
CICD: Run cargo audit #2569

Merged 1 commit into sharkdp:master from the cargo-audit branch on May 24, 2023

Conversation

@Enselic Enselic (Collaborator) commented May 14, 2023

This CI check will fail if there are crates with known security vulnerabilities in Cargo.lock.

It will not fail because of warnings. We currently have two warnings:

$ cargo audit
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 543 security advisories (from /home/martin/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (184 crate dependencies)
Crate:     encoding
Version:   0.2.33
Warning:   unmaintained
Title:     `encoding` is unmaintained
Date:      2021-12-05
ID:        RUSTSEC-2021-0153
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0153
Dependency tree:
encoding 0.2.33
└── bat 0.23.0

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── grep-cli 0.1.7
    └── bat 0.23.0

warning: 2 allowed warnings found

Note that cargo-audit is installed by default on GitHub's Ubuntu runners.

I've run this in my own projects for quite some time, and it works well in my experience.

If we run into a dep that has a vulnerability but no known fix, we can temporarily disable this check again. But it is good practice to run cargo-audit when possible.

This CI check will fail if there are crates with known security vulnerabilities in Cargo.lock.

It will not fail because of warnings. We currently have two warnings.

Note that cargo-audit is installed by default on GitHub's Ubuntu
runners.
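As an added example (not code from the bat project or from this PR), the following Python script implements the policy the description spells out, failing the job on advisories with a known vulnerability while only reporting warnings, and adds a time-boxed ignore list for the "vulnerability but no known fix" case so the check can stay enabled instead of being switched off. It reads a report in the shape I assume `cargo audit --json` produces (the field names `vulnerabilities.list[].advisory.id` and `warnings.<kind>[].advisory.id` are my assumption and should be checked against the cargo-audit version on the runner); the sample report is constructed, reusing the two warnings quoted above plus an invented vulnerability with a placeholder id.

```python
"""Gate a CI job on a cargo-audit JSON report.

Added example, not code from the bat project or from this PR. The report
layout (vulnerabilities.list[].advisory.id, warnings.<kind>[].advisory.id)
is an assumption about the `cargo audit --json` format. Policy: known
vulnerabilities fail the job, warnings (unmaintained, unsound, yanked) do not.
"""
import json
import sys
from datetime import date

# Constructed sample report. The two warnings are the ones quoted in the PR
# description; the vulnerability entry is invented and its id is a placeholder.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [{
            "advisory": {"id": "RUSTSEC-0000-0000",
                         "title": "placeholder: constructed vulnerability"},
            "package": {"name": "example-crate", "version": "1.0.0"},
        }],
    },
    "warnings": {
        "unmaintained": [{
            "kind": "unmaintained",
            "advisory": {"id": "RUSTSEC-2021-0153",
                         "title": "`encoding` is unmaintained"},
            "package": {"name": "encoding", "version": "0.2.33"},
        }],
        "unsound": [{
            "kind": "unsound",
            "advisory": {"id": "RUSTSEC-2021-0145",
                         "title": "Potential unaligned read"},
            "package": {"name": "atty", "version": "0.2.14"},
        }],
    },
})


def evaluate(report_json, ignored=None, today=None):
    """Apply the gating policy to one report; returns (passed, messages).

    `ignored` maps an advisory id to an ISO date until which it may be
    suppressed: a vulnerability with no fixed version yet is tolerated for a
    bounded time rather than the whole check being disabled, and once the
    date has passed the advisory blocks the job again. `today` is an ISO
    date string, defaulting to the current day.
    """
    report = json.loads(report_json)
    ignored = ignored or {}
    today = date.fromisoformat(today) if today else date.today()
    messages = []
    blocking = 0

    for vuln in report.get("vulnerabilities", {}).get("list", []):
        advisory_id = vuln["advisory"]["id"]
        pkg = vuln["package"]
        label = f"{advisory_id} in {pkg['name']} {pkg['version']}"
        expiry = ignored.get(advisory_id)
        if expiry is not None and today <= date.fromisoformat(expiry):
            messages.append(f"ignored until {expiry}: {label}")
        else:
            blocking += 1
            messages.append(f"VULNERABILITY: {label}")

    # Warnings are listed so they stay visible in the job log, but never block.
    for kind, entries in report.get("warnings", {}).items():
        for warning in entries:
            pkg = warning["package"]
            label = f"{warning['advisory']['id']} in {pkg['name']} {pkg['version']}"
            messages.append(f"warning ({kind}): {label}")

    return blocking == 0, messages


def main(argv):
    """Read the report from the path in argv[1] (the constructed sample when
    no path is given), print the findings and return the process exit code:
    1 when the policy rejects the report, which is what fails the CI step."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report_json = fh.read()
    else:
        report_json = SAMPLE_REPORT
    passed, messages = evaluate(report_json)
    print("\n".join(messages))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a runner this would be driven as `cargo audit --json > audit.json && python3 gate.py audit.json`; for the simple cases cargo-audit's own `--ignore` and `--deny` flags are enough without a wrapper, and the script mainly adds the expiry date so that a temporary exception cannot quietly become permanent.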
@eth-p eth-p (Collaborator) left a comment

Looks good to me!

@Enselic Enselic merged commit 7639e8b into sharkdp:master May 24, 2023
19 checks passed
@Enselic Enselic deleted the cargo-audit branch May 24, 2023 03:43
@sharkdp sharkdp (Owner) commented May 25, 2023

Thanks
