo_workspace_license_inheritance/Cargo.toml
  src/test/resources/tst_manifests/cargo/license/cargo_workspace_license_inheritance_no_license/Cargo.toml


sourcery-ai Bot (Contributor) left a review comment

Hey - I've left some high level feedback:

  • The new license resolution logic in readLicenseFromToml would be easier to follow if you mirrored the existing version-resolution pattern more closely (e.g., extract a small helper that encapsulates the workspace lookup rather than inlining the conditional logic here).
  • Consider tightening the type checks around licenseValue by explicitly handling only the expected TOML types (e.g., TomlTable vs. other non-String values) so that any unexpected structure in package.license fails fast instead of silently falling through.


@ruromero ruromero requested a review from a-oren May 21, 2026 12:32
@ruromero (Collaborator, Author) commented

Verification Report for TC-4531 (commit 3b8fa90)

Check                       Result    Details
Review Feedback             N/A       No inline review comment threads
Root-Cause Investigation    N/A       No sub-tasks created
Scope Containment           WARN      PR has 2 extra test files (test class + negative fixture); all task-required files present
Diff Size                   PASS      50 lines across 4 files; proportionate to task scope
Commit Traceability         WARN      Commit references TC-4528 (parent bug) but not TC-4531 (implementation task)
Sensitive Patterns          PASS      No secrets or credentials detected
CI Status                   PASS      All 45 CI checks pass
Acceptance Criteria         PASS      All 4 criteria satisfied: workspace license resolves correctly, SBOM populated, existing tests pass, null fallback works
Test Quality                WARN      New test methods have Javadoc; 2 pre-existing methods in same class lack it
Test Change Classification  ADDITIVE  Only adds 2 new test methods and 2 fixture files
Verification Commands       PASS      mvn spotless:apply clean, all Cargo tests pass (27/27), coverage thresholds met

Overall: WARN

Scope Containment (WARN): PR includes CargoProviderLicenseTest.java (test class with new tests) and cargo_workspace_license_inheritance_no_license/Cargo.toml (negative test fixture) which were not listed in the task spec's Files to Create/Modify. Both are justified test additions that strengthen coverage.

Commit Traceability (WARN): The commit trailer references Fixes: TC-4528 (the parent bug) but does not reference TC-4531 (the implementation task). Consider adding the task ID to the PR description or a commit trailer for traceability.

Test Quality (WARN): The 2 new test methods have proper /** */ Javadoc. The 2 pre-existing test methods in CargoProviderLicenseTest.java lack Javadoc, creating inconsistency within the class. This is not a regression introduced by this PR.


This comment was AI-generated by sdlc-workflow/verify-pr v0.9.0.
