From 4b34a8c4830abe0727c2029f6f835db8840c5c9c Mon Sep 17 00:00:00 2001
From: Jake Shadle <jake.shadle@embark-studios.com>
Date: Fri, 26 Jul 2024 16:43:19 +0200
Subject: [PATCH] Fix bug with path matching on git dependencies (#681)

Resolves: #680
---
 CHANGELOG.md                                              | 3 +++
 src/diag/krate_spans.rs                                   | 5 ++++-
 tests/snapshots/bans__deny_duplicate_workspace_items.snap | 2 +-
 tests/test_data/workspace/Cargo.toml                      | 2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 068e8c76..8821184a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
 ## [0.15.0] - 2024-07-25
+### Fixed
+- [PR#681](https://github.com/EmbarkStudios/cargo-deny/pull/681) fixed [#680](https://github.com/EmbarkStudios/cargo-deny/issues/680) by always stripping `.git` from urls when matching sources to resolved nodes as they are allowed, but (generally) have no semantic meaning are stripped by cargo when emitting metadata.
+
 ### Added
 - [PR#673](https://github.com/EmbarkStudios/cargo-deny/pull/673) added linting of `[workspace.dependencies]`, resolving [#436](https://github.com/EmbarkStudios/cargo-deny/issues/436) and [#525](https://github.com/EmbarkStudios/cargo-deny/issues/525).
   - Added lint [`workspace-duplicates`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-workspace-duplicates-field-optional), which allows checking for missing usage of `workspace = true` for direct workspace dependencies that are used more than once in the workspace.
diff --git a/src/diag/krate_spans.rs b/src/diag/krate_spans.rs
index 0fe718be..8560a872 100644
--- a/src/diag/krate_spans.rs
+++ b/src/diag/krate_spans.rs
@@ -741,7 +741,10 @@ fn read_workspace_deps<'k>(
                     }),
                     Source::Git { repo, spec: dspec },
                 ) => {
-                    if url.host_str() != repo.host_str() || url.path() != repo.path() {
+                    if url.host_str() != repo.host_str()
+                        || url.path().trim_end_matches(".git")
+                            != repo.path().trim_end_matches(".git")
+                    {
                         return None;
                     }
 
diff --git a/tests/snapshots/bans__deny_duplicate_workspace_items.snap b/tests/snapshots/bans__deny_duplicate_workspace_items.snap
index 84bd3fa4..6868d106 100644
--- a/tests/snapshots/bans__deny_duplicate_workspace_items.snap
+++ b/tests/snapshots/bans__deny_duplicate_workspace_items.snap
@@ -353,7 +353,7 @@ expression: diags
           "span": "spdx-git"
         },
         {
-          "column": 87,
+          "column": 91,
           "line": 19,
           "message": "note the workspace dependency is renamed",
           "span": "spdx"
diff --git a/tests/test_data/workspace/Cargo.toml b/tests/test_data/workspace/Cargo.toml
index b174500b..dbb76bbf 100644
--- a/tests/test_data/workspace/Cargo.toml
+++ b/tests/test_data/workspace/Cargo.toml
@@ -16,7 +16,7 @@ spdx = "0.10"
 # Validates that we recognize the workspace dependency exists even though it is renamed
 spdx-old = { version = "0.9", package = "spdx" }
 spdx-very-old = { version = "0.8", package = "spdx" }
-spdx-git = { git = "https://github.com/EmbarkStudios/spdx", tag = "0.7.0", package = "spdx" }
+spdx-git = { git = "https://github.com/EmbarkStudios/spdx.git", tag = "0.7.0", package = "spdx" }
 member-one = { path = "crates/member-one" }
 member-two = { path = "crates/member-two" }
 # Validates we can find workspace dependency sources from non-crates.io registries