actions-rs / audit-check

🛡️ GitHub Action for security audits
https://github.com/marketplace/actions/rust-audit-check
MIT License

Add support for --ignore #223

Closed djmitche closed 2 years ago

djmitche commented 2 years ago

Motivation

Sometimes addressing an advisory is not important for a repository. Maybe it's only used in test or deprecated code, or is a difficult fix and analysis of the vulnerability shows the repo isn't actually vulnerable. In those cases, cargo audit provides --ignore, but it seems this option is not available in the GitHub action.

Workflow example

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions: write-all
    name: "Audit Dependencies"
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/audit-check@v1
        with:
          ignore:
            - RUSTSEC-2021-0124
          token: ${{ secrets.GITHUB_TOKEN }}
moliva commented 2 years ago

I think this PR should be of help for you: #221.

matschaffer commented 2 years ago

This would be helpful given the state of https://rustsec.org/advisories/RUSTSEC-2020-0071 and https://github.com/chronotope/chrono/issues/602

The CVE is low risk for chrono and the problematic dependency should be removed in the next version.

matschaffer commented 2 years ago

From @djmitche in https://github.com/actions-rs/audit-check/pull/221#issuecomment-1207264699

So it turns out that .cargo/audit.toml can be used to ignore things, too -- I just had it in the wrong directory (fix in GothenburgBitFactory/taskwarrior#2903). So the fork probably isn't necessary!

So we could probably close this issue. Though explicit documentation might be more helpful than this github issue for future users.

djmitche commented 2 years ago

Yeah, this seems to be the closest there is to documentation of audit.toml. Maybe a PR to that repo would be useful?

At any rate, this support is now added so this issue can be closed.
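For reference, here is what the per-repository ignore configuration described in the thread looks like. This is an added example, not a file from this issue or from the audit-check project; the advisory ID is the chrono one discussed above, the reason comment is constructed, and the file must live at .cargo/audit.toml relative to the repository root (the directory cargo audit is run from) for the action to pick it up.

```toml
# .cargo/audit.toml
# Read automatically by `cargo audit`, and therefore by actions-rs/audit-check,
# so no extra action input is required. Equivalent to passing
# `cargo audit --ignore RUSTSEC-2020-0071` on the command line.
[advisories]
# Each entry should carry the reason it was accepted and when it should be
# revisited, so the suppression can be audited later rather than forgotten.
ignore = [
    # Constructed reason: chrono's localtime_r issue (RUSTSEC-2020-0071);
    # assessed as low risk here, drop this entry once chrono removes the
    # affected dependency (chronotope/chrono#602).
    "RUSTSEC-2020-0071",
]
# Informational advisory kinds that should still be reported as warnings;
# keep these on so an ignored advisory's crate going unmaintained is not
# silently lost as well.
informational_warnings = ["unmaintained", "unsound"]
```

Ignores apply only to the listed advisory IDs, so a new advisory against the same crate still fails the job.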

matschaffer commented 2 years ago

Nice! I opened https://github.com/rustsec/rustsec/issues/650 to capture documentation that I think might help.

matschaffer commented 2 years ago

heh, though based on https://github.com/GothenburgBitFactory/taskwarrior/pull/2903#issuecomment-1210147348 @pinkforest might be in favor of re-opening this issue. :)