From 71a20dc18cf968830899c9af8d0c99b3e355e3ed Mon Sep 17 00:00:00 2001 From: Jake Shadle Date: Fri, 5 Aug 2022 09:48:36 +0200 Subject: [PATCH] Prep release (#444) * Update CHANGELOG * Update crates --- CHANGELOG.md | 11 +++++++++ Cargo.lock | 50 +++++++++++++++++++++++---------------- Cargo.toml | 14 +++++++---- src/advisories/helpers.rs | 23 ++++++++++-------- src/lib.rs | 2 +- src/sources.rs | 2 +- 6 files changed, 64 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3071cf83..a87a2566 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased] - ReleaseDate
+### Added
+- [PR#431](https://github.com/EmbarkStudios/cargo-deny/pull/432) resolved [#19](https://github.com/EmbarkStudios/cargo-deny/issues/19) by adding support for an allow list for build scripts, allowing a project to opt in (or deny completely) build scripts on a case by case basis rather than blanket allowing all build scripts. See the [`bans.allow-build-scripts`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-allow-build-scripts-field-optional) config option for more details. Thanks [@Stupremee](https://github.com/Stupremee)!
+
+### Fixed
+- [PR#430](https://github.com/EmbarkStudios/cargo-deny/pull/430) fixed an issue where local/git crates could be flagged as "yanked" if they shared a name and version with a crates.io crate that was yanked from the registry, resolving [#441](https://github.com/EmbarkStudios/cargo-deny/issues/441) before it was even opened. Thanks [@khuey](https://github.com/khuey)!
+- [PR#440](https://github.com/EmbarkStudios/cargo-deny/pull/440) fixed [#438](https://github.com/EmbarkStudios/cargo-deny/issues/438) by ensuring git cli output was piped properly rather than polluting the output of cargo-deny itself.
+- [PR#443](https://github.com/EmbarkStudios/cargo-deny/pull/443) fixed [#442](https://github.com/EmbarkStudios/cargo-deny/issues/442) by removing the signature check on the HEAD commit an advisory databases. This check didn't add meaningful security and could cause spurious failures if an unsigned commit was pushed to an advisory database.
+
+### Changed
+- [PR#431](https://github.com/EmbarkStudios/cargo-deny/pull/431) updated clap to 3.2. Thanks [@epage](https://github.com/epage)!
+ ## [0.12.1] - 2022-05-19 ### Fixed - [PR#426](https://github.com/EmbarkStudios/cargo-deny/pull/426) fixed an oversight in [PR#422](https://github.com/EmbarkStudios/cargo-deny/pull/422), fully resolving [#412](https://github.com/EmbarkStudios/cargo-deny/issues/412) by allowing both `https` and `ssh` URLs for advisory databases. Thanks [@jbg](https://github.com/jbg)! diff --git a/Cargo.lock b/Cargo.lock index 6022f929..3d4d4ac5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -147,9 +147,9 @@ dependencies = [ [[package]] name = "cargo" -version = "0.61.1" +version = "0.63.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f76f22dfcbc8e5aaa4e150373354723efe22b6b2280805f1fb6b1363005e7bab" +checksum = "7d092a7c3e3aaa66469b2233b58c0bf330419dad9c423165f2b9cf1c57dc9f2e" dependencies = [ "anyhow", "atty", @@ -173,6 +173,7 @@ dependencies = [ "humantime", "ignore", "im-rc", + "indexmap", "itertools", "jobserver", "lazy_static", @@ -185,6 +186,7 @@ dependencies = [ "opener", "openssl", "os_info", + "pathdiff", "percent-encoding", "rustc-workspace-hack", "rustfix", @@ -241,9 +243,9 @@ dependencies = [ [[package]] name = "cargo-lock" -version = "7.1.0" +version = "8.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6c408da54db4c50d4693f7e649c299bc9de9c23ead86249e5368830bb32a734b" +checksum = "3c4c54d47a4532db3494ef7332c257ab57b02750daae3250d49e01ee55201ce8" dependencies = [ "semver", "serde", @@ -262,9 +264,9 @@ dependencies = [ [[package]] name = "cargo-util" -version = "0.1.2" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a51c783163bdf4549820b80968d386c94ed45ed23819c93f59cca7ebd97fe0eb" +checksum = "f168b1f0481f7d340da591f5b5d0f2eb7c9eae4db5c6830878f26bf2fa80df39" dependencies = [ "anyhow", "core-foundation", 
@@ -284,9 +286,9 @@ dependencies = [ [[package]] name = "cargo_metadata" -version = "0.14.2" +version = "0.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4acbb09d9ee8e23699b9634375c72795d095bf268439da88562cf9b501f181fa" +checksum = "3abb7553d5b9b8421c6de7cb02606ff15e0c6eea7d8eadd75ef013fd636bec36" dependencies = [ "camino", "cargo-platform", @@ -579,9 +581,9 @@ dependencies = [ [[package]] name = "cvss" -version = "1.0.2" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "829862dabeab142ae0efd558d42d8fd874659268ccd810809ac6f1ee6bfcbd3f" +checksum = "7ec6a2f799b0e3103192800872de17ee1d39fe0c598628277b9b012f09b4010f" dependencies = [ "serde", ] @@ -899,9 +901,9 @@ dependencies = [ [[package]] name = "krates" -version = "0.10.1" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1811f463f5dfcfb1a4f35218b2bd7c5099ffc17562f02dfa94df06df1335e2ab" +checksum = "a857d4b6450fbc2b85c03684b2beae51916a5a90e2fb5f9c2b8acc920ad29e49" dependencies = [ "cargo_metadata", "cfg-expr", @@ -911,11 +913,11 @@ dependencies = [ [[package]] name = "kstring" -version = "1.0.6" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b310ccceade8121d7d77fee406160e457c2f4e7c7982d589da3499bc7ea4526" +checksum = "ec3066350882a1cd6d950d055997f379ac37fd39f81cd4d8ed186032eb3c5747" dependencies = [ - "serde", + "static_assertions", ] [[package]] @@ -1156,6 +1158,12 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c520e05135d6e763148b6426a837e239041653ba7becd2e538c076c738025fc" +[[package]] +name = "pathdiff" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8835116a5c179084a830efb3adc117ab007512b535bc1a21c991d3b32a6b44dd" + [[package]] name = "percent-encoding" version = "2.1.0" 
@@ -1180,9 +1188,9 @@ checksum = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae" [[package]] name = "platforms" -version = "2.0.0" +version = "3.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e8d0eef3571242013a0d5dc84861c3ae4a652e56e12adf8bdc26ff5f8cb34c94" +checksum = "d8ec293fd25f7fcfeb7c70129241419a62c6200a26a725f680aff07c91d0ed05" dependencies = [ "serde", ] @@ -1363,9 +1371,9 @@ dependencies = [ [[package]] name = "rustsec" -version = "0.25.1" +version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6136976fbabcd3ca37a12ae8ecc3408e8d7a94916d1cabdabd86aa4464e0887" +checksum = "1be23e93b1c670ea8d07dc9eb8a945bd8e760b207ce24c48da9cd68ef20f33eb" dependencies = [ "cargo-lock", "cvss", @@ -1668,9 +1676,9 @@ dependencies = [ [[package]] name = "toml_edit" -version = "0.13.4" +version = "0.14.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "744e9ed5b352340aa47ce033716991b5589e23781acb97cad37d4ea70560f55b" +checksum = "5376256e44f2443f8896ac012507c19a012df0fe8758b55246ae51a2279db51f" dependencies = [ "combine", "indexmap", diff --git a/Cargo.toml b/Cargo.toml index 0b7220f0..e819ad8b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,11 @@ path = "src/cargo-deny/main.rs" default = ["vendored-openssl"] # Allows the use of a vendored version openssl when compiling libgit, which allows # us to compile static executables (eg musl) and avoid system dependencies -vendored-openssl = ["cargo?/vendored-openssl", "crates-index/vendored-openssl", "git2/vendored-openssl"] +vendored-openssl = [ + "cargo?/vendored-openssl", + "crates-index/vendored-openssl", + "git2/vendored-openssl", +] # Allows embedding cargo as a library so that we can run in minimal (eg container) # environments that don't need to have cargo/rust installed on them for cargo-deny # to still function 
@@ -46,7 +50,7 @@ atty = "0.2"
 # Used to track various things during check runs
 bitvec = { version = "1.0", features = ["alloc"] }
 # Allows us to do eg cargo metadata operations without relying on an external cargo
-cargo = { version = "0.61", optional = true }
+cargo = { version = "0.63", optional = true }
 # Argument parsing
 clap = { version = "3.2.1", features = ["derive", "env"] }
 # Used for diagnostic reporting
@@ -65,20 +69,20 @@ git2 = "0.14"
 # We need to figure out HOME/CARGO_HOME in some cases
 home = "0.5"
 # Provides graphs on top of cargo_metadata
-krates = { version = "0.10", features = ["targets"] }
+krates = { version = "0.11", features = ["targets"] }
 # Log macros
 log = "0.4"
 # Moar brrrr
 rayon = "1.4"
 # Used for interacting with advisory databases
-rustsec = { version = "0.25", default-features = false }
+rustsec = { version = "0.26", default-features = false }
 # Parsing and checking of versions/version requirements
 semver = "1.0"
 # Gee what could it be
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 # Avoid some heap allocations when we likely won't need them
-smallvec = "1.6"
+smallvec = "1.9"
 # Used for parsing and checking SPDX license expressions
 spdx = "0.8"
 # Timestamp emission
diff --git a/src/advisories/helpers.rs b/src/advisories/helpers.rs
index 8b61a688..1ac57df0 100644
--- a/src/advisories/helpers.rs
+++ b/src/advisories/helpers.rs
@@ -1,7 +1,7 @@
 use crate::{Krate, Krates};
 use anyhow::{Context, Error};
 use log::{debug, info};
-pub use rustsec::{advisory::Id, lockfile::Lockfile, Database, Vulnerability};
+pub use rustsec::{advisory::Id, Database, Lockfile, Vulnerability};
 use std::path::{Path, PathBuf};
 use url::Url;
@@ -659,7 +659,7 @@ pub(crate) fn krate_for_pkg<'a>(
 .map(|(ind, krate)| (ind, &krate.krate))
 }
-pub use rustsec::warning::{Kind, Warning};
+pub use rustsec::{Warning, WarningKind};
 pub struct Report {
 pub vulnerabilities: Vec,
@@ -685,7 +685,6 @@ impl Report {
 // any here
 target_arch: None,
 target_os: None,
- package_scope: None,
 // We handle the severity ourselves
 severity: None,
 // We handle the ignoring of particular advisory ids ourselves
@@ -728,9 +727,9 @@ impl Report {
 }
 match kind {
- Kind::Notice => notices.append(&mut wi),
- Kind::Unmaintained => unmaintained.append(&mut wi),
- Kind::Unsound => unsound.append(&mut wi),
+ WarningKind::Notice => notices.append(&mut wi),
+ WarningKind::Unmaintained => unmaintained.append(&mut wi),
+ WarningKind::Unsound => unsound.append(&mut wi),
 _ => unreachable!(),
 }
 }
@@ -745,12 +744,16 @@ impl Report {
 }
 }
- pub fn iter_warnings(&self) -> impl Iterator {
+ pub fn iter_warnings(&self) -> impl Iterator {
 self.notices
 .iter()
- .map(|wi| (Kind::Notice, wi))
- .chain(self.unmaintained.iter().map(|wi| (Kind::Unmaintained, wi)))
- .chain(self.unsound.iter().map(|wi| (Kind::Unsound, wi)))
+ .map(|wi| (WarningKind::Notice, wi))
+ .chain(
+ self.unmaintained
+ .iter()
+ .map(|wi| (WarningKind::Unmaintained, wi)),
+ )
+ .chain(self.unsound.iter().map(|wi| (WarningKind::Unsound, wi)))
 }
 }
diff --git a/src/lib.rs b/src/lib.rs
index cc28878f..d9cb6527 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -94,7 +94,7 @@ pub mod sources;
 pub use cfg::{Spanned, UnvalidatedConfig};
 use krates::cm;
 pub use krates::{DepKind, Kid, Utf8PathBuf};
-pub use rustsec::package::source::SourceId;
+pub use rustsec::package::SourceId;
 /// The possible lint levels for the various lints. These function similarly
 /// to the standard [Rust lint levels](https://doc.rust-lang.org/rustc/lints/levels.html)
diff --git a/src/sources.rs b/src/sources.rs
index fab86dc9..ca511d1d 100644
--- a/src/sources.rs
+++ b/src/sources.rs
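Review bot: The `_ => unreachable!()` arm in `match kind` is carried across the rustsec 0.25 → 0.26 major bump (Cargo.toml hunk) with no statement of why it cannot fire; `WarningKind` is an external enum, so any variant the new version added or renamed would turn a reported warning into a panic of the advisory check at this arm. If the loop that yields `kind` (its header is outside the hunk) only ever queries the three kinds matched above, record that invariant in the arm: `_ => unreachable!("only notice/unmaintained/unsound warnings are queried"),`; if it does not, handle the remaining variants explicitly instead of panicking. The same three-way kind split is repeated in `iter_warnings` in the following hunk, so the two lists need to stay in sync when a kind is added.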
@@ -71,7 +71,7 @@ pub fn check(ctx: crate::CheckCtx<'_, ValidConfig>, mut sink: ErrorSink) {
 } else if source.is_git() {
 // Ensure the git source has at least the minimum specification
 if let Some((min, cfg_coord)) = &min_git_spec {
- pub use rustsec::package::source::GitReference;
+ pub use rustsec::package::GitReference;
 let spec = source
 .git_reference()
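Review bot: `pub use rustsec::package::GitReference;` is a block-local import inside an `if let` body, so the `pub` grants nothing (items declared inside a block are not nameable from outside it) and reads as though the type were re-exported from this module. Since the line is being rewritten for the new rustsec module path anyway, drop the visibility, `use rustsec::package::GitReference;`, or hoist the import to the file's top-level `use` block alongside the other `rustsec::package` paths. The enclosing `check` function starts and ends outside the hunk.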