search

eclipse-iceoryx / iceoryx2

Eclipse iceoryx2™ - true zero-copy inter-process-communication in pure Rust
https://iceoryx.io
Apache License 2.0
586 stars 26 forks source link

Add `cargo audit` CI target #400

Open elfenpiff opened 1 day ago

elfenpiff commented 1 day ago

Brief feature description

Can be installed with cargo install cargo-audit and run with cargo audit.

It lists all known security advisories/warnings from all dependencies. The goal would be that iceorx2 does not depend on any package that has known security issues.

A CI target shall verify it. The problem is that a security issue of an unmaintained package may cause a lot of effort on our side to fix it. So it should be an optional target that does not block the CI but informs us so that we can take action.

orecham commented 1 day ago

If we want to add this, it should be a nightly job.

Having a completely unrelated MR blocked because of a newly failing audit of an unrelate dependency would be frustrating.

elBoberido commented 1 day ago

In theory github will warn us. But I'm not sure if it needs to be enabled somewhere. At least I once got a warning for iceray.