diff --git a/Cargo.lock b/Cargo.lock
index 7f962d4d..a1c6dfdf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -275,7 +275,7 @@ checksum = "e6e9e01327e6c86e92ec72b1c798d4a94810f147209bbe3ffab6a86954937a6f"
 [[package]]
 name = "cargo-audit"
-version = "0.17.2"
+version = "0.17.3"
 dependencies = [
 "abscissa_core",
 "auditable-info",
@@ -1757,7 +1757,7 @@ dependencies = [
 [[package]]
 name = "rustsec"
-version = "0.26.2"
+version = "0.26.3"
 dependencies = [
 "cargo-edit",
 "cargo-lock 8.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
diff --git a/cargo-audit/CHANGELOG.md b/cargo-audit/CHANGELOG.md
index 82e7154d..06e03055 100644
--- a/cargo-audit/CHANGELOG.md
+++ b/cargo-audit/CHANGELOG.md
@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## 0.17.3 (UNRELEASED)
+### Added
+
+ - `cargo audit bin` now attempts to detect dependencies in binaries not built with [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable) by parsing the panic messages ([#729]). This only detects about a half of the dependency list and never detects C code such as OpenSSL, but works on any Rust binaries built with `cargo`.
+ - Added integration tests for the `--deny=warnings` flag.
+
+### Fixed
+
+ - `cargo audit bin --deny=warnings` no longer exits after finding the first binary with warnings.
+
+### Changed
+
+ - Up to 5x faster `cargo audit bin` when scanning multiple files thanks to caching crates.io index lookups (implemented in `rustsec` crate).
+ - Notices about `cargo audit` or `rustsec` will now result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1). They are treated as warnings by default, so `--deny=warnings` is required to observe the new behavior.
+
+[#729]: https://github.com/rustsec/rustsec/pull/729
+
 ## 0.17.2 (2022-10-07)
 ### Changed
diff --git a/cargo-audit/Cargo.toml b/cargo-audit/Cargo.toml
index fba68b75..87decc5d 100644
--- a/cargo-audit/Cargo.toml
+++ b/cargo-audit/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "cargo-audit"
 description = "Audit Cargo.lock for crates with security vulnerabilities"
-version = "0.17.2"
+version = "0.17.3"
 authors = ["Tony Arcieri "]
 license = "Apache-2.0 OR MIT"
 homepage = "https://rustsec.org"
@@ -20,7 +20,7 @@ maintenance = { status = "actively-developed" }
 abscissa_core = "0.6"
 clap = "3"
 home = "0.5"
-rustsec = { version = "0.26", features = ["dependency-tree"], path = "../rustsec" }
+rustsec = { version = "0.26.3", features = ["dependency-tree"], path = "../rustsec" }
 serde = { version = "1", features = ["serde_derive"] }
 serde_json = "1"
 thiserror = "1"
diff --git a/cargo-audit/src/auditor.rs b/cargo-audit/src/auditor.rs
index 4757af21..90ad37e5 100644
--- a/cargo-audit/src/auditor.rs
+++ b/cargo-audit/src/auditor.rs
@@ -175,7 +175,7 @@ impl Auditor {
 .presenter
 .should_exit_with_failure_due_to_self(&self.self_advisories())
 {
- summary.vulnerabilities_found = true;
+ summary.errors_encountered = true;
 }
 summary
 }
diff --git a/rustsec/CHANGELOG.md b/rustsec/CHANGELOG.md
index 174fc220..bbadf5ac 100644
--- a/rustsec/CHANGELOG.md
+++ b/rustsec/CHANGELOG.md
@@ -4,9 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-## Unreleased
+## 0.26.3 (Unreleased)
 ### Added
-- `registry::CachedIndex` which allows efficiently scanning multiple `Cargo.lock` files or binaries.
+- `registry::CachedIndex` which is orders of magnitude faster than `registry::Index` when scanning multiple `Cargo.lock` files or binaries ([#730])
+
+[#730]: https://github.com/rustsec/rustsec/pull/730
 ## 0.26.2 (2022-08-15)
 ### Fixed
diff --git a/rustsec/Cargo.toml b/rustsec/Cargo.toml
index ea28f9ad..f63bc6b9 100644
--- a/rustsec/Cargo.toml
+++ b/rustsec/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "rustsec"
 description = "Client library for the RustSec security advisory database"
-version = "0.26.2" # Also update html_root_url in lib.rs when bumping this
+version = "0.26.3"
 authors = ["Tony Arcieri "]
 license = "Apache-2.0 OR MIT"
 homepage = "https://rustsec.org"
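Review bot: The `+ summary.errors_encountered = true;` line in `auditor.rs` reclassifies every advisory about cargo-audit/rustsec itself as a scan error (exit code 2 per the changelog in this commit) without any explanation at the decision site, so a reader of this file alone cannot tell that it is intentional rather than a mix-up with `vulnerabilities_found`; I would put the rationale above the `if`: `// An advisory against the scanner itself means these results cannot be trusted: surface it as a scan error (exit 2), not as a vulnerability in the scanned target (exit 1).` It is also worth confirming that `self_advisories()` only ever yields notices/warnings, because a genuine vulnerability advisory against `rustsec` would now leave `vulnerabilities_found` unset as well, and any JSON or CI consumer keyed on that field loses the signal. The changelog says integration tests for `--deny=warnings` were added, but no test change appears in this chunk, so the new exit-code contract is unverified here. The method that builds `summary` starts outside the hunk; only its tail is visible.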
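Review bot: The removed `version` line in `rustsec/Cargo.toml` carried the reminder `# Also update html_root_url in lib.rs when bumping this`, and the replacement drops it while no `rustsec/src/lib.rs` hunk is present in this chunk; either the `html_root_url` attribute is already gone, in which case dropping the comment is correct, or the crate's docs.rs links will keep pointing at 0.26.2 after this bump. If the attribute still exists, keep the reminder on the new line, `version = "0.26.3" # Also update html_root_url in lib.rs when bumping this`, and bump the attribute in the same commit. A one-line note in the commit message saying which case applies would spare the next reviewer the same check.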