Support Cargo Non-Flat Dependency Graph Using cargo tree

[zahidblackduck]

Ticket

IDETECT-4634

Description

This MR introduces a build-based Cargo detector that utilizes the cargo tree command to extract direct and transitive dependency relationships, addressing the previous limitation where Cargo dependencies were detected as a flat list.

The new implementation ensures backward compatibility by falling back to the existing build-less detector if cargo tree is unavailable. Additionally, it introduces support for the detect.cargo.path property, allowing users to specify a custom Cargo build tool path.

Key Changes:

• New CargoCliDetectable Class:
  • Uses cargo tree to extract hierarchical dependency relationships.
• Dependency Graph Transformation:
  • Implements CargoDependencyGraphTransformer to parse cargo tree output into a DependencyGraph.
• Backward Compatibility:
  • Ensures build-less detection continues to work.
  • Falls back to the existing detector if cargo tree is unavailable.
• New Property:
  • Adds detect.cargo.path to specify the Cargo build tool path.

Acceptance Criteria Met:

• Build-based Cargo detection using cargo tree.
• Backward compatibility with the existing build-less detector.
• Uses Cargo.toml as the required file.
• Fallback to build-less detection when necessary.
• Support for detect.cargo.path to configure the Cargo executable path.

[dterrybd]

@zahidblackduck I think the code is looking great. The only thing I can currently think of is perhaps for the CLI Detectable class. When we are deciding if things are extractable and are looking for the cargo executable it might make sense to also confirm that the version of cargo we have is capable of running the tree command. Also, once you finish manual testing it would be great to add some junits.

[dterrybd]

This feels like a comment that came over from a cut and paste?

[zahidblackduck]

Oh, I see. I'll refactor. Thanks for pointing this out.

[cpottsbd]

Suggestion for a few tweaks to add links to further documentation:

* Cargo CLI Detector, leveraging `cargo tree` to extract direct and transitive dependencies, improving accuracy over the previous flat-list detection. This build-based detector is triggered for Cargo projects with a `Cargo.toml` file and requires Cargo version **1.44.0+**. For further information, see [Cargo package manager support](packagemgrs/cargo.md).
* Added property [detect.cargo.path](properties/detectors/cargo.md) to allow user specification of a custom Cargo executable path.  

[zahidblackduck]

Okay @cpottsbd, I'll update accordingly. Thanks for the nice suggestion.

[cpottsbd]

I would remove the "now's" and "new's" from this information and leave that type of info for the release notes. (Since this part of the documentation lives on past the point where this detector is new.)
i.e.
[detect_product_short] includes two Cargo detectors:

[zahidblackduck]

Yes, it seems quite logical.

[cpottsbd]

* **Cargo CLI Detector**

[cpottsbd]

Suggestion:
Detector for Cargo projects, extracts **direct and transitive dependencies** using the cargo treecommand.

[cpottsbd]

Suggestion:

• Cargo version 1.44.0+ is required (as cargo tree was introduced in this version).
  to
• Cargo version 1.44.0+ required to support cargo tree.

[cpottsbd]

See notes. Thanks.

[cpottsbd]

Sorry, one new thought. ; ) perhaps link to the man page for the cargo tree command here.
i.e.
* Detector for Cargo projects, extracts **direct and transitive dependencies** using the [cargo tree command](https://doc.rust-lang.org/cargo/commands/cargo-tree.html).

[zahidblackduck]

Thanks. I've updated with the cargo tree documentation link.