Run cargo audit in CI? #81
Maybe we could run cargo audit on the CI for security audits. I just ran it on my machine:
```
$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 73 security advisories (from ~/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (79 crate dependencies)
error: Vulnerable crates found!

ID: RUSTSEC-2020-0006
Crate: bumpalo
Version: 3.2.0
Date: 2020-03-24
URL: https://rustsec.org/advisories/RUSTSEC-2020-0006
Title: Flaw in `realloc` allows reading unknown memory
Solution: upgrade to >= 3.2.1
Dependency tree:
bumpalo 3.2.0
└── wasm-bindgen-backend 0.2.59
    └── wasm-bindgen-macro-support 0.2.59
        └── wasm-bindgen-macro 0.2.59
            └── wasm-bindgen 0.2.59
                ├── web-sys 0.3.36
                │   └── plotters 0.2.12
                │       └── criterion 0.3.1
                │           └── flurry 0.2.1
                ├── plotters 0.2.12
                └── js-sys 0.3.36
                    ├── web-sys 0.3.36
                    └── plotters 0.2.12

warning: 1 warning found

Crate: bumpalo
Version: 3.2.0
Warning: package has been yanked!

error: 1 vulnerability found!
warning: 1 warning found!
```
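One way to wire the check into CI, as an added example that is not part of this issue or the project's own configuration: a GitHub Actions workflow that installs cargo-audit and scans Cargo.lock on every change to the lockfile and on a weekly schedule, so advisories published after the last commit (the situation above, where the only change was a new advisory and a yank) still fail a build. The workflow path, the scheduled time, and the `--deny yanked` flag (present in current cargo-audit releases; older releases spelled it `--deny-warnings`) are assumptions.

```yaml
# .github/workflows/audit.yml (hypothetical path; added example, not the project's own file)
name: cargo audit

on:
  push:
    paths: ["Cargo.lock", "Cargo.toml", ".github/workflows/audit.yml"]
  pull_request:
    paths: ["Cargo.lock", "Cargo.toml"]
  schedule:
    # Run weekly as well: a new RUSTSEC advisory or a yank affects an unchanged
    # Cargo.lock, so a push-only trigger would never notice it.
    - cron: "0 6 * * 1"   # assumed schedule

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable

      - name: Install cargo-audit
        # --locked keeps the audit tool's own dependency set reproducible.
        run: cargo install cargo-audit --locked

      - name: Audit Cargo.lock
        # cargo audit exits non-zero on any vulnerability (RUSTSEC-* advisory).
        # --deny yanked (assumed flag name) also fails the job on yanked crates,
        # which are otherwise reported only as a warning, as bumpalo 3.2.0 was above.
        run: cargo audit --deny yanked
```

The fix for a finding is a `cargo update -p <crate>` to a version at or above the advisory's "Solution" line (here `bumpalo >= 3.2.1`), after which the job goes green again.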