
Cargo virtual workspace: exhortignore patterns in member Cargo.toml files are not respected #374

@a-oren

Description


What happened?

When running stack analysis on a Cargo virtual workspace, # exhortignore / # trustify-da-ignore comments placed on dependencies inside a member's own Cargo.toml are silently ignored. Only the root workspace Cargo.toml is scanned for ignore patterns.

Please provide runtime information.

run on trustify-da-java-client-0.0.13-cli.jar

Relevant log output

_ test_vulnerability_analysis[cargo-cargo_virtual_workspace_with_exhortignore[stack]] _
[gw0] linux -- Python 3.11.2 /usr/bin/python3
test_vulnerability_analysis.py:86: in test_vulnerability_analysis
    pytest.fail(f"{a_name} and {b_name} clients produced different results:\n\n{diff}")
E   Failed: java and javascript clients produced different results:
E   
E   --- java
E   +++ javascript
E   @@ -1,68 +1,7 @@
E    {
E      "providers": {
E        "tpa1": {
E   -      "sources": {
E   -        "osv-github": {
E   -          "dependencies": [
E   -            {
E   -              "highestVulnerability": {
E   -                "cves": [
E   -                  "CVE-2024-58264"
E   -                ],
E   -                "cvssScore": 7.5,
E   -                "id": "CVE-2024-58264",
E   -                "severity": "HIGH",
E   -                "source": "osv-github",
E   -                "title": "The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data.",
E   -                "unique": false
E   -              },
E   -              "ref": "pkg:cargo/crate-a@0.1.0",
E   -              "transitive": [
E   -                {
E   -                  "highestVulnerability": {
E   -                    "cves": [
E   -                      "CVE-2024-58264"
E   -                    ],
E   -                    "cvssScore": 7.5,
E   -                    "id": "CVE-2024-58264",
E   -                    "severity": "HIGH",
E   -                    "source": "osv-github",
E   -                    "title": "The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data.",
E   -                    "unique": false
E   -                  },
E   -                  "issues": [
E   -                    {
E   -                      "cves": [
E   -                        "CVE-2024-58264"
E   -                      ],
E   -                      "cvssScore": 7.5,
E   -                      "id": "CVE-2024-58264",
E   -                      "severity": "HIGH",
E   -                      "source": "osv-github",
E   -                      "title": "The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data.",
E   -                      "unique": false
E   -                    }
E   -                  ],
E   -                  "ref": "pkg:cargo/serde-json-wasm@1.0.0"
E   -                }
E   -              ]
E   -            }
E   -          ],
E   -          "summary": {
E   -            "critical": 0,
E   -            "dependencies": 1,
E   -            "direct": 0,
E   -            "high": 1,
E   -            "low": 0,
E   -            "medium": 0,
E   -            "recommendations": 0,
E   -            "remediations": 0,
E   -            "total": 1,
E   -            "transitive": 1,
E   -            "unscanned": 0
E   -          }
E   -        }
E   -      },
E   +      "sources": {},
E          "status": {
E            "code": 200,
E            "message": "OK",
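Review bot: the hunk only shows that the two clients disagree, not which one is right: the test fails on any difference, and the output is cut off just after the `status` block, so the `sources` object is the whole visible delta. Read together with the description, the `--- java` side reporting CVE-2024-58264 on `pkg:cargo/serde-json-wasm@1.0.0` as a transitive of `pkg:cargo/crate-a@0.1.0` (summary: `direct: 0`, `transitive: 1`) while `+++ javascript` collapses to `"sources": {}` is consistent with the Java CLI not honouring an ignore marker placed in a member's Cargo.toml. Attaching that member manifest (or a minimal workspace under "How can this issue be reproduced?") would make the expected result explicit instead of inferred from the client mismatch.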

How can this issue be reproduced?

No response
