
BinCommand duplicates options of AuditCommand in cargo-audit #1164

Open
aleksanderkrauze opened this issue Apr 5, 2024 · 2 comments

Comments

@aleksanderkrauze
Contributor

CLI flags in cargo_audit::commands::audit::AuditCommand are duplicated in cargo_audit::commands::audit::binary_scanning::BinCommand. This means that running help commands will produce:

$ cargo run -q -p cargo-audit -- audit -h
Audit Cargo.lock files for vulnerable crates

Usage: cargo audit [OPTIONS] [COMMAND]

Commands:
  bin   scan compiled binaries
  help  Print this message or the help of the given subcommand(s)

Options:
  -c, --color <COLOR>              color configuration: always, never (default: auto)
  -d, --db <DB>                    advisory database git repo path (default: ~/.cargo/advisory-db)
  -D, --deny <DENY>                exit with an error on: warnings (any), unmaintained, unsound, yanked
  -f, --file <FILE>                Cargo lockfile to inspect (or `-` for STDIN, default: Cargo.lock)
      --ignore <ADVISORY_ID>       Advisory id to ignore (can be specified multiple times)
      --ignore-source              Ignore sources of packages in Cargo.toml, matching advisories regardless of source
  -n, --no-fetch                   do not perform a git fetch on the advisory DB
      --stale                      allow stale database
      --target-arch <TARGET_ARCH>  filter vulnerabilities by CPU (default: no filter)
      --target-os <TARGET_OS>      filter vulnerabilities by OS (default: no filter)
  -u, --url <URL>                  URL for advisory database git repo
  -q, --quiet                      Avoid printing unnecessary information
      --json                       Output report in JSON format
  -h, --help                       Print help
  -V, --version                    Print version

and

$ cargo run -q -p cargo-audit -- audit bin -h
scan compiled binaries

Usage: cargo audit bin [OPTIONS] <BINARY_PATHS>...

Arguments:
  <BINARY_PATHS>...  Paths to the binaries to be scanned

Options:
  -c, --color <COLOR>              color configuration: always, never (default: auto)
  -d, --db <DB>                    advisory database git repo path (default: ~/.cargo/advisory-db)
  -D, --deny <DENY>                exit with an error on: warnings (any), unmaintained, unsound, yanked
      --ignore <ADVISORY_ID>       Advisory id to ignore (can be specified multiple times)
      --ignore-source              Ignore sources of packages in the audit data, matching advisories regardless of source
  -n, --no-fetch                   do not perform a git fetch on the advisory DB
      --stale                      allow stale database
      --target-arch <TARGET_ARCH>  filter vulnerabilities by CPU (default: no filter)
      --target-os <TARGET_OS>      filter vulnerabilities by OS (default: no filter)
  -u, --url <URL>                  URL for advisory database git repo
  -q, --quiet                      Avoid printing unnecessary information
      --json                       Output report in JSON format
  -h, --help                       Print help (see more with '--help')

This in turn allows running cargo audit bin with duplicated and possibly conflicting config values. For example, you can run:

cargo run -q -p cargo-audit -- audit --url https://foo bin --url https://bar /path/to/binary

I think this is some mistake and should be fixed by removing the duplicated options from BinCommand. This will of course be a breaking change, but it seems like the right thing to do. And I doubt this will break many people, given how odd it would be for someone to rely on this.

I am currently implementing #1160 and can do this together with it, if my proposal is accepted.
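
The ambiguity described in this report, as an added example that is not cargo-audit's own code: a toy model of the `audit [OPTIONS] bin [OPTIONS] <PATHS>...` shape with only two of the advisory-DB options (`--url`, `--no-fetch`). The `bin_accepts_db_opts` switch models BinCommand as reported (options duplicated) versus after the proposed fix (options only on the parent). All names here (`DbOpts`, `parse_audit`, `conflicting_urls`) are hypothetical and the argument vector is constructed from the command in the report; cargo-audit itself uses clap, and which value wins when both are given is not claimed here, only that the parser alone cannot tell which advisory DB the user meant.

```rust
// Added example, not cargo-audit's code. Hypothetical minimal parser that
// models the reported CLI shape and the proposed fix.

#[derive(Debug, Clone, Default, PartialEq)]
pub struct DbOpts {
    pub url: Option<String>, // advisory database git repo URL
    pub no_fetch: bool,      // skip git fetch on the advisory DB
}

#[derive(Debug, PartialEq)]
pub struct BinCmd {
    pub opts: DbOpts, // duplicated options: the bug being reported
    pub paths: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub struct AuditCmd {
    pub opts: DbOpts,
    pub bin: Option<BinCmd>,
}

const DB_OPTS: [&str; 4] = ["-u", "--url", "-n", "--no-fetch"];

/// Consume the DB option at `i` into `opts`. Ok(false) if the token is not one.
fn take_db_opt(args: &[&str], i: &mut usize, opts: &mut DbOpts) -> Result<bool, String> {
    match args[*i] {
        "-u" | "--url" => {
            let v = args.get(*i + 1).ok_or("--url requires a value")?;
            opts.url = Some(v.to_string());
            *i += 2;
            Ok(true)
        }
        "-n" | "--no-fetch" => {
            opts.no_fetch = true;
            *i += 1;
            Ok(true)
        }
        _ => Ok(false),
    }
}

/// Parse `audit [OPTIONS] [bin [OPTIONS] <PATHS>...]`.
/// `bin_accepts_db_opts == true` reproduces the reported behaviour; `false`
/// models the fix (DB options are rejected after the subcommand).
pub fn parse_audit(args: &[&str], bin_accepts_db_opts: bool) -> Result<AuditCmd, String> {
    let mut i = 0;
    let mut opts = DbOpts::default();
    let mut bin = None;
    while i < args.len() {
        if take_db_opt(args, &mut i, &mut opts)? {
            continue;
        }
        match args[i] {
            "bin" => {
                i += 1;
                let mut sub = DbOpts::default();
                let mut paths = Vec::new();
                while i < args.len() {
                    if args[i].starts_with('-') {
                        if bin_accepts_db_opts && take_db_opt(args, &mut i, &mut sub)? {
                            continue;
                        }
                        if DB_OPTS.contains(&args[i]) {
                            return Err(format!(
                                "unexpected argument '{}' after `bin`; pass it before the subcommand",
                                args[i]
                            ));
                        }
                        return Err(format!("unknown option '{}'", args[i]));
                    }
                    paths.push(args[i].to_string());
                    i += 1;
                }
                if paths.is_empty() {
                    return Err("bin: at least one <BINARY_PATHS> is required".to_string());
                }
                bin = Some(BinCmd { opts: sub, paths });
            }
            other => return Err(format!("unknown option '{}'", other)),
        }
    }
    Ok(AuditCmd { opts, bin })
}

/// With duplicated options there can be two different URLs and nothing in the
/// parsed command says which advisory DB was intended.
pub fn conflicting_urls(cmd: &AuditCmd) -> Option<(String, String)> {
    let sub = cmd.bin.as_ref()?;
    match (&cmd.opts.url, &sub.opts.url) {
        (Some(a), Some(b)) if a != b => Some((a.clone(), b.clone())),
        _ => None,
    }
}

fn main() {
    // Constructed from the command line quoted in the report.
    let argv = ["--url", "https://foo", "bin", "--url", "https://bar", "/path/to/binary"];
    let buggy = parse_audit(&argv, true).unwrap();
    println!("duplicated options: conflict = {:?}", conflicting_urls(&buggy));
    match parse_audit(&argv, false) {
        Ok(_) => println!("unexpected: fixed parser accepted the command"),
        Err(e) => println!("fixed parser rejects it: {e}"),
    }
}
```

The security-relevant point is the first branch: a CI job that sets `--url` once for the parent command can be silently overridden by a second `--url` after `bin`, so the scan may run against an advisory database other than the one the operator configured. Rejecting the option after the subcommand (or, in clap terms, declaring it once on the parent) leaves exactly one place where the DB source can be set.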

@Shnatsel
Member

Shnatsel commented Apr 5, 2024

Yes, that is a surprising edge case. It is not supposed to work this way. I would appreciate a fix. Thank you!

@aleksanderkrauze
Contributor Author

Thanks for confirmation. I'll add this to my TODO list then. 😄
