Open taiki-e opened 4 years ago
I think it'd be great to have the arguments parameterized as in the second example, e.g. ignore: ["RUSTSEC-2020-0016"]
FYI, we just landed a PR to cargo-audit to autodetect a project-local `.cargo/audit.toml` file, which can be used to pass most configuration options and also means running it locally will match CI: https://github.com/RustSec/cargo-audit/pull/252

That should hopefully also address this issue.

Edit: this is now available in cargo-audit v0.13
I created an `audit.toml`:

```toml
[output]
deny = ["unmaintained", "unsound", "yanked"]
quiet = false
```

Which worked locally in promoting the warnings to errors, however I saw no difference in the audit-check task, it still passed with warnings. Is there a trick I'm missing?
You placed it in `.cargo/audit.toml`?
@tarcieri yes I did, and like I said it does have an effect locally.
I'm in a private repo ATM, but if this is a surprise that it's not working, I can make a MCVE repo?
Is it possible CI is caching an older version of cargo-audit?
I suppose that's possible. I'm afraid I don't understand if/when it would update but do you know how to check the version used?
Here is my MCVE repo: https://github.com/alan-signal/cargo-audit-action/pull/1
@tarcieri Looking at this I can see this action runs `$ cargo audit --json`.

Locally, removing my `.cargo/audit.toml` file, it merely has this effect on the output json:

So, it would seem that the issue is that the json output does not reflect the output options and it is reported as a warning regardless:

```json
"warnings": {
  "unmaintained": [
    {
      "kind": "unmaintained",
      "package": {
        "name": "cpuid-bool",
        "version": "0.2.0",
        "source": "registry+https://github.com/rust-lang/crates.io-index",
        "checksum": "dcb25d077389e53838a8158c8e99174c5a9d902dee4904320db714f3c653ffba",
        "replace": null
      },
      "advisory": {
        "id": "RUSTSEC-2021-0064",
        "package": "cpuid-bool",
        "title": "`cpuid-bool` has been renamed to `cpufeatures`",
        "description": "Please use the `cpufeatures`` crate going forward:\n\n<https://github.com/RustCrypto/utils/tree/master/cpufeatures>\n\nThere will be no further releases of `cpuid-bool`.",
        "date": "2021-05-06",
        "aliases": [],
        "related": [],
        "collection": "crates",
        "categories": [],
        "keywords": [],
        "cvss": null,
        "informational": "unmaintained",
        "url": "https://github.com/RustCrypto/utils/pull/381",
        "references": [],
        "yanked": false
      },
      "versions": {
        "patched": [],
        "unaffected": []
      }
    }
  ]
}
```
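A CI-side workaround for the gap described in this comment, added here as an example and not code from audit-check or cargo-audit: a small script that reads the `cargo audit --json` report and exits non-zero for any warning kind listed under `[output] deny`, since the JSON output leaves those findings under `warnings` regardless. The `warnings` layout follows the snippet above; the `vulnerabilities` layout and the `check_audit.py` file name are assumptions.

```python
"""Fail CI on denied warning kinds in a `cargo audit --json` report.

Usage: cargo audit --json | python check_audit.py unmaintained unsound yanked
"""
import json
import sys

# Constructed sample, trimmed from the report quoted in this issue. The
# "vulnerabilities" shape is assumed from cargo-audit's JSON report format.
SAMPLE_REPORT = json.loads("""
{
  "vulnerabilities": {"found": false, "count": 0, "list": []},
  "warnings": {
    "unmaintained": [
      {"kind": "unmaintained",
       "package": {"name": "cpuid-bool", "version": "0.2.0"},
       "advisory": {"id": "RUSTSEC-2021-0064", "informational": "unmaintained"}}
    ],
    "yanked": []
  }
}
""")


def denied_findings(report: dict, deny: list[str]) -> list[str]:
    """Return 'KIND PACKAGE ADVISORY' for each warning whose kind is in `deny`.

    `deny` mirrors the `[output] deny = [...]` list from .cargo/audit.toml,
    which the JSON output does not apply on its own.
    """
    hits = []
    for kind, entries in report.get("warnings", {}).items():
        if kind not in deny:
            continue
        for warning in entries:
            pkg = warning["package"]["name"]
            advisory = warning.get("advisory") or {}  # yanked entries carry none
            hits.append(f"{kind} {pkg} {advisory.get('id', '-')}")
    return hits


def exit_code(report: dict, deny: list[str]) -> int:
    """1 if real vulnerabilities were found or a denied warning kind was hit."""
    if report.get("vulnerabilities", {}).get("count", 0) > 0:
        return 1
    return 1 if denied_findings(report, deny) else 0


if __name__ == "__main__":
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    deny = sys.argv[1:] or ["unmaintained", "unsound", "yanked"]
    for line in denied_findings(report, deny):
        print("denied:", line)
    sys.exit(exit_code(report, deny))
```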
Huh, could be a bug. Can you open an issue on https://github.com/rustsec/rustsec?
I will, thank you!
@tarcieri https://github.com/RustSec/rustsec/issues/376 thanks again!
Motivation

cargo-audit has some useful options, and it would be nice to be able to use them via audit-check. For example:

- `--deny-warnings`: Fail if a warning exists -- warnings may be missed by reviewers until the PR has been merged and the issue submitted.
- `--ignore`: Ignore specified advisory -- if the fix requires a breaking change, the fix may be postponed as it cannot be fixed immediately (especially if that advisory is a warning).

Workflow example
or