-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify when to use cargo-deny and when to use cargo-audit #386
Comments
/cc @tarcieri |
In the past we’ve talked about phasing out I’m curious why you need to run both and the latter alone doesn’t meet your needs. |
If you only care about advisories, you should just use cargo-audit IMO, since any features related to advisory checking (from the library crate rustsec) will likely appear there before they appear in cargo-deny simply because they are maintained by the same people. If you care about checking licenses, duplicate/banned crates, and crate sources in addition to advisories, then cargo-deny would be more suited since it does all of them. However, you can just run them both in parallel if you like as well, and simply skip advisory checking with cargo-deny by specify which checks you want to run, eg #194 was closed because of the direction that cargo-audit is going in with regards to actually inspecting the final binary artifacts to see if the symbols related to an advisory, eg. "function foobar in crate danger at version 1.0.3 has can cause a segfault", are actually still in the binary, or were stripped out by the linker since they are never actually called, meaning the advisory doesn't trigger since the specific problematic function isn't present. At least at this time, my intention was for cargo-deny checks to be purely based on crate metadata with a few exceptions when it comes to license files, simply so that it always runs in sub second time frames no matter how large the project is (provided cargo has fetched crates already). This may change in the future of course, but it's definitely something I don't plan on any time soon, but could be motivated if there were other checks that could be added to binary artifacts, for example, ensuring that new system dependencies are not accidentally added and the like. |
This is exactly the model I want to implement in my CI/CD, so it seems like I can use cargo-deny and stop using cargo-audit. Thanks! I think it would be useful if this info were included in the documentation. |
In various CI/CD pipelines I am running both cargo-audit and cargo-deny. Recently I had to override a "unmaintained crate" warning and I was surprised to find I had to change both the cargo-deny and cargo-audit configuration. Then, the more I looked into things, the less I felt I understood what cargo-deny does that cargo-audit does, and vice-versa.
Also I want to work on some non-trivial enhancements to one tool or the other tool, but it isn't clear which tool I should add the enhancements to. Right now it looks like I'd need to propose the enhancements to both, and work on both in parallel.
I am subscribed to the now-closed issue #194 which was about, IIUC, merging cargo-audit and cargo-deny into one thing, but then something happened that I don't understand that caused that effort to stall out. It isn't clear to me to what extent the issues are technical vs. organizational.
My understanding from reading #194 is that cargo-audit does advisory checks in a way that reduces the number of advisories that one needs to worry about, relative to what cargo-deny does. Modulo that, is there any reason to use cargo-audit vs. cargo-deny now?
Conversely, if one is interested in the better advisory support in cargo-audit, then how would you recommend one configure cargo-deny so that it doesn't do any checks that are 100% redundant with what cargo-audit does?
The text was updated successfully, but these errors were encountered: