Ignore default source when printing diags (#379)

* Fix issue with synthesized crates.io source

* Update CHANGELOG

* Update deps and fix deny config

CHANGELOG.md

@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Fixed
+- [PR#379](https://github.com/EmbarkStudios/cargo-deny/pull/379) fixed [#378](https://github.com/EmbarkStudios/cargo-deny/issues/378) which was an edge case where the `sources` check was executed against a crate that didn't use any crates from crates.io, and the config file was shorter than the crates.io URL.
+
 ## [0.10.2] - 2021-11-21
 ### Fixed
 - [PR#376](https://github.com/EmbarkStudios/cargo-deny/pull/376) fixed the JSON formatting when using `--format json` output option. Thanks [@dnaka91](https://github.com/dnaka91)!

deny.toml

@@ -14,9 +14,6 @@ unmaintained = "deny"
 notice = "deny"
 unsound = "deny"
 ignore = [
-    # askalono uses failure, which is now unmaintained
-    "RUSTSEC-2019-0036",
-    "RUSTSEC-2020-0036",
     # time/chrono problems, have not been a problem in practice
     "RUSTSEC-2020-0159",
     "RUSTSEC-2020-0071",
@@ -28,8 +25,10 @@ deny = []
 skip = [
     # clap uses an older version of ansi_term
     { name = "ansi_term", version = "=0.11.0" },
-    # askalono pulls in an ancient version of zstd that uses an outdated itertools
-    { name = "itertools", version = "=0.9.0" },
+    # cargo-util depends on 2 version one of which is outdated via crypto-hash
+    { name = "hex", version = "=0.3.2" },
+    # cargo depends on im-rc which uses an older version
+    { name = "rand_core", version = "=0.5.1" },
 ]
 
 [sources]

src/sources.rs

@@ -8,6 +8,8 @@ use crate::{
 };
 use url::Url;
 
+const CRATES_IO_URL: &str = "https://github.com/rust-lang/crates.io-index";
+
 pub fn check(ctx: crate::CheckCtx<'_, ValidConfig>, mut sink: ErrorSink) {
     use bitvec::prelude::*;
 
@@ -117,7 +119,7 @@ pub fn check(ctx: crate::CheckCtx<'_, ValidConfig>, mut sink: ErrorSink) {
                 // Show the location of the config that allowed this source, unless
                 // it's crates.io since that will be a vast majority of crates and
                 // is the default, so we might not have a real source location anyways
-                if source_url.as_str() != "https://github.com/rust-lang/crates.io-index" {
+                if source_url.as_str() != CRATES_IO_URL {
                     pack.push(diags::ExplicitlyAllowedSource {
                         src_label: &source_label,
                         type_name,
@@ -179,6 +181,12 @@ pub fn check(ctx: crate::CheckCtx<'_, ValidConfig>, mut sink: ErrorSink) {
         .zip(ctx.cfg.allowed_sources.into_iter())
         .filter_map(|(hit, src)| if !hit { Some(src) } else { None })
     {
+        // If someone in is in a situation that they want to disallow crates
+        // from crates.io, they should set the allowed registries manually
+        if src.url.as_ref().as_str() == CRATES_IO_URL {
+            continue;
+        }
+
         pack.push(diags::UnmatchedAllowSource {
             allow_src_cfg: CfgCoord {
                 span: src.url.span,

src/sources/cfg.rs

@@ -81,10 +81,15 @@ pub struct Config {
 
 #[inline]
 fn default_allow_registry() -> Vec<Spanned<String>> {
-    // This is always valid, so we don't have to worry about the span being fake
+    // This is always valid, so we don't have to worry about the span being fake,
+    // this is actually a lie though because if we try to print this span it will
+    // fail if it falls outside of the range of the config file, and even if it
+    // doesn't will just point to whatever text happens to be there, so we instead
+    // lie and just ignore it instead since a vast majority of usage should
+    // use this source
     vec![Spanned::new(
-        "https://github.com/rust-lang/crates.io-index".to_owned(),
-        0..44,
+        super::CRATES_IO_URL.to_owned(),
+        0..super::CRATES_IO_URL.len(),
     )]
 }