Add support for rustsec advisories #62
Conversation
...And fix our own!
@repi not really looking for more than a sanity check on the general interface and config additions and changes, which can be mostly seen from the README.md and CHANGELOG.md changes I made.
@Jake-Shadle ok will take a look
CHANGELOG.md
Outdated
- [PR#62](https://github.com/EmbarkStudios/cargo-deny/pull/62) Fixed [#56](https://github.com/EmbarkStudios/cargo-deny/issues/56), the `[metadata]` section in `Cargo.lock` is now gone in nightly to improve merging, the previous reporting mechanism that required this section has been reworked. | ||
|
||
### Changed | ||
- Renamed the `<which>` options for `cargo deny check <which>` from `ban` => `bans` and `license` => `licenses` |
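Review bot: the visible part of this CHANGELOG hunk records the #56 fix and the `ban` => `bans` / `license` => `licenses` rename under Changed, but no Added entry for the new `advisories` check and config section that the PR description names as its main purpose; if that entry is not in a part of the diff not shown here, add one. The rename also breaks any existing `cargo deny check ban` / `cargo deny check license` invocation in CI, so the Changed entry should say so explicitly, or the old names should be kept as deprecated aliases as discussed in the comments.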
This is a pretty big breaking change if someone is running it in CI, but not sure if we can highlight it more. And we are not at 1.0 yet.
Yah, this just made it more consistent with the configuration names and everything else. But I can instead make it have both the old and new and instead mark them as deprecated.
That would be cleaner, and doesn't hurt anything right now. And good to get into the practice of backwards compatibility / deprecation.
@@ -17,17 +17,16 @@ track of certain things, especially as a project evolves over time, which is wha | |||
|
Also mention security advisories and unmaintained crates up here on the top level? Think it would be great to get a good overview
Yes, definitely!
README.md
Outdated
#### The `db-path` field | ||
|
||
Path to the local copy of advisory database's git repo (default: ~/.cargo/advisory-db) | ||
|
||
#### The `db-url` field | ||
|
||
URL to the advisory database's git repo (default: https://github.com/RustSec/advisory-db) |
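Review bot: neither field says whether it is required. Mark both as optional, state that the defaults (`~/.cargo/advisory-db` and https://github.com/RustSec/advisory-db) apply when the field is omitted, and add a line on when to override them, such as pointing `db-url` at a private or mirrored advisory database, so readers understand that the advisories check trusts whatever repository `db-url` names as its source of truth.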
When reading this, it was a bit unclear to me whether these are required or optional, or why/when one would want or need to set them.
Yah, I should mark them as optional; I just supported it because cargo audit also supports it. And you could have private internal databases.
Makes sense!
Added a few comments inline, but looks good!
This PR adds a new `advisories` check and config section, allowing cargo-deny to fetch an advisory database (default https://github.com/RustSec/advisory-db) and check for security vulnerabilities, unmaintained crates, and security notices.

Resolves: #18
Resolves: #23
Resolves: #44
Resolves: #56