EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Bug: Check for advisories doesn't seem to work on 0.14.19 #641

Closed mihaelTBTL closed 3 months ago

mihaelTBTL commented 3 months ago

Describe the bug

After having installed the latest version of cargo-deny (0.14.19) and running cargo deny check advisories in a Rust workspace, I'm met with the following error:

[ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack): client error (Connect)

I'm not sure what the problem is since I can download the file with curl:

curl https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack --output foo

The db-urls used in deny.toml are the same as in the book. I get the same issue when using the deny.toml from this repository as well: https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml

I've encountered this problem while using both Ubuntu 22.04 (as OS) and inside a rust:1.76-slim docker container.

To reproduce

  1. Install the latest version of cargo-deny: cargo install --version 0.14.19 cargo-deny
  2. Position yourself inside a Rust project with a deny.toml. You can grab an example from here: https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml
  3. Run: cargo deny check advisories

cargo-deny version

cargo-deny 0.14.19

What OS were you running cargo-deny on?

Linux

Additional context

No response

Jake-Shadle commented 3 months ago

Can you confirm that older versions still work? I'm unable to repro this, so it feels like a client-side issue (behind a proxy or something?).

hmacias-avaya commented 3 months ago

0.14.14 is working ok for me. A colleague running 0.14.19 is seeing this same issue.

hmacias-avaya commented 3 months ago

...after upgrading, it fails for me as well. I'm not behind any VPN or proxy:

2024-03-22 15:15:13 [INFO] gathered 346 crates in 449ms
2024-03-22 15:15:13 [ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: failed to prepare fetch: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack)

hmacias-avaya commented 3 months ago

Using 0.14.19 shows that issue. Compiling from current head 621ff39 seems to work just fine 🤷

Jake-Shadle commented 3 months ago

That does not make sense, there was no change between them that would affect this.

ilpanich commented 3 months ago

It is a little bit weird, guys: on my laptop running Arch Linux it works perfectly; instead, when I try to build with the official Rust docker image 1.7.0-slim-bookworm, I get the issue. Version 0.14.18 works on 1.7.0-slim-bookworm.

hmacias-avaya commented 3 months ago

I know it still sounds weird(er), but if I install version 0.14.19:

cargo install cargo-deny --version 0.14.19 --force

and do a cargo deny check, I see the same error every single time.

If I build from source on commit c16388b (tag: 0.14.19) then it works fine for me both building in release and non-release modes.

amousset commented 3 months ago

I could reproduce the issue (both with cargo deny and cargo audit), I'm investigating.

Jake-Shadle commented 3 months ago

I can repro this, I believe I know what is happening.

Jake-Shadle commented 3 months ago

The issue is that gix-transport 0.41.3, or one of the updated dependencies it uses, has a bug. Again, the recommended way to install cargo-deny, as stated in the README, is to use --locked when running cargo install, as otherwise bugs or semver breakages which are not tested in CI can occur.

mihaelTBTL commented 3 months ago

Thank you, @Jake-Shadle for the quick response and fix, I've followed through and it was quite the rabbit hole. I can confirm cargo-deny 0.14.20 works, though I think I will move to installing cargo-deny with --lock into the image.

yurnery commented 2 months ago

  1. Clear the allow scope in deny.toml.
  2. Run cargo deny check; it will fail.
  3. Fill licenses in the allow scope again.
  4. It works.

It works for me.