Cargo deny doesn't check for all features #9880

Closed
ameknite opened this issue Sep 20, 2023 · 0 comments · Fixed by #10544
Labels
A-Build-System Related to build systems or continuous integration C-Bug An unexpected or incorrect behavior

Comments


ameknite commented Sep 20, 2023

What went wrong

While I was checking the licenses of the bevy dependencies, I noticed that the 'cargo deny' step in the 'dependencies.yaml' workflow doesn't check for all the features.

If you run this in main: cargo deny --all-features check --hide-inclusion-graph

It will give you a lot of errors: license errors, duplicate crates, unmaintained advisories, security vulnerabilities, and yanked versions.

Additional information

Output
```text
error[rejected]: failed to satisfy license requirements
  ┌─ symphonia 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-bundle-flac 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-bundle-mp3 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-codec-aac 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-codec-adpcm 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-codec-pcm 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-codec-vorbis 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-core 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-format-isomp4 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-format-wav 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-metadata 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[rejected]: failed to satisfy license requirements
  ┌─ symphonia-utils-xiph 0.5.3 (registry+https://github.com/rust-lang/crates.io-index):4:12
4 │ license = "MPL-2.0"
  │            ^^^^^^^
  │            │
  │            license expression retrieved via Cargo.toml `license`
  │            rejected: license is considered copyleft

error[duplicate]: found 2 duplicate entries for crate 'hermit-abi'
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:204:1
204 │ ╭ hermit-abi 0.2.6 registry+https://github.com/rust-lang/crates.io-index
205 │ │ hermit-abi 0.3.1 registry+https://github.com/rust-lang/crates.io-index
    │ ╰──────────────────────────────────────────────────────────────────────^ lock entries

error[duplicate]: found 3 duplicate entries for crate 'memoffset'
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:248:1
248 │ ╭ memoffset 0.6.5 registry+https://github.com/rust-lang/crates.io-index
249 │ │ memoffset 0.7.1 registry+https://github.com/rust-lang/crates.io-index
250 │ │ memoffset 0.9.0 registry+https://github.com/rust-lang/crates.io-index
    │ ╰─────────────────────────────────────────────────────────────────────^ lock entries

error[duplicate]: found 2 duplicate entries for crate 'nix'
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:266:1
266 │ ╭ nix 0.25.1 registry+https://github.com/rust-lang/crates.io-index
267 │ │ nix 0.26.2 registry+https://github.com/rust-lang/crates.io-index
    │ ╰────────────────────────────────────────────────────────────────^ lock entries

error[duplicate]: found 2 duplicate entries for crate 'num-traits'
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:277:1
277 │ ╭ num-traits 0.1.43 registry+https://github.com/rust-lang/crates.io-index
278 │ │ num-traits 0.2.15 registry+https://github.com/rust-lang/crates.io-index
    │ ╰───────────────────────────────────────────────────────────────────────^ lock entries

error[duplicate]: found 2 duplicate entries for crate 'tracy-client'
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:410:1
410 │ ╭ tracy-client 0.15.2 registry+https://github.com/rust-lang/crates.io-index
411 │ │ tracy-client 0.16.1 registry+https://github.com/rust-lang/crates.io-index
    │ ╰─────────────────────────────────────────────────────────────────────────^ lock entries

error[unmaintained]: slice-deque is unmaintained
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:360:1
360 │ slice-deque 0.3.0 registry+https://github.com/rust-lang/crates.io-index
    │ ----------------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2020-0158
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0158
    = The author of the `slice-deque` crate is unresponsive and is not receiving security patches.

      Maintained alternatives:

      - [`slice-ring-buffer`](https://crates.io/crates/slice-ring-buffer)
    = Announcement: https://github.com/gnzlbg/slice_deque/issues/94
    = Solution: No safe upgrade is available!

error[unmaintained]: mach is unmaintained
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:241:1
241 │ mach 0.3.2 registry+https://github.com/rust-lang/crates.io-index
    │ ---------------------------------------------------------------- unmaintained advisory detected
    │
    = ID: RUSTSEC-2020-0168
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2020-0168
    = Last release was almost 4 years ago.

      Maintainer(s) seem to be completely unreachable.

      ## Possible Alternative(s)

      These may or may not be suitable alternatives and have not been vetted in any way;
      - [mach2](https://crates.io/crates/mach2) - direct fork
    = Announcement: https://github.com/fitzgen/mach/issues/63
    = Solution: No safe upgrade is available!

error[vulnerability]: SliceDeque::drain_filter can double drop an element if the predicate panics
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:360:1
360 │ slice-deque 0.3.0 registry+https://github.com/rust-lang/crates.io-index
    │ ----------------------------------------------------------------------- security vulnerability detected
    │
    = ID: RUSTSEC-2021-0047
    = Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0047
    = Affected versions of the crate incremented the current index of the drain filter
      iterator *before* calling the predicate function `self.pred`.

      If the predicate function panics, it is possible for the last element in the
      iterator to be dropped twice.
    = Announcement: https://github.com/gnzlbg/slice_deque/issues/90
    = Solution: No safe upgrade is available!

error[yanked]: detected yanked crate (try `cargo update -p hermit-abi`)
    ┌─ /Users/ameknite/code/rust/repos/bevy/Cargo.lock:205:1
205 │ hermit-abi 0.3.1 registry+https://github.com/rust-lang/crates.io-index
    │ ---------------------------------------------------------------------- yanked version
```
@ameknite ameknite added C-Bug An unexpected or incorrect behavior S-Needs-Triage This issue needs to be labelled labels Sep 20, 2023
@alice-i-cecile alice-i-cecile added A-Build-System Related to build systems or continuous integration and removed S-Needs-Triage This issue needs to be labelled labels Sep 20, 2023
github-merge-queue bot pushed a commit that referenced this issue Nov 14, 2023
# Objective

Fix #9880

## Solution

- Add the all-features flag
- Allow the "MPL-2.0" license for the [Symphonia](https://github.com/pdeljanov/Symphonia) crates
- Update dependencies that are unmaintained or have vulnerabilities: RustAudio/rodio#517, LiquidityC/slice_ring_buffer#7
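The CI side of the fix described in that commit, as an added example that is not bevy's own dependencies.yaml: a GitHub Actions job that runs cargo-deny with `--all-features`, so dependencies reachable only through optional features are resolved and audited too. The trigger paths, action versions and job name are assumptions for this example.

```yaml
# Example workflow written for this note (not bevy's actual dependencies.yaml).
# The point it demonstrates: `cargo deny check` alone resolves only the default
# feature set, so crates pulled in by optional features (here the Symphonia
# audio decoders and their transitive dependencies) are never examined for
# license, advisory, duplicate or yanked-version problems.
name: Dependencies

on:
  pull_request:
    # Assumed trigger paths: re-run whenever the dependency graph or the
    # cargo-deny policy changes.
    paths: ["**/Cargo.toml", "**/Cargo.lock", "deny.toml"]
  schedule:
    # Weekly re-run: RustSec advisories and yanks appear without any code change
    # in the repository, so a PR-only trigger would miss them.
    - cron: "0 0 * * 0"

jobs:
  cargo-deny:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-deny
        run: cargo install cargo-deny --locked
      - name: Audit licenses, duplicates, advisories and yanked crates
        # Before the fix the workflow ran `cargo deny check`. `--all-features`
        # is a global cargo-deny option and goes before the subcommand, exactly
        # as in the command the reporter ran above; `--hide-inclusion-graph`
        # only trims the output.
        run: cargo deny --all-features check --hide-inclusion-graph
```

License exceptions for specific crates (the MPL-2.0 allowance for the Symphonia crates mentioned in the commit) belong in the repository's deny.toml policy, not in the workflow, so the flag change and the policy change are reviewed separately.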
rdrpenguin04 pushed a commit to rdrpenguin04/bevy that referenced this issue Jan 9, 2024
# Objective

Fix bevyengine#9880

## Solution

- Add the all-features flag
- Allow the "MPL-2.0" license for the [Symphonia](https://github.com/pdeljanov/Symphonia) crates
- Update dependencies that are unmaintained or have vulnerabilities: RustAudio/rodio#517, LiquidityC/slice_ring_buffer#7