Json output does not respect deny options #376

Open
alan-signal opened this issue May 26, 2021 · 2 comments

alan-signal commented May 26, 2021

0.14.1

Reproduction steps

  1. Create a repo with a warning, e.g.:

         [dependencies]
         cpuid-bool = "0.2"

  2. Run $ cargo audit and see the warning.

  3. Promote that warning to an error and see the error $ cargo audit --deny warnings.

  4. Now run with and without --deny warnings and --json.

         $ cargo audit --json
         $ cargo audit --deny warnings --json

Expect

The warning to be promoted to an error in the json.

Actual

No difference is seen, it remains a warning:

  "warnings": {
    "unmaintained": [
      {
        "kind": "unmaintained",
        "package": {
          "name": "cpuid-bool",
          "version": "0.2.0",

Additionally, you can reproduce this with a .cargo/audit.toml:

 [output]
 deny = ["unmaintained", "unsound", "yanked"]
 quiet = false

Consequences

The audit-check which uses --json cannot be made to fail on warnings. See: actions-rs/audit-check#132 (audit-check requires that it is solved for the .cargo/audit.toml case.)

I have not investigated whether other relevant command line/audit.toml options are respected in json output when they should be.

An MCVE is here: alan-signal/cargo-audit-action#1 with the issue as seen with audit-check.

@Ekleog-NEAR

I’m hitting this too, it seems like it’s not possible to have the audit-check action deny warnings currently, unfortunately. I guess I’ll stay with a hand-rolled audit action, even though it’s sad considering the work that seems to have been put into the audit-check action :)

@Shnatsel
Member

In the latest release of rustsec I have aligned warnings to contain all the information that errors do, so this should not be too hard to fix now.

I'm not sure I will be able to get around to fixing this myself soon, though. A PR would be welcome.
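
A CI gate that works around the behaviour reported in this thread, as an added example that is not part of the issue or of cargo-audit: it reads `cargo audit --json` output and exits non-zero when a warning's kind is on the deny list. The script name `gate.py` is hypothetical, and the sample report is constructed and trimmed to the fields visible in the issue's JSON excerpt.

```python
import json
import sys

# Kinds taken from the deny list in the issue's .cargo/audit.toml.
# The single value "warnings" denies every kind, like --deny warnings.
DENY = {"unmaintained", "unsound", "yanked"}

# Constructed sample, trimmed to the fields shown in the issue's excerpt.
SAMPLE_REPORT = """
{
  "warnings": {
    "unmaintained": [
      {"kind": "unmaintained",
       "package": {"name": "cpuid-bool", "version": "0.2.0"}}
    ]
  }
}
"""


def denied_warnings(report_text, deny=DENY):
    """Return sorted (kind, name, version) tuples for warnings whose kind is denied."""
    report = json.loads(report_text)  # malformed input raises, so the gate fails closed
    hits = []
    for kind, entries in (report.get("warnings") or {}).items():
        if "warnings" not in deny and kind not in deny:
            continue
        for entry in entries:
            pkg = entry.get("package", {})
            hits.append((kind, pkg.get("name", "?"), pkg.get("version", "?")))
    return sorted(hits)


def main():
    # Usage: cargo audit --json | python gate.py
    # With no pipe on stdin, the constructed sample is used instead.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    hits = denied_warnings(text)
    for kind, name, version in hits:
        print(f"denied warning [{kind}]: {name} {version}", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the decision is made from the JSON itself, the gate does not depend on cargo-audit's exit code, which is the part the issue reports as unaffected by the deny options.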
