Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug: Check for advisories doesn't seem to work on 0.14.19 #641

Closed
ghost opened this issue Mar 22, 2024 · 12 comments · Fixed by #642
Closed

Bug: Check for advisories doesn't seem to work on 0.14.19 #641

ghost opened this issue Mar 22, 2024 · 12 comments · Fixed by #642
Labels
bug Something isn't working

Comments

@ghost
Copy link

ghost commented Mar 22, 2024

Describe the bug

After having installed the latest version of cargo-deny (0.14.19) and running cargo deny check advisories in a Rust workspace, I'm met with the following error:

[ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack): client error (Connect)

I'm not sure what the problem is since I can download the file with curl:

curl https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack --output foo

The used db-urls in deny.toml is the same as in the book.
I get the same issue when using the deny.toml from this repository as well:
https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml

I've encountered this problem while using both Ubuntu 22.04 (as OS) and inside a rust:1.76-slim docker container.

To reproduce

  1. Install the latest version of cargo-deny:
    cargo install --version 0.14.19 cargo-deny
  2. Position yourself inside a Rust project with a deny.toml. You can grab an example from here: https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml
  3. Run:
    cargo deny check advisories

cargo-deny version

cargo-deny 0.14.19

What OS were you running cargo-deny on?

Linux

Additional context

No response

@ghost ghost added the bug Something isn't working label Mar 22, 2024
@Jake-Shadle
Copy link
Member

Can you confirm that older versions still work? I'm unable to repro this so feels like a client side issue (behind proxy or something?).

@hmacias-avaya
Copy link

0.14.14 working ok for me. A colleague running 0.14.19 is seeing this same issue

@hmacias-avaya
Copy link

..after upgrading it fails for me as well. I'm not behind any vpn or proxy:

2024-03-22 15:15:13 [INFO] gathered 346 crates in 449ms
2024-03-22 15:15:13 [ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: failed to prepare fetch: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack)

@hmacias-avaya
Copy link

using 0.14.19 shows that issue. Compiling from current head 621ff39 seems to work just fine 🤷

@Jake-Shadle
Copy link
Member

That does not make sense, there was no change between them that would affect this.

@ilpanich
Copy link

It is a little bit weird guys: on my laptop running archlinux it works perfectly; instead when I try to build with the official rust docker image 1.7.0-slim-bookworm I got the issue.
Version 0.14.18 works on 1.7.0-slim-bookworm.

@hmacias-avaya
Copy link

I know it still sounds weird(er), but if I install version 0.14.19:

cargo install cargo-deny --version 0.14.19 --force 

and do a cargo deny check, I see the same error every single time.

If I build from source on commit c16388b (tag: 0.14.19) then it works fine for me both building in release and non-release modes.

@amousset
Copy link

I could reproduce the issue (both with cargo deny and cargo audit), I 'm investigating.

@Jake-Shadle
Copy link
Member

I can repro this, I believe I know what is happening.

@Jake-Shadle
Copy link
Member

The issue is that gix-transport 0.41.3, or one of the updated dependencies it uses, has a bug. Again, the recommended way to install cargo-deny, as stated in the README, is to use --locked when running cargo install, as otherwise bugs or semver breakages which are not tested in CI can occur.

@ghost
Copy link
Author

ghost commented Mar 25, 2024

Thank you, @Jake-Shadle for the quick response and fix, I've followed through and it was quite the rabbit hole. I can confirm cargo-deny 0.14.20 works, though I think I will move to installing cargo-deny with --lock into the image.

@yurnery
Copy link

yurnery commented Apr 24, 2024

  1. clear the allow scope in deny.toml
  2. run cargo deny check, it will fail.
  3. fill licenses in the allow scope again.
  4. it works.

It works for me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants