Merge pull request #742 from rustsec/cargo-audit-bin-tweaks

`rustsec` and `cargo audit` release preparation
rustsec · Oct 31, 2022 · 3274443 · 3274443
2 parents f863041 + b49542e
commit 3274443
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/cargo-audit/CHANGELOG.md b/cargo-audit/CHANGELOG.md
@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.17.3 (UNRELEASED)
+### Added
+
+ - `cargo audit bin` now attempts to detect dependencies in binaries not built with [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable) by parsing the panic messages ([#729]). This only detects about a half of the dependency list and never detects C code such as OpenSSL, but works on any Rust binaries built with `cargo`.
+ - Added integration tests for the `--deny=warnings` flag.
+
+### Fixed
+
+ - `cargo audit bin --deny=warnings` no longer exits after finding the first binary with warnings.
+
+### Changed
+
+ - Up to 5x faster `cargo audit bin` when scanning multiple files thanks to caching crates.io index lookups (implemented in `rustsec` crate).
+ - Notices about `cargo audit` or `rustsec` will now result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1). They are treated as warnings by default, so `--deny=warnings` is required to observe the new behavior.
+
+[#729]: https://github.com/rustsec/rustsec/pull/729
+
 ## 0.17.2 (2022-10-07)
 ### Changed
 

diff --git a/cargo-audit/Cargo.toml b/cargo-audit/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name         = "cargo-audit"
 description  = "Audit Cargo.lock for crates with security vulnerabilities"
-version      = "0.17.2"
+version      = "0.17.3"
 authors      = ["Tony Arcieri <bascule@gmail.com>"]
 license      = "Apache-2.0 OR MIT"
 homepage     = "https://rustsec.org"
@@ -20,7 +20,7 @@ maintenance = { status = "actively-developed" }
 abscissa_core = "0.6"
 clap = "3"
 home = "0.5"
-rustsec = { version = "0.26", features = ["dependency-tree"], path = "../rustsec" }
+rustsec = { version = "0.26.3", features = ["dependency-tree"], path = "../rustsec" }
 serde = { version = "1", features = ["serde_derive"] }
 serde_json = "1"
 thiserror = "1"

diff --git a/cargo-audit/src/auditor.rs b/cargo-audit/src/auditor.rs
@@ -175,7 +175,7 @@ impl Auditor {
             .presenter
             .should_exit_with_failure_due_to_self(&self.self_advisories())
         {
-            summary.vulnerabilities_found = true;
+            summary.errors_encountered = true;
         }
         summary
     }

diff --git a/rustsec/CHANGELOG.md b/rustsec/CHANGELOG.md
@@ -4,9 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## 0.26.3 (Unreleased)
 ### Added
-- `registry::CachedIndex` which allows efficiently scanning multiple `Cargo.lock` files or binaries.
+- `registry::CachedIndex` which is orders of magnitude faster than `registry::Index` when scanning multiple `Cargo.lock` files or binaries ([#730])
+
+[#730]: https://github.com/rustsec/rustsec/pull/730
 
 ## 0.26.2 (2022-08-15)
 ### Fixed

diff --git a/rustsec/Cargo.toml b/rustsec/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name         = "rustsec"
 description  = "Client library for the RustSec security advisory database"
-version      = "0.26.2" # Also update html_root_url in lib.rs when bumping this
+version      = "0.26.3"
 authors      = ["Tony Arcieri <bascule@gmail.com>"]
 license      = "Apache-2.0 OR MIT"
 homepage     = "https://rustsec.org"