-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Making cargo-deny the official RustSec frontend? #194
Comments
Yes, I think we would be fine with taking on that responsibility as most of the pieces are already there.
I think I want to spend next week doing OS work, so I'll try and land the changes needed to close this issues, at least in terms of being able to be the official frontend. |
`cargo-audit` is likely going to be replaced by `cargo-deny` See this issue: EmbarkStudios/cargo-deny#194
`cargo-audit` is likely going to be replaced by `cargo-deny` See this issue: EmbarkStudios/cargo-deny#194
Ok, structured reporting has been done, will implement the fix subcommand now, then I was thinking could do a post users.rust-lang.org and maybe on Reddit as well for those who are not familar with cargo-deny already. |
Sounds good! If I understand correctly it looks like your JSON format is different from the one Another lingering item I'm curious if you're up for is call graph analysis to determine if a particular advisory impacts a given codebase. I'm happy to do the "heavy lifting" integration work on this in the |
The top level json object for each advisory diagnostic is indeed not the same, but the fully serialized advisory object is available from So call graph analysis would indeed be interesting, but I unfortunately don't think it fits into the scope of cargo-deny, as we currently confine ourselves to the inputs (cargo graph, crates.io index, advisory database etc) without worrying about the actual outputs of the crate/workspace, and just today #243 was opened so that we can run cargo-deny in environments without rust/cargo installed at all. We did open another project which is intended to be the flipside of cargo-deny and actually lint final or intermediate output binaries to detect eg dynamic libraries and such, but we haven't begun implementing in earnest yet as it's been vacation mode for the past month. |
Okay, sounds good. I think it might make sense to keep We already do in places like the https://github.com/rustsec/advisory-db repo but it'd be good to add to https://rustsec.org/ as well. |
`cargo-audit` is likely going to be replaced by `cargo-deny` See this issue: EmbarkStudios/cargo-deny#194
`cargo-audit` is likely going to be replaced by `cargo-deny` See this issue: EmbarkStudios/cargo-deny#194 Remove heuristic license tests cargo-deny replaces these, also inferring licenses from text
`cargo-audit` is likely going to be replaced by `cargo-deny` See this issue: EmbarkStudios/cargo-deny#194 Remove heuristic license tests cargo-deny replaces these, also inferring licenses from text
`cargo-audit` is likely going to be replaced by `cargo-deny` See this issue: EmbarkStudios/cargo-deny#194 Remove heuristic license tests cargo-deny replaces these, also inferring licenses from text
Just updating that I started working on a fix subcommand, but ended up having to fork some crates to add missing features and I wanted it to be able to handle more complex scenarios with multiple crate workspaces. |
I've merged #262 which adds the |
Cool, sounds good! On the We may eventually integrate such analysis into the |
Yes, I think as long as it is an optional feature that users can opt out of both at compile time and run time then that would work just fine. |
Closing this #300 (comment) |
Note that per what I said in #300, I still think this is a possibility, but I think integrating call graph analysis is the prerequisite. |
Hello, I'm the primary maintainer of RustSec.
On a recent Reddit thread someone suggested deprecating
cargo-audit
in favor ofcargo-deny
. The reporting functionality incargo-deny
has definitely eclipsed what's incargo-audit
.If this is something you're interested in, for me it's one fewer project to maintain.
My main concerns now are while from a reporting perspective
cargo-deny
is a superset, there are a few features I'm uncertain ifcargo-deny
supports at present:cargo audit fix
-alike support (automatically update Cargo.toml to correct vulnerabilities)Fortunately the core functionality of both of these features is already in the
rustsec
crate whichcargo-deny
already uses.If this is something you're interested in pursuing, let me know.
The text was updated successfully, but these errors were encountered: