
rust: path dependencies: in-repo crates incorrectly detected and fall back to upstream crates.io packages even though paths are specified, leading Grype to detect FP vulnerabilities for Rust #3598

Open
Dentrax opened this issue Jan 19, 2025 · 0 comments
Labels
bug Something isn't working

Comments


Dentrax commented Jan 19, 2025

What happened:

Syft is incorrectly detecting an in-repo telemetry crate as the crates.io telemetry crate, though they are completely distinct codebases.

The zed project uses lots of path dependencies and Syft doesn't respect Rust's path dependency context.

/usr/libexec/zed
📦 telemetry 0.1.0 (rust-crate)
    Critical CVE-2021-29937 GHSA-hpcx-3pw8-g3j2 fixed in 0.1.3

There is a confusion between the local crate and crates.io's crate; those are different packages, and zed uses its own telemetry package as it has been overridden in the Cargo.toml.

Eventually, Grype detects it as a vulnerable dependency, which is not correct.

What you expected to happen:

Syft should respect Rust's path dependencies that are defined in the Cargo.toml, and also check the sources:

  • "source": "local"
  • "source": "crates.io"

Steps to reproduce the issue:

  1. git clone git@github.com:zed-industries/zed.git --depth 1
  2. cd zed
  3. syft . | grep telemetry
  4. See that all of the packages are categorized as rust-crate (wrong)
  5. grype . | grep telemetry
  6. telemetry 0.1.0 0.1.3 rust-crate GHSA-hpcx-3pw8-g3j2 Critical
  7. This CVE doesn't exist at all

Anything else we need to know?:

I'm not familiar with the Cargo.toml context, but I think this override would be proof that it doesn't use crates.io for the telemetry package.

Please check the issue title if it clearly represents what the actual issue is; and feel free to edit!

Environment:

  • Output of syft version: 1.18.1 (latest as of now)
  • OS (e.g: cat /etc/os-release or similar): macOS 15.2
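The distinction the report asks for can be read straight out of Cargo.lock: a crate pulled from a registry carries a `source = "registry+..."` line, a git dependency carries `source = "git+..."`, and a path dependency or workspace member has no `source` line at all. The following script is an added example for triaging this kind of false positive; it is not code from the issue, from Syft, or from zed. It parses a constructed Cargo.lock (the crate names, versions and checksum below are placeholders, not zed's real lockfile) with a minimal line-based parser, labels each package with the `local` / `crates.io` source vocabulary used in the report, and returns only the registry crates as candidates for vulnerability matching, so an in-repo `telemetry 0.1.0` is never compared against the crates.io `telemetry` advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lockfile (not from zed). "telemetry" is a path dependency
# (no `source` line); "serde" comes from the crates.io registry; the git entry
# and the checksum are obvious placeholders.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "telemetry"
version = "0.1.0"
dependencies = [
 "serde",
]

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "tree-sitter-placeholder"
version = "0.2.0"
source = "git+https://example.com/placeholder/repo?rev=0000000#0000000"
"""


@dataclass
class LockedPackage:
    name: str
    version: str
    source: Optional[str] = None  # None means "no source line" in Cargo.lock


_KV = re.compile(r'^(\w+)\s*=\s*(.*)$')


def parse_cargo_lock(text: str) -> List[LockedPackage]:
    """Minimal parser for the [[package]] blocks of a Cargo.lock.

    Handles the subset Cargo actually emits: one scalar key per line and the
    multi-line `dependencies = [ ... ]` array, which is skipped.
    """
    blocks: List[dict] = []
    current: Optional[dict] = None
    in_array = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_array:                      # inside dependencies = [ ... ]
            if line.startswith("]"):
                in_array = False
            continue
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {}
            blocks.append(current)
            continue
        if current is None:               # top-level keys such as `version = 3`
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value.startswith("["):
            if not value.endswith("]"):   # array continues on following lines
                in_array = True
            continue
        current[key] = value.strip('"')
    return [LockedPackage(b["name"], b["version"], b.get("source")) for b in blocks]


def classify_source(pkg: LockedPackage) -> str:
    """Map a lockfile entry to the source labels used in the report."""
    if pkg.source is None:
        return "local"                    # path dependency / workspace member
    if pkg.source.startswith("registry+"):
        return "crates.io"
    if pkg.source.startswith("git+"):
        return "git"
    return "other"


def vuln_match_candidates(lock_text: str) -> List[Tuple[str, str]]:
    """Only registry crates should be matched against crates.io advisories."""
    return [(p.name, p.version) for p in parse_cargo_lock(lock_text)
            if classify_source(p) == "crates.io"]


if __name__ == "__main__":
    for p in parse_cargo_lock(SAMPLE_CARGO_LOCK):
        print(f"{p.name} {p.version} -> {classify_source(p)}")
    print("match candidates:", vuln_match_candidates(SAMPLE_CARGO_LOCK))
```

Run against a real lockfile, the `local` entries are exactly the packages whose names collide with unrelated crates.io packages in an SBOM that ignores the source, so comparing the two lists is a quick way to confirm which Grype findings are path-dependency false positives before opening a ticket.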
@Dentrax Dentrax added the bug Something isn't working label Jan 19, 2025