-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recording violations with non-binary audit criteria #446
Comments
Ah interesting. So the idea here is that cargo-vet should apply modus tollens on I imagine it should also be pretty straightforward to allow @mystor WDYT? |
I did some testing and it seems that
[[audits.byteorder]]
who = "David Koloski <djkoloski@gmail.com>"
criteria = "safe-to-run"
violation = "^1.4.3"
[package]
name = "second"
version = "0.1.0"
edition = "2021"
[dependencies]
byteorder = "=1.4.3"
[imports.first]
url = "http://localhost:8000/supply-chain/audits.toml"
[policy.byteorder]
criteria = "safe-to-deploy"
[[exemptions.byteorder]]
version = "1.4.3"
criteria = "safe-to-deploy" This yields the error we'd expect:
However, swapping these for custom criteria:
[criteria.safe-to-deploy-2]
description = "safe-to-deploy"
implies = "safe-to-run-2"
[criteria.safe-to-run-2]
description = "safe-to-run-2"
[[audits.byteorder]]
who = "David Koloski <djkoloski@gmail.com>"
criteria = "safe-to-run-2"
violation = "^1.4.3"
[criteria.safe-to-deploy-2]
description = "safe-to-deploy"
implies = "safe-to-run-2"
[criteria.safe-to-run-2]
description = "safe-to-run-2"
[imports.first]
url = "http://localhost:8000/supply-chain/audits.toml"
[policy.byteorder]
criteria = "safe-to-deploy-2"
[[exemptions.byteorder]]
version = "1.4.3"
criteria = "safe-to-deploy-2" Passes the check:
But also unexpectedly passes if the criteria is set to |
This error with [imports.first]
url = "http://localhost:8000/supply-chain/audits.toml"
[imports.first.criteria-map]
safe-to-deploy-2 = "safe-to-deploy-2"
safe-to-run-2 = "safe-to-run-2" You can also use this to change how criteria are mapped for the default criteria, though there is an identity mapping by-default. In terms of your original request around combining violations and audits into a single criteria, this would be potentially possible, but not the easiest to implement, as we currently always require only one key, and don't allow combo entries like this. If we did add something like that, it'd also be odd as the It would be interesting to learn more about how you want to use violations for these ub criteria. Right now our story around violations is one of the weakest stories (as others haven't had a use for them yet, so they haven't been exercised much), and it'd be good to learn more about how people who want to use them expect them to act. |
If I had to guess, I might interpret the goal here to be to affirmatively record the discovered UB issues and ensure someone else doesn't come along and patch the audit hole with a less-careful review. If that's the case though, you probably also want to do the work to specify a full version range rather than limiting the violation to the precise version you audited. Otherwise, it won't apply to the next trivial point release, even though the issue is almost certainly still there. |
Our goal is basically just to catch inconsistencies, and catch them eagerly. If we didn't use violations when recording these kinds of continuous criteria, we might have one of our imports provide (e.g.) One additional note is that it's currently pretty painful to reverse-engineer violation version ranges. We usually sit down with a specific version of a crate, review the code, and find some issues. To record a violation properly, we then additionally need to either:
I think it would be helpful to provide some tooling for bisecting violations, and it's a superset of what |
That bisection facility seems reasonable to add, feel free to file an issue for it. I'm also curious as to whether eagerly determining the violation range is the optimal process for you, or whether that's just an artifact of the cargo-vet workflow which we could consider improving. It seems to me that it might be enough to say "at least some versions of crate foo are ub-risk-3, including version X we considered importing" — and then defer the question of whether the problem exists in version Y to the moment where somebody actually tries to import version Y. Would this be preferable? |
Hm, I think that would actually be very helpful. If we could just say "a violation was introduced at some point between prior review and current review", then that would be sufficient for us. Maybe that could be used to prioritize which crates to audit using |
On Fuchsia, we'd like to record crate audits for UB risk on a scale from 0 (no unsafe code) to 4 (hard to avoid UB). We have that set up like this:
Which works well, we can record our audits by picking the strictest criteria that a crate satisfies. However, this makes it tricky to record violations:
Right now, it looks like we'll have to record violations at every lower
ub-risk-
level than the one we signed off on. Ideally, we'd be able to opt into contrapositivity withimplies
: "ub-risk-0
impliesub-risk-1
" also means that "notub-risk-1
implies notub-risk-0
". That would bring us down to needing a single extra violation, which would be easier to handle.If we could do that, then it would also be helpful for us to record the violation along with the criteria like:
The text was updated successfully, but these errors were encountered: