Test advisory? #158

Closed
jsgf opened this issue Sep 11, 2019 · 2 comments

@jsgf jsgf commented Sep 11, 2019

Is there a test package with a test advisory so that an advisory reporting pipeline can be tested? I'm thinking of something along the lines of the EICAR test virus signature to test a malware detection pipeline.

The advisory would have a unique tag and/or category so that it can be unambiguously identified as a test for which no action needs to be taken. (Or maybe there could be multiple test advisories with different properties but sharing the same unambiguous "this is a test" marker.)

I could use a real package with a real advisory, but I'd be concerned that it would interfere with other dependencies, and it wouldn't be clear that it was just there for a test.

Member

@tarcieri tarcieri commented Sep 17, 2019

Sounds like a good idea. I'd suggest creating a clearly labeled "test crate", e.g. rustsec-test-crate, and filing a single test advisory against that. Perhaps we could create two versions of the crate, one which is "vulnerable" and one which is "unaffected".

@tarcieri tarcieri closed this in 0b63779 Oct 9, 2019

@tarcieri tarcieri commented Oct 9, 2019

Test advisory has been created: RUSTSEC-2019-0024
