Bug: unused workspace dependency check breaks when replacing crates-io with a mirror

[gillyobeast]

Describe the bug

the new workspace-dependency.unused setting reports false positives when you proxy crates.io via another cargo repository.

i found this running against an internal artifactory mirror of crates.io, which for obvious reasons i can't use for a reproduction, but using a random (out of date) mirror i found on the web also reproduces it.

minimal repro repo available here

To reproduce

1. check out minimal repro repo above, OR add the following to .cargo/config.toml in the root of a cargo project:

[source.mirror]
registry = "https://github.com/hotg-ai/crates.io-index"

[source.crates-io]
# comment out below line (stop proxying crates.io via mirror) to fix issue
replace-with = "mirror"

2. run cargo deny check bans
3. should get the following output:

❯ cargo deny check bans
error[unused-workspace-dependency]: workspace dependency is declared, but unused
   ┌─ /Users/lake.armitage/personal/workspace-lint-false-positive-repro/Cargo.toml:12:1
   │
12 │ wiremock = "0.5"
   │ ━━━━━━━━ unused workspace dependency

bans FAILED

despite the wiremock workspace dependency being used in bin/foo-lib/Cargo.toml

commenting out the replace-with line in the config.toml resolves the issue.

cargo-deny version

cargo-deny 0.16.1

What OS were you running cargo-deny on?

MacOS

Additional context

No response

[gillyobeast]

i think it's something to do with how the code compares the url for the crate against the expected url for crates.io, here:

cargo-deny/src/diag/krate_spans.rs

Lines 807 to 817 in 5da8b85

	crate::Source::CratesIo(is_sparse) => {
	let crates_io = if *is_sparse {
	tame_index::index::sparse::CRATES_IO_HTTP_INDEX
	} else {
	tame_index::index::git::CRATES_IO_INDEX
	};
	if urls.as_str() != crates_io {
	return None;
	}
	}

[jmt-lab]

Hi there, we just ran into this on bottlerocket side with using cargo vendor. It seems when using a cargo vendor cargo deny fails to see the workspace dependency uses as well.