rustsec / rustsec

RustSec API & Tooling
https://rustsec.org/

Offline mode #234

Open janderholm opened 4 years ago

janderholm commented 4 years ago

Thanks for a great project!

It looks like cargo audit doesn't honor the offline flag and always tries to fetch crates.io. On the other hand, it continues running successfully after failing, so I think it's an unnecessary operation?

$ CARGO_NET_OFFLINE=false cargo audit --no-fetch --db /path/to/rustsec-advisory-database
      Loaded 85 security advisories (from /path/to/rustsec-advisory-database)
    Updating crates.io index
warning: couldn't update crates.io index: registry: failed to connect to github.com: Network is unreachable; class=Os (2)
    Scanning Cargo.lock for vulnerabilities (245 crate dependencies)
     Success No vulnerable packages found

This is only a minor nuisance for me, in my environment where there's no internet connection. I think this is a common situation in many CI systems where all sources are vendored and builds run offline. But things still work, so other than a slight delay things work well. Nothing more than a slight eyesore!

tarcieri commented 4 years ago

The crates.io index is fetched to determine if any crates in Cargo.lock have been yanked.

That said, it should be easy to ensure it isn't when --no-fetch is used.
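To make concrete what the crates.io index fetch is for, here is an added example of the yank check done purely against a local copy of the index, with no network access. It is not code from the rustsec project: the Cargo.lock text, the fictional crate names and the index lines are constructed for the example, the index directory layout (1/x, 2/xy, 3/x/xyz, otherwise xy/zw/name, lowercased) and the minified one-JSON-object-per-line file format are assumptions about how the crates.io index is laid out, and a crate or version that is missing from the local copy is reported as unknown rather than treated as clean, which is the failure mode an offline mode has to decide about.

```rust
use std::collections::HashMap;

/// One `[[package]]` entry from Cargo.lock; only what the yank check needs.
#[derive(Debug, Clone, PartialEq)]
pub struct LockedPackage {
    pub name: String,
    pub version: String,
    /// `None` for workspace members, which never live in a registry.
    pub source: Option<String>,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum YankStatus {
    NotYanked,
    Yanked,
    /// Crate or version missing from the local index copy: surface it instead of
    /// letting a stale or partial offline index pass as a clean result.
    Unknown,
}

/// Value of a `key = "..."` TOML line, or None if the line is not that key.
fn toml_string_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim_start();
    rest.strip_prefix('"')?.strip_suffix('"')
}

/// Minimal Cargo.lock reader: walks `[[package]]` tables and records the
/// name/version/source lines. Enough for lock files cargo writes; not a TOML parser.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut out = Vec::new();
    let mut cur: Option<LockedPackage> = None;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            out.extend(cur.take());
            cur = Some(LockedPackage { name: String::new(), version: String::new(), source: None });
        } else if let Some(p) = cur.as_mut() {
            if let Some(v) = toml_string_value(line, "name") {
                p.name = v.to_string();
            } else if let Some(v) = toml_string_value(line, "version") {
                p.version = v.to_string();
            } else if let Some(v) = toml_string_value(line, "source") {
                p.source = Some(v.to_string());
            }
        }
    }
    out.extend(cur.take());
    out
}

/// Path of a crate's file inside an index checkout. Assumed layout (crate names
/// are ASCII): 1/x, 2/xy, 3/x/xyz, otherwise xy/zw/name, all lowercased.
pub fn index_path(name: &str) -> String {
    let n = name.to_ascii_lowercase();
    match n.len() {
        0 => String::new(),
        1 => format!("1/{n}"),
        2 => format!("2/{n}"),
        3 => format!("3/{}/{n}", &n[..1]),
        _ => format!("{}/{}/{n}", &n[..2], &n[2..4]),
    }
}

/// First `"key":"value"` string field in a minified index JSON line.
fn json_str_field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{key}\":\"");
    let start = line.find(&needle)? + needle.len();
    let len = line[start..].find('"')?;
    Some(&line[start..start + len])
}

/// Look the locked version up in the index lines kept for that crate.
pub fn yank_status(index: &HashMap<String, Vec<String>>, pkg: &LockedPackage) -> YankStatus {
    let lines = match index.get(&index_path(&pkg.name)) {
        Some(l) => l,
        None => return YankStatus::Unknown,
    };
    for line in lines {
        let same_crate = json_str_field(line, "name").map_or(false, |n| n.eq_ignore_ascii_case(&pkg.name));
        if same_crate && json_str_field(line, "vers") == Some(pkg.version.as_str()) {
            // Index files are minified JSON, so the flag appears exactly like this (assumption).
            return if line.contains("\"yanked\":true") { YankStatus::Yanked } else { YankStatus::NotYanked };
        }
    }
    YankStatus::Unknown
}

/// Yank status of every registry package in the lock file (workspace members skipped).
pub fn check_yanked(lock_text: &str, index: &HashMap<String, Vec<String>>) -> Vec<(LockedPackage, YankStatus)> {
    parse_cargo_lock(lock_text)
        .into_iter()
        .filter(|p| p.source.is_some())
        .map(|p| { let s = yank_status(index, &p); (p, s) })
        .collect()
}

/// Constructed Cargo.lock with fictional crates (not real registry data).
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "acme-http",
 "widgetlib",
 "zz",
]

[[package]]
name = "acme-http"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "widgetlib"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "zz"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Constructed stand-in for a local index checkout: path -> lines of that file.
/// `zz` is deliberately absent, as it would be in a stale or partial offline copy.
pub fn sample_index() -> HashMap<String, Vec<String>> {
    let mut idx = HashMap::new();
    idx.insert(index_path("acme-http"), vec![
        r#"{"name":"acme-http","vers":"0.4.1","deps":[],"cksum":"00","features":{},"yanked":false}"#.to_string(),
        r#"{"name":"acme-http","vers":"0.4.2","deps":[{"name":"widgetlib","req":"^0.3","kind":"normal"}],"cksum":"01","features":{},"yanked":false}"#.to_string(),
    ]);
    idx.insert(index_path("widgetlib"), vec![
        r#"{"name":"widgetlib","vers":"0.3.1","deps":[],"cksum":"02","features":{},"yanked":true}"#.to_string(),
        r#"{"name":"widgetlib","vers":"0.3.2","deps":[],"cksum":"03","features":{},"yanked":false}"#.to_string(),
    ]);
    idx
}

fn main() {
    for (pkg, status) in check_yanked(SAMPLE_LOCK, &sample_index()) {
        println!("{} {}: {:?}", pkg.name, pkg.version, status);
    }
}
```

Run against the constructed data this reports acme-http 0.4.2 as not yanked, widgetlib 0.3.1 as yanked, and zz 0.2.0 as unknown because its index file is missing locally. An offline mode that "fails if it has no usable cached data" would turn that Unknown into an error rather than a pass.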

huangjj27 commented 2 years ago

It seems that a fetch = false config in ~/.cargo/audit.toml does not work when I run just cargo audit. Should I place audit.toml in the crates' .cargo directories?

tarcieri commented 2 years ago

The correct locations for the configuration are either in ~/.cargo/audit.toml or .cargo/audit.toml of your project, following standard cargo conventions

huangjj27 commented 2 years ago

> The correct locations for the configuration are either in ~/.cargo/audit.toml or .cargo/audit.toml of your project, following standard cargo conventions

Is it a bug if I still keep fetching when I have a ~/.config/audit.toml with fetch = false in it? It's strange that cargo audit gets my advisory db url but can't get the fetch config. Here is my config:

$ cat ~/.cargo/audit.toml
[database]
url = "https://github.com.cnpmjs.org/rustsec/advisory-db.git"
#url = "https://gitclone.com/github.com/rustsec/advisory-db.git"
fetch = false
stale = true
$ cargo audit
    Fetching advisory database from `https://github.com.cnpmjs.org/rustsec/advisory-db.git`
      Loaded 372 security advisories (from /home/huangjj27/.cargo/advisory-db)
    Updating crates.io index
^C
$ cargo audit --no-fetch
      Loaded 372 security advisories (from /home/huangjj27/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (226 crate dependencies)

(omit the vulnerabilities details)

error: 6 vulnerabilities found!
warning: 2 allowed warnings found

ijackson commented 1 year ago

I think cargo audit ought to have an --offline flag which disables all network activity (and fails if it has no usable cached data). And it ought to honour CARGO_NET_OFFLINE, which cargo --offline and some other tools can set.