Skip to content
This repository has been archived by the owner on Oct 13, 2023. It is now read-only.

Provide a way to pass options to cargo-audit #132

Open
taiki-e opened this issue Jul 5, 2020 · 11 comments · May be fixed by #133
Open

Provide a way to pass options to cargo-audit #132

taiki-e opened this issue Jul 5, 2020 · 11 comments · May be fixed by #133
Labels
enhancement New feature or request

Comments

@taiki-e
Copy link

taiki-e commented Jul 5, 2020

Motivation

cargo-audit has some useful options, and it would be nice to be able to use them via audit-check. For example:

  • --deny-warnings: Fail if a warning exists -- warnings may be missed by reviewers until the PR has been merged and the issue submitted.
  • --ignore: Ignore specified advisory -- if fix requires breaking change, the fix may be postponed as it cannot be fixed immediately (especially if that advisory is warning).

Workflow example

      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          options: --deny-warnings --ignore RUSTSEC-2020-0016

or

      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          deny-warnings: true
          ignore: [RUSTSEC-2020-0016]
@taiki-e taiki-e added the enhancement New feature or request label Jul 5, 2020
@tarcieri
Copy link

tarcieri commented Sep 8, 2020

I think it'd be great to have the arguments parameterized as in the second example, e.g. ignore: ["RUSTSEC-2020-0016"]

@tarcieri
Copy link

tarcieri commented Sep 23, 2020

FYI, we just landed a PR to cargo-audit to autodetect a project-local .cargo/audit.toml file, which can be used to pass most configuration options and also means running it locally will match CI:

rustsec/rustsec#252

That should hopefully also address this issue.

Edit: this is now available in cargo-audit v0.13

tarcieri pushed a commit to iqlusioninc/yubihsm.rs that referenced this issue Sep 23, 2020
Unfortunately we can't pass an `--ignore` option to cargo-audit via
`actions-rs/audit-check` to ignore the request smuggling vulnerability
in `tiny_http` due to this issue:

actions-rs/audit-check#132

This PR switches to invoking `cargo audit` directly so we can.
tarcieri pushed a commit to iqlusioninc/yubihsm.rs that referenced this issue Sep 23, 2020
Unfortunately we can't pass an `--ignore` option to cargo-audit via
`actions-rs/audit-check` to ignore the request smuggling vulnerability
in `tiny_http` due to this issue:

actions-rs/audit-check#132

This PR switches to invoking `cargo audit` directly so we can.
tarcieri pushed a commit to iqlusioninc/yubihsm.rs that referenced this issue Sep 23, 2020
Unfortunately we can't pass an `--ignore` option to cargo-audit via
`actions-rs/audit-check` to ignore the request smuggling vulnerability
in `tiny_http` due to this issue:

actions-rs/audit-check#132

This PR switches to invoking `cargo audit` directly so we can.
tony-iqlusion added a commit to iqlusioninc/yubihsm.rs that referenced this issue Sep 23, 2020
…#92)

Unfortunately we can't pass an `--ignore` option to cargo-audit via
`actions-rs/audit-check` to ignore the request smuggling vulnerability
in `tiny_http` due to this issue:

actions-rs/audit-check#132

This PR switches to invoking `cargo audit` directly so we can.
@alan-signal
Copy link

I created an audit.toml:

[output]
deny = ["unmaintained", "unsound", "yanked"]
quiet = false

Which worked locally in promoting the warnings to errors, however I saw no difference in the audit-check task, it still passed with warnings. Is there a trick I'm missing?

@tarcieri
Copy link

You placed it in .cargo/audit.toml?

@alan-signal
Copy link

@tarcieri yes I did, and like I said it does have an effect locally.

I'm in a private repo ATM, but if this is a surprise that it's not working, I can make a MVCE repo?

@tarcieri
Copy link

Is it possible CI is caching an older version of cargo-audit?

@alan-signal
Copy link

alan-signal commented May 26, 2021

I suppose that's possible. I'm afraid I don't understand if/when it would update but do you know how to check the version used?

Here is my MCVE repo: alan-signal/cargo-audit-action#1

@alan-signal
Copy link

alan-signal commented May 26, 2021

@tarcieri Looking at this I can see this action runs $ cargo audit --json.

Locally, removing my .cargo/audit.toml file, it merely has this effect on the output json:

image

So, it would seem that the issue is that the json output does not reflect the output options and it is reported as a warning regardless:

"warnings": {
    "unmaintained": [
      {
        "kind": "unmaintained",
        "package": {
          "name": "cpuid-bool",
          "version": "0.2.0",
          "source": "registry+https://github.com/rust-lang/crates.io-index",
          "checksum": "dcb25d077389e53838a8158c8e99174c5a9d902dee4904320db714f3c653ffba",
          "replace": null
        },
        "advisory": {
          "id": "RUSTSEC-2021-0064",
          "package": "cpuid-bool",
          "title": "`cpuid-bool` has been renamed to `cpufeatures`",
          "description": "Please use the `cpufeatures`` crate going forward:\n\n<https://github.com/RustCrypto/utils/tree/master/cpufeatures>\n\nThere will be no further releases of `cpuid-bool`.",
          "date": "2021-05-06",
          "aliases": [],
          "related": [],
          "collection": "crates",
          "categories": [],
          "keywords": [],
          "cvss": null,
          "informational": "unmaintained",
          "url": "https://github.com/RustCrypto/utils/pull/381",
          "references": [],
          "yanked": false
        },
        "versions": {
          "patched": [],
          "unaffected": []
        }
      }
    ]
  }

@tarcieri
Copy link

Huh, could be a bug. Can you open an issue on https://github.com/rustsec/rustsec?

@alan-signal
Copy link

I will, thankyou!

@alan-signal
Copy link

@tarcieri rustsec/rustsec#376 thanks again!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement New feature or request
Development

Successfully merging a pull request may close this issue.

3 participants