actions-rs / audit-check

🛡️ GitHub Action for security audits
https://github.com/marketplace/actions/rust-audit-check
MIT License
169 stars, 39 forks

Bad semver parsing? #171

Open shekohex opened 3 years ago

shekohex commented 3 years ago


Description

audit-check or cargo-audit does not parse the semver of x.x.x-beta.x versions correctly?

Workflow code

name: Security Audit

on:
  schedule:
    - cron: '0 0 * * *'
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  pull_request:

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

Action output

I got this issue opened by the github-actions user:

Multiple memory safety issues

Details
Package actix-web
Version 4.0.0-beta.1
URL https://github.com/actix/actix-web/issues/289
Date 2018-06-08
Patched versions >=0.7.15

Affected versions contain multiple memory safety issues, such as:

This may result in a variety of memory corruption scenarios, most likely use-after-free.

A significant refactoring effort has been conducted to resolve these issues.

See advisory page for additional details.

Expected behavior

Notice the version of actix-web I use? It is 4.0.0-beta.1, and this bug was patched and fixed like 3 years ago, in version 0.7.15!

It should not report a bug.

Additional context

I'm not sure, but the problem is that the code is private, so I could only share a subset of it. Also, feel free to guide me to open the same issue at another repo if it is not related to the audit-check action.

mhutter commented 3 years ago

This is a bug in cargo-audit, tracked in https://github.com/RustSec/rustsec/issues/300. It was fixed in v0.15 of cargo-audit.
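The following is an added example, not code from cargo-audit, rustsec or actions-rs, showing the kind of matching rule under which a patched range such as `>=0.7.15` fails to admit `4.0.0-beta.1`. Pure SemVer 2.0.0 precedence says 4.0.0-beta.1 is greater than 0.7.15, so the version is patched. node-semver and the pre-1.0 `semver` crate add a "prerelease gate": a prerelease version only satisfies a range if some comparator has the same major.minor.patch and a prerelease tag of its own, so `>=0.7.15` does not match and an advisory checker that reports "not in patched range" as vulnerable produces exactly the false positive above. The parser, the `reported_vulnerable` helper and the `gate` flag are this example's own constructs; whether this is precisely the logic in the affected cargo-audit release is not established by the thread and is tracked in the linked rustsec issue.

```rust
// Added example (not cargo-audit's code): how prerelease handling decides
// whether "4.0.0-beta.1" satisfies the advisory's patched range ">=0.7.15".
use std::cmp::Ordering;

#[derive(Debug, Clone, PartialEq, Eq)]
enum Ident {
    Num(u64),
    Alpha(String),
}

#[derive(Debug, Clone, PartialEq, Eq)]
struct Version {
    major: u64,
    minor: u64,
    patch: u64,
    pre: Vec<Ident>, // empty for a release version
}

/// Parses "MAJOR.MINOR.PATCH[-pre.release.ids]" (build metadata not handled).
fn parse_version(s: &str) -> Option<Version> {
    let (core, pre) = match s.split_once('-') {
        Some((c, p)) => (c, Some(p)),
        None => (s, None),
    };
    let mut nums = core.split('.').map(|n| n.parse::<u64>().ok());
    let major = nums.next()??;
    let minor = nums.next()??;
    let patch = nums.next()??;
    if nums.next().is_some() {
        return None;
    }
    let pre = match pre {
        None => Vec::new(),
        Some(p) => p
            .split('.')
            .map(|id| match id.parse::<u64>() {
                Ok(n) => Ident::Num(n),
                Err(_) => Ident::Alpha(id.to_string()),
            })
            .collect(),
    };
    Some(Version { major, minor, patch, pre })
}

// SemVer 2.0.0 precedence: core tuple first; a prerelease sorts below the same
// core without one; prerelease identifiers compare numerically, then lexically,
// numeric < alphanumeric, and a shorter identifier list sorts lower.
impl Ord for Version {
    fn cmp(&self, other: &Self) -> Ordering {
        let core = (self.major, self.minor, self.patch)
            .cmp(&(other.major, other.minor, other.patch));
        if core != Ordering::Equal {
            return core;
        }
        match (self.pre.is_empty(), other.pre.is_empty()) {
            (true, true) => Ordering::Equal,
            (true, false) => Ordering::Greater, // 4.0.0 > 4.0.0-beta.1
            (false, true) => Ordering::Less,
            (false, false) => {
                for (a, b) in self.pre.iter().zip(other.pre.iter()) {
                    let ord = match (a, b) {
                        (Ident::Num(x), Ident::Num(y)) => x.cmp(y),
                        (Ident::Alpha(x), Ident::Alpha(y)) => x.cmp(y),
                        (Ident::Num(_), Ident::Alpha(_)) => Ordering::Less,
                        (Ident::Alpha(_), Ident::Num(_)) => Ordering::Greater,
                    };
                    if ord != Ordering::Equal {
                        return ord;
                    }
                }
                self.pre.len().cmp(&other.pre.len())
            }
        }
    }
}
impl PartialOrd for Version {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

enum Op {
    Ge,
    Lt,
}
struct Comparator {
    op: Op,
    version: Version,
}

/// Parses a comma-separated range using only ">=" and "<" comparators.
fn parse_req(s: &str) -> Option<Vec<Comparator>> {
    s.split(',')
        .map(|c| {
            let c = c.trim();
            let (op, rest) = if let Some(r) = c.strip_prefix(">=") {
                (Op::Ge, r)
            } else if let Some(r) = c.strip_prefix('<') {
                (Op::Lt, r)
            } else {
                return None;
            };
            Some(Comparator { op, version: parse_version(rest.trim())? })
        })
        .collect()
}

/// Pure precedence: 4.0.0-beta.1 >= 0.7.15 holds, so the version is patched.
fn matches_by_precedence(req: &[Comparator], v: &Version) -> bool {
    req.iter().all(|c| match c.op {
        Op::Ge => v >= &c.version,
        Op::Lt => v < &c.version,
    })
}

/// Precedence plus the node-semver / semver-0.x "prerelease gate": a prerelease
/// version matches only if some comparator shares its major.minor.patch and
/// itself carries a prerelease tag. ">=0.7.15" therefore rejects 4.0.0-beta.1.
fn matches_with_pre_gate(req: &[Comparator], v: &Version) -> bool {
    matches_by_precedence(req, v)
        && (v.pre.is_empty()
            || req.iter().any(|c| {
                (c.version.major, c.version.minor, c.version.patch)
                    == (v.major, v.minor, v.patch)
                    && !c.version.pre.is_empty()
            }))
}

/// Hypothetical advisory check: report the version unless it is in the patched
/// range. `gate` selects which matcher the checker uses. Returns None on parse error.
fn reported_vulnerable(patched: &str, version: &str, gate: bool) -> Option<bool> {
    let req = parse_req(patched)?;
    let v = parse_version(version)?;
    let in_patched = if gate {
        matches_with_pre_gate(&req, &v)
    } else {
        matches_by_precedence(&req, &v)
    };
    Some(!in_patched)
}

fn main() {
    for (gate, label) in [(true, "prerelease gate"), (false, "precedence only")] {
        for v in ["0.7.14", "0.7.15", "4.0.0-beta.1", "4.0.0"] {
            println!(
                "{:16} patched>=0.7.15 version {:12} reported={:?}",
                label, v, reported_vulnerable(">=0.7.15", v, gate).unwrap()
            );
        }
    }
}
```

Under the gate, `4.0.0-beta.1` is reported against `>=0.7.15` while `4.0.0` is not, which is the behaviour in the issue; under pure precedence neither is. The gate exists so that `>=1.0.0` does not silently pull in `1.1.0-alpha` in a dependency resolver, but for an advisory's "patched" range it inverts the safe default, so an audit tool has to treat prereleases specially rather than reuse resolver semantics unchanged.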

Rydgel commented 3 years ago

Is there a way to use the latest version of cargo-audit in this action?