mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

`cargo vet aggregate` is not reporting errors correctly #607

Open str4d opened 5 months ago

str4d commented 5 months ago

I'm running `cargo vet aggregate --output-file supply-chain/audits.toml supply-chain/sources.txt` in CI for https://github.com/zcash/rust-ecosystem. Recently I added a second source to `sources.txt` and now aggregation fails. Via local testing, I determined that the new URL is not broken, but the presence of two URLs causes a GoAway to be returned by GitHub, I presume due to either some interaction with HTTP2 connection pooling or tripping up a spam detector?

EDIT 2024-05-23: Hmm, actually it looks like the GoAway is being sent to GitHub at the end of the connection in response to something. It's still the main difference I see between one vs two sources.

✅ First source only

```
❯ cat supply-chain/sources.txt
https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml
❯ cargo vet aggregate --verbose debug --output-file supply-chain/audits.toml supply-chain/sources.txt
DEBUG starting new connection: https://raw.githubusercontent.com/
DEBUG resolving host="raw.githubusercontent.com"
DEBUG connecting to 185.199.111.133:443
DEBUG connected to 185.199.111.133:443
DEBUG No cached session for DnsName("raw.githubusercontent.com")
DEBUG Not resuming any session
DEBUG Using ciphersuite TLS13_AES_128_GCM_SHA256
DEBUG Not resuming
DEBUG TLS1.3 encrypted extensions: [ServerNameAck, Protocols([ProtocolName(6832)])]
DEBUG ALPN protocol is Some(b"h2")
DEBUG binding client connection
DEBUG client connection bound
DEBUG send frame=Settings { flags: (0x0), enable_push: 0, initial_window_size: 2097152, max_frame_size: 16384 }
DEBUG Connection{peer=Client}: send frame=WindowUpdate { stream_id: StreamId(0), size_increment: 5177345 }
DEBUG pooling idle connection for ("https", raw.githubusercontent.com)
DEBUG Connection{peer=Client}: send frame=Headers { stream_id: StreamId(1), flags: (0x5: END_HEADERS | END_STREAM) }
DEBUG Connection{peer=Client}: received frame=Settings { flags: (0x0), max_concurrent_streams: 100 }
DEBUG Connection{peer=Client}: send frame=Settings { flags: (0x1: ACK) }
DEBUG Connection{peer=Client}: received frame=WindowUpdate { stream_id: StreamId(0), size_increment: 16711681 }
DEBUG Connection{peer=Client}: received frame=Settings { flags: (0x1: ACK) }
DEBUG Connection{peer=Client}: received settings ACK; applying Settings { flags: (0x0), enable_push: 0, initial_window_size: 2097152, max_frame_size: 16384 }
DEBUG Connection{peer=Client}: received frame=Headers { stream_id: StreamId(1), flags: (0x4: END_HEADERS) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1), flags: (0x1: END_STREAM) }
```
✅ Second source only

```
❯ cat supply-chain/sources.txt
https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml
❯ cargo vet aggregate --verbose debug --output-file supply-chain/audits.toml supply-chain/sources.txt
DEBUG starting new connection: https://raw.githubusercontent.com/
DEBUG resolving host="raw.githubusercontent.com"
DEBUG connecting to 185.199.111.133:443
DEBUG connected to 185.199.111.133:443
DEBUG No cached session for DnsName("raw.githubusercontent.com")
DEBUG Not resuming any session
DEBUG Using ciphersuite TLS13_AES_128_GCM_SHA256
DEBUG Not resuming
DEBUG TLS1.3 encrypted extensions: [ServerNameAck, Protocols([ProtocolName(6832)])]
DEBUG ALPN protocol is Some(b"h2")
DEBUG binding client connection
DEBUG client connection bound
DEBUG send frame=Settings { flags: (0x0), enable_push: 0, initial_window_size: 2097152, max_frame_size: 16384 }
DEBUG Connection{peer=Client}: send frame=WindowUpdate { stream_id: StreamId(0), size_increment: 5177345 }
DEBUG pooling idle connection for ("https", raw.githubusercontent.com)
DEBUG Connection{peer=Client}: send frame=Headers { stream_id: StreamId(1), flags: (0x5: END_HEADERS | END_STREAM) }
DEBUG Connection{peer=Client}: received frame=Settings { flags: (0x0), max_concurrent_streams: 100 }
DEBUG Connection{peer=Client}: send frame=Settings { flags: (0x1: ACK) }
DEBUG Connection{peer=Client}: received frame=WindowUpdate { stream_id: StreamId(0), size_increment: 16711681 }
DEBUG Connection{peer=Client}: received frame=Settings { flags: (0x1: ACK) }
DEBUG Connection{peer=Client}: received settings ACK; applying Settings { flags: (0x0), enable_push: 0, initial_window_size: 2097152, max_frame_size: 16384 }
DEBUG Connection{peer=Client}: received frame=Headers { stream_id: StreamId(1), flags: (0x4: END_HEADERS) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1), flags: (0x1: END_STREAM) }
```
❌ Both sources

```
❯ cat supply-chain/sources.txt
https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml
https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml
❯ cargo vet aggregate --verbose debug --output-file supply-chain/audits.toml supply-chain/sources.txt
DEBUG starting new connection: https://raw.githubusercontent.com/
DEBUG starting new connection: https://raw.githubusercontent.com/
DEBUG resolving host="raw.githubusercontent.com"
DEBUG resolving host="raw.githubusercontent.com"
DEBUG connecting to 185.199.111.133:443
DEBUG connecting to 185.199.108.133:443
DEBUG connected to 185.199.111.133:443
DEBUG No cached session for DnsName("raw.githubusercontent.com")
DEBUG Not resuming any session
DEBUG connected to 185.199.108.133:443
DEBUG No cached session for DnsName("raw.githubusercontent.com")
DEBUG Not resuming any session
DEBUG Using ciphersuite TLS13_AES_128_GCM_SHA256
DEBUG Not resuming
DEBUG TLS1.3 encrypted extensions: [ServerNameAck, Protocols([ProtocolName(6832)])]
DEBUG ALPN protocol is Some(b"h2")
DEBUG binding client connection
DEBUG client connection bound
DEBUG send frame=Settings { flags: (0x0), enable_push: 0, initial_window_size: 2097152, max_frame_size: 16384 }
DEBUG Connection{peer=Client}: send frame=WindowUpdate { stream_id: StreamId(0), size_increment: 5177345 }
DEBUG pooling idle connection for ("https", raw.githubusercontent.com)
DEBUG reuse idle connection for ("https", raw.githubusercontent.com)
DEBUG Connection{peer=Client}: send frame=Headers { stream_id: StreamId(1), flags: (0x5: END_HEADERS | END_STREAM) }
DEBUG Connection{peer=Client}: send frame=Headers { stream_id: StreamId(3), flags: (0x5: END_HEADERS | END_STREAM) }
DEBUG Using ciphersuite TLS13_AES_128_GCM_SHA256
DEBUG Not resuming
DEBUG TLS1.3 encrypted extensions: [ServerNameAck, Protocols([ProtocolName(6832)])]
DEBUG ALPN protocol is Some(b"h2")
DEBUG binding client connection
DEBUG client connection bound
DEBUG send frame=Settings { flags: (0x0), enable_push: 0, initial_window_size: 2097152, max_frame_size: 16384 }
DEBUG Connection{peer=Client}: send frame=GoAway { error_code: NO_ERROR, last_stream_id: StreamId(0) }
DEBUG Connection{peer=Client}: Connection::poll; connection error error=GoAway(b"", NO_ERROR, Library)
DEBUG Connection{peer=Client}: Sending warning alert CloseNotify
DEBUG Connection{peer=Client}: received frame=Settings { flags: (0x0), max_concurrent_streams: 100 }
DEBUG Connection{peer=Client}: send frame=Settings { flags: (0x1: ACK) }
DEBUG Connection{peer=Client}: received frame=WindowUpdate { stream_id: StreamId(0), size_increment: 16711681 }
DEBUG Connection{peer=Client}: received frame=Settings { flags: (0x1: ACK) }
DEBUG Connection{peer=Client}: received settings ACK; applying Settings { flags: (0x0), enable_push: 0, initial_window_size: 2097152, max_frame_size: 16384 }
DEBUG Connection{peer=Client}: received frame=Headers { stream_id: StreamId(3), flags: (0x4: END_HEADERS) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(3), flags: (0x1: END_STREAM) }
DEBUG Connection{peer=Client}: received frame=Headers { stream_id: StreamId(1), flags: (0x4: END_HEADERS) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1) }
DEBUG Connection{peer=Client}: received frame=Data { stream_id: StreamId(1), flags: (0x1: END_STREAM) }
DEBUG Connection{peer=Client}: send frame=GoAway { error_code: NO_ERROR, last_stream_id: StreamId(0) }
DEBUG Connection{peer=Client}: Connection::poll; connection error error=GoAway(b"", NO_ERROR, Library)
ERROR × there were errors aggregating source audit files
DEBUG Connection{peer=Client}: Sending warning alert CloseNotify
```
str4d commented 5 months ago

Maybe also related to #593 (there is not enough error log information in the cargo-vet output for either issue's content to be sufficient for me to determine that).

str4d commented 4 months ago

I've now had time to debug this further, and it turns out that the problem is that `miette` is for whatever reason not rendering the related errors inside `AggregateErrors`. When I add `dbg!` around them, this is what I get as overall output:

```
    Fetching source audits [=========================================================] 2/2
[src/main.rs:2552:8] &errors = [
    CriteriaDescriptionMismatch(
        AggregateCriteriaDescriptionMismatchError {
            criteria_name: "license-reviewed",
            first: AggregateCriteriaDescription {
                source: "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml",
                description: Some(
                    "The license of this crate has been reviewed for compatibility with its usage in this repository.",
                ),
                description_url: None,
            },
            second: AggregateCriteriaDescription {
                source: "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml",
                description: Some(
                    "The license of this crate has been reviewed for compatibility with its usage in this repository. If the crate is not available under the MIT license, `contrib/debian/copyright` has been updated with a corresponding copyright notice for files under `depends/*/vendored-sources/CRATE_NAME`.",
                ),
                description_url: None,
            },
        },
    ),
]
ERROR   × there were errors aggregating source audit files
```

So I now know what the aggregation problem is (a mismatch between criteria descriptions, something I didn't realise had to match exactly), but also `cargo vet` is hiding these errors.