rustsec / rustsec

RustSec API & Tooling
https://rustsec.org/
Other
1.59k stars 136 forks source link

cargo audit crashes with "invalid Cargo.lock dependency tree: ..." #1241

Open asomers opened 3 months ago

asomers commented 3 months ago

cargo-audit 0.20.0 crashes when run on the master branch of the Nix repository. The problem seems to be that the master branch uses a git dependency, and specifies a git branch rather than a revision. But this problem is only reproducible when cargo-audit is built in a way that honors the Cargo.lock file. Doing a cargo install ignores Cargo.lock, and the resulting binary works. Both 0.20.0 and the main branch are affected. Both rust nightly and rust 1.77.0 are affected, though the 0.20.0 branch doesn't compile with rust nightly.

Steps to reproduce:

$ git clone git@github.com:nix-rust/nix.git
$ git clone git@github.com:rustsec/rustsec.git
$ cd rustsec/cargo-audit
$ git checkout cargo-audit/v0.20.0  # optional
$ cargo +1.77.0 run -- audit -f ../../nix/Cargo.lock 
    Finished dev [unoptimized + debuginfo] target(s) in 0.43s
     Running `/usr/home/somers/src/rust/rustsec/target/debug/cargo-audit audit -f ../../nix/Cargo.lock`
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 647 security advisories (from /home/somers/.cargo/advisory-db)
    Updating crates.io index
    Scanning ../../nix/Cargo.lock for vulnerabilities (55 crate dependencies)
The application panicked (crashed).
Message:  invalid Cargo.lock dependency tree: Resolution("failed to find dependency: libc 0.2.156 (git+https://github.com/rust-lang/libc?branch=libc-0.2)")
Location: cargo-audit/src/presenter.rs:114

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
tarcieri commented 2 months ago

Can you try v0.20.1?

Edit: oops, didn't mean to close

asomers commented 2 months ago

Negative @tarcieri . It still crashes for me.

tarcieri commented 2 months ago

Can you expound on this:

But this problem is only reproducible when cargo-audit is built in a way that honors the Cargo.lock file. Doing a cargo install ignores Cargo.lock, and the resulting binary works

asomers commented 2 months ago

Can you expound on this:

But this problem is only reproducible when cargo-audit is built in a way that honors the Cargo.lock file. Doing a cargo install ignores Cargo.lock, and the resulting binary works

It's my understanding that "cargo install" ignores the Cargo.lock file. But even if my understanding is incorrect, what's indisputable is that doing cargo install cargo-audit; cargo audit works, while doing cargo run from the rustsec/cargo-audit directory crashes.

tarcieri commented 2 months ago

So cargo install worked for v0.20.0, works for v0.20.1, but this bug arises with cargo install --locked for either v0.20.0 or v0.20.1?

Must be a bug in a dependency which didn't get upgraded in Cargo.lock between versions, then.

asomers commented 2 months ago

Actually, it _doeswork with cargo install --locked, oddly enough. But it fails with cargo run, and it fails for the package built by the FreeBSD ports system.