refactor: modularize codebase and add 404 unit tests (#13)

compliance-agent/src/pipeline/sbom/cargo_audit.rs

@@ -0,0 +1,72 @@
+use std::path::Path;
+
+use compliance_core::CoreError;
+
+pub(super) struct AuditVuln {
+    pub package: String,
+    pub id: String,
+    pub url: String,
+}
+
+#[tracing::instrument(skip_all)]
+pub(super) async fn run_cargo_audit(
+    repo_path: &Path,
+    _repo_id: &str,
+) -> Result<Vec<AuditVuln>, CoreError> {
+    let cargo_lock = repo_path.join("Cargo.lock");
+    if !cargo_lock.exists() {
+        return Ok(Vec::new());
+    }
+
+    let output = tokio::process::Command::new("cargo")
+        .args(["audit", "--json"])
+        .current_dir(repo_path)
+        .env("RUSTC_WRAPPER", "")
+        .output()
+        .await
+        .map_err(|e| CoreError::Scanner {
+            scanner: "cargo-audit".to_string(),
+            source: Box::new(e),
+        })?;
+
+    let result: CargoAuditOutput =
+        serde_json::from_slice(&output.stdout).unwrap_or_else(|_| CargoAuditOutput {
+            vulnerabilities: CargoAuditVulns { list: Vec::new() },
+        });
+
+    let vulns = result
+        .vulnerabilities
+        .list
+        .into_iter()
+        .map(|v| AuditVuln {
+            package: v.advisory.package,
+            id: v.advisory.id,
+            url: v.advisory.url,
+        })
+        .collect();
+
+    Ok(vulns)
+}
+
+// Cargo audit types
+#[derive(serde::Deserialize)]
+struct CargoAuditOutput {
+    vulnerabilities: CargoAuditVulns,
+}
+
+#[derive(serde::Deserialize)]
+struct CargoAuditVulns {
+    list: Vec<CargoAuditEntry>,
+}
+
+#[derive(serde::Deserialize)]
+struct CargoAuditEntry {
+    advisory: CargoAuditAdvisory,
+}
+
+#[derive(serde::Deserialize)]
+struct CargoAuditAdvisory {
+    id: String,
+    package: String,
+    url: String,
+}