-
-
Notifications
You must be signed in to change notification settings - Fork 39
Provide a way to pass options to cargo-audit #132
Comments
I think it'd be great to have the arguments parameterized as in the second example, e.g. |
FYI, we just landed a PR to That should hopefully also address this issue. Edit: this is now available in |
Unfortunately we can't pass an `--ignore` option to cargo-audit via `actions-rs/audit-check` to ignore the request smuggling vulnerability in `tiny_http` due to this issue: actions-rs/audit-check#132 This PR switches to invoking `cargo audit` directly so we can.
Unfortunately we can't pass an `--ignore` option to cargo-audit via `actions-rs/audit-check` to ignore the request smuggling vulnerability in `tiny_http` due to this issue: actions-rs/audit-check#132 This PR switches to invoking `cargo audit` directly so we can.
Unfortunately we can't pass an `--ignore` option to cargo-audit via `actions-rs/audit-check` to ignore the request smuggling vulnerability in `tiny_http` due to this issue: actions-rs/audit-check#132 This PR switches to invoking `cargo audit` directly so we can.
…#92) Unfortunately we can't pass an `--ignore` option to cargo-audit via `actions-rs/audit-check` to ignore the request smuggling vulnerability in `tiny_http` due to this issue: actions-rs/audit-check#132 This PR switches to invoking `cargo audit` directly so we can.
I created an
Which worked locally in promoting the warnings to errors, however I saw no difference in the |
You placed it in |
@tarcieri yes I did, and like I said it does have an effect locally. I'm in a private repo ATM, but if this is a surprise that it's not working, I can make a MVCE repo? |
Is it possible CI is caching an older version of cargo-audit? |
I suppose that's possible. I'm afraid I don't understand if/when it would update but do you know how to check the version used? Here is my MCVE repo: alan-signal/cargo-audit-action#1 |
@tarcieri Looking at this I can see this action runs Locally, removing my So, it would seem that the issue is that the json output does not reflect the output options and it is reported as a warning regardless: "warnings": {
"unmaintained": [
{
"kind": "unmaintained",
"package": {
"name": "cpuid-bool",
"version": "0.2.0",
"source": "registry+https://github.com/rust-lang/crates.io-index",
"checksum": "dcb25d077389e53838a8158c8e99174c5a9d902dee4904320db714f3c653ffba",
"replace": null
},
"advisory": {
"id": "RUSTSEC-2021-0064",
"package": "cpuid-bool",
"title": "`cpuid-bool` has been renamed to `cpufeatures`",
"description": "Please use the `cpufeatures`` crate going forward:\n\n<https://github.com/RustCrypto/utils/tree/master/cpufeatures>\n\nThere will be no further releases of `cpuid-bool`.",
"date": "2021-05-06",
"aliases": [],
"related": [],
"collection": "crates",
"categories": [],
"keywords": [],
"cvss": null,
"informational": "unmaintained",
"url": "https://github.com/RustCrypto/utils/pull/381",
"references": [],
"yanked": false
},
"versions": {
"patched": [],
"unaffected": []
}
}
]
} |
Huh, could be a bug. Can you open an issue on https://github.com/rustsec/rustsec? |
I will, thankyou! |
@tarcieri rustsec/rustsec#376 thanks again! |
Motivation
cargo-audit has some useful options, and it would be nice to be able to use them via audit-check. For example:
--deny-warnings
: Fail if a warning exists -- warnings may be missed by reviewers until the PR has been merged and the issue submitted.--ignore
: Ignore specified advisory -- if fix requires breaking change, the fix may be postponed as it cannot be fixed immediately (especially if that advisory is warning).Workflow example
or
The text was updated successfully, but these errors were encountered: