EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Bug: build bans "bypass" field doesn't work as documented. #571

Closed iddm closed 12 months ago

iddm commented 12 months ago

Describe the bug

It is documented that the "bypass" list, if omitted, means that all the executables are allowed. Now, this is not the case. One has to manually add all the allowed executables to the list to allow the ban check to pass, which contradicts the documentation.

To reproduce

  1. Depend on "libloading" or "windows" or "winapi".
  2. Check that it still checks for the executables in the list of "bypass" crates. An example of the deny.toml below:
[bans.build]
executables = "deny"

include-dependencies = true
include-archives = true

[[bans.build.bypass]]
name = "libloading"

Error message (shouldn't be an error as those should be bypassed):

❯ ../cargo-deny/target/debug/cargo-deny check bans
error[detected-executable]: detected executable
 = path = '$CARGO_HOME/registry/src/index.crates.io-6f17d22bba15001f/libloading-0.7.4/tests/nagisa32.dll'
 = executable-kind = 'pe'
 = libloading v0.7.4
   └── clang-sys v1.6.1
       └── bindgen v0.65.1
           └── (build) v8_rs v0.1.0

error[detected-executable]: detected executable
 = path = '$CARGO_HOME/registry/src/index.crates.io-6f17d22bba15001f/libloading-0.7.4/tests/nagisa64.dll'
 = executable-kind = 'pe'
 = libloading v0.7.4 (*)

bans FAILED

cargo-deny version

latest git

What OS were you running cargo-deny on?

Linux

Additional context

No response

Jake-Shadle commented 12 months ago

You must specify build-script or allow/-globs, otherwise the crate could change radically and still be bypassed, which is not the intention of the check.

iddm commented 12 months ago

> You must specify build-script or allow/-globs, otherwise the crate could change radically and still be bypassed, which is not the intention of the check.

Thank you for your help!
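
Added example, not part of the original thread or the project's own documentation: the bypass entry from the report, scoped the way the reply describes, so that only the two reviewed test DLLs are exempted and any other executable appearing in the crate still fails the check. The paths and crate version come from the error output above; the checksum values are placeholders, and the `version`, `allow` and `allow-globs` field shapes are written from my understanding of the cargo-deny configuration, so check them against the documentation for your version.

```toml
[bans.build]
executables = "deny"
include-dependencies = true
include-archives = true

# A bare entry such as
#   [[bans.build.bypass]]
#   name = "libloading"
# exempts nothing, per the reply above: the bypass has to name
# what was reviewed.

[[bans.build.bypass]]
name = "libloading"
# Pin the reviewed release so a new version is scanned again.
version = "=0.7.4"
# Paths are relative to the crate root. Each checksum is the SHA-256
# of the file as reviewed; a changed file no longer matches.
allow = [
    { path = "tests/nagisa32.dll", checksum = "<sha256-of-reviewed-nagisa32.dll>" },
    { path = "tests/nagisa64.dll", checksum = "<sha256-of-reviewed-nagisa64.dll>" },
]

# Broader alternative to the two `allow` entries: exempt by pattern.
# This carries no checksum, so it does not detect a swapped file.
# allow-globs = ["tests/*.dll"]
```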