Closed anforowicz closed 1 month ago
The string used for the "recommended audits for" printout is populated in a pretty simple way, by iterating the set of failed criteria for the revision, picking a minimal set of criteria which can be used to satisfy it, and concatenating them together into a string:
If it was changed here, I believe this would only impact that printout and the suggestion list in the JSON output, but wouldn't impact things like what criteria are selected by default when running cargo vet certify. I've thrown together a PR which implements it as it's fairly straightforward (#614).
For most consumers of cargo vet who don't use custom criteria, this would only impact suggested audits for safe-to-run which would now read something like:
recommended audits for safe-to-run (or safe-to-deploy):
That seems fairly reasonable to me unless you have fairly complex implies criteria graphs.
Context
In my experience, engineers performing semi-automated crate updates are sometimes confused which criteria to audit for. For example, an engineer may see the following message from cargo vet:
The crate has been previously audited as does-not-implement-crypto and ub-risk-0 and the delta doesn't change those properties. But cargo vet's message recommends auditing for crypto-safe and ub-risk-2 instead (which have a transitive implies relationship: ub-risk-0 implies ub-risk-1 which implies ub-risk-2; and does-not-implement-crypto implies crypto-safe - see here and here).
To reduce the confusion, we've tried to cover this in our documentation: tools/crates/create_update_cl.md:
But, it would be great if cargo vet's output could also somehow be tweaked to avoid this kind of confusion (since the doc guidance is easy to miss, but the output of cargo vet is looked at each time a crate is updated). Can we discuss if and how cargo vet's output could be changed?
FWIW this confusion (in light of does-not-implement-crypto vs crypto-safe) has also been touched upon in https://github.com/mozilla/cargo-vet/issues/417 but that other issue focuses more on delta audit workflow surfacing the properties of the baseline audit.
Concrete proposal
I would like to propose changing this part of the output:
Into:
It seems possible to derive the new text based on the implies relationship that cargo vet already recognizes between the audit criteria.
I haven't yet tried looking at cargo vet's source code to see where such change could be made. Obviously we wouldn't want to change all criteria => string conversions - hopefully it won't be too difficult to identify which ones can use the new, expanded wording (?).
WDYT?
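The expanded wording discussed in this thread can be derived from the implies graph alone. The sketch below is an added example, not cargo-vet's code and not the change in #614: the graph layout, the function names and the rule used to pick the minimal set are assumptions, and only the criteria names come from the thread.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed implies graph: criterion -> criteria it directly implies.
// Criteria names come from the thread; this is not cargo-vet's data model.
fn sample_graph() -> BTreeMap<&'static str, Vec<&'static str>> {
    BTreeMap::from([
        ("safe-to-deploy", vec!["safe-to-run"]),
        ("ub-risk-0", vec!["ub-risk-1"]),
        ("ub-risk-1", vec!["ub-risk-2"]),
        ("does-not-implement-crypto", vec!["crypto-safe"]),
    ])
}

// Everything reachable from `start` over implies edges (excluding `start`).
fn implied_by<'a>(g: &BTreeMap<&'a str, Vec<&'a str>>, start: &'a str) -> BTreeSet<&'a str> {
    let mut seen = BTreeSet::new();
    let mut stack = vec![start];
    while let Some(c) = stack.pop() {
        for &next in g.get(c).into_iter().flatten() {
            if seen.insert(next) {
                stack.push(next);
            }
        }
    }
    seen
}

// Assumed rule: drop failed criteria already implied by another failed one,
// then list every stronger criterion that would also satisfy each remaining one.
fn recommend<'a>(g: &BTreeMap<&'a str, Vec<&'a str>>, failed: &[&'a str]) -> String {
    let minimal: Vec<&str> = failed.iter().copied()
        .filter(|&c| !failed.iter().any(|&o| o != c && implied_by(g, o).contains(&c)))
        .collect();
    let parts: Vec<String> = minimal.iter().map(|&c| {
        let stronger: Vec<&str> = g.keys().copied()
            .filter(|&k| implied_by(g, k).contains(&c))
            .collect();
        if stronger.is_empty() { c.to_string() }
        else { format!("{} (or {})", c, stronger.join(", ")) }
    }).collect();
    parts.join(", ")
}

fn main() {
    let g = sample_graph();
    println!("recommended audits for {}:", recommend(&g, &["crypto-safe", "ub-risk-2"]));
}
```

With the two failed criteria from the Context section, the hint names does-not-implement-crypto and ub-risk-0 next to the weaker criteria, so an auditor can see that the stricter criteria already used for the baseline also satisfy the requirement.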