From 38d4f17f67ff21689d39f47892efe2150a03dfad Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Sun, 30 Oct 2022 23:55:28 +0100
Subject: [PATCH 1/8] Treat vulnerabilities in self as a scanning error and not a vulnerability in the scanned binary (exit code 1 instead of 2)
---
 cargo-audit/src/auditor.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cargo-audit/src/auditor.rs b/cargo-audit/src/auditor.rs
index 4757af21..90ad37e5 100644
--- a/cargo-audit/src/auditor.rs
+++ b/cargo-audit/src/auditor.rs
@@ -175,7 +175,7 @@ impl Auditor {
 .presenter
 .should_exit_with_failure_due_to_self(&self.self_advisories())
 {
- summary.vulnerabilities_found = true;
+ summary.errors_encountered = true;
 }
 summary
 }
From ddd1fec0b5b68bbff48f607f8325054da941b6cd Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 31 Oct 2022 00:17:54 +0100
Subject: [PATCH 2/8] Fill in CHANGELOG.md for the upcoming release
---
 cargo-audit/CHANGELOG.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/cargo-audit/CHANGELOG.md b/cargo-audit/CHANGELOG.md
index 82e7154d..eda9a26f 100644
--- a/cargo-audit/CHANGELOG.md
+++ b/cargo-audit/CHANGELOG.md
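Review bot: The commit subject says self-advisories now yield "exit code 1 instead of 2", but the changelog entry added later in this series (patch 2/8, reworded in patch 8/8) states the opposite mapping: a scanning error is exit code 2 and a vulnerability in the scanned binary is exit code 1. The hunk only flips `summary.vulnerabilities_found` to `summary.errors_encountered`; which exit code that flag maps to is decided outside this hunk, so one of the two descriptions is wrong and nothing in the code pins the intent for whoever gates CI on that code. I would put the rationale directly above the assignment: `// An advisory against cargo-audit/rustsec themselves is a problem with the scanner, not a finding against the scanned binary, so surface it as a scan error.` The enclosing method that builds `summary` inside `impl Auditor` starts outside the hunk. Since the changelog says integration tests for `--deny=warnings` were added, asserting the expected exit code there would catch a regression in this mapping.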
@@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.17.3 (UNRELEASED)
+### Added
+
+ - `cargo audit bin` now attempts to detect dependencies in binaries not built with [`cargo auditable`](https://github.com/rust-secure-code/cargo-auditable) by parsing the panic messages ([#729]). This only detects about a half of the dependency list and never detects C code such as OpenSSL, but works on any Rust binaries built with `cargo`.
+ - Added integration tests for the `--deny=warnings` flag.
+
+### Fixed
+
+ - `cargo audit bin --deny=warnings` no longer exits after finding the first binary with warnings.
+
+### Changed
+
+ - Up to 5x faster `cargo audit bin` when scanning multiple files thanks to caching crates.io index lookups (implemented in `rustsec` crate).
+ - Notices about `cargo audit` or `rustsec` crate are treated as warnings by default. With `--deny=warnings` they will result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1).
+
+[#729]: https://github.com/rustsec/rustsec/pull/729
+
 ## 0.17.2 (2022-10-07)
 ### Changed
 
From 337f32e98b3995646d55e91419dddd887a77cd90 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 31 Oct 2022 00:23:21 +0100
Subject: [PATCH 3/8] Drop obsolete comment - html_root_url no longer exists
---
 rustsec/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rustsec/Cargo.toml b/rustsec/Cargo.toml
index ea28f9ad..b5500d33 100644
--- a/rustsec/Cargo.toml
+++ b/rustsec/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "rustsec"
 description = "Client library for the RustSec security advisory database"
-version = "0.26.2" # Also update html_root_url in lib.rs when bumping this
+version = "0.26.2"
 authors = ["Tony Arcieri "]
 license = "Apache-2.0 OR MIT"
 homepage = "https://rustsec.org"
From 2fdeb3ef73afcf35c5eb006f052ab726ff97e4ac Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 31 Oct 2022 00:27:55 +0100
Subject: [PATCH 4/8] More complete changelog for rustsec crate
---
 rustsec/CHANGELOG.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rustsec/CHANGELOG.md b/rustsec/CHANGELOG.md
index 174fc220..bbadf5ac 100644
--- a/rustsec/CHANGELOG.md
+++ b/rustsec/CHANGELOG.md
@@ -4,9 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## 0.26.3 (Unreleased)
 ### Added
-- `registry::CachedIndex` which allows efficiently scanning multiple `Cargo.lock` files or binaries.
+- `registry::CachedIndex` which is orders of magnitude faster than `registry::Index` when scanning multiple `Cargo.lock` files or binaries ([#730])
+
+[#730]: https://github.com/rustsec/rustsec/pull/730
 
 ## 0.26.2 (2022-08-15)
 ### Fixed
From 35ecdb7194b79a2f70eaeaac2e500a4a8fbffb90 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 31 Oct 2022 00:28:21 +0100
Subject: [PATCH 5/8] bump rustsec to 0.26.3
---
 Cargo.lock | 2 +-
 rustsec/Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 7f962d4d..6218b6c2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1757,7 +1757,7 @@ dependencies = [
 
 [[package]]
 name = "rustsec"
-version = "0.26.2"
+version = "0.26.3"
 dependencies = [
 "cargo-edit",
 "cargo-lock 8.0.2 (registry+https://github.com/rust-lang/crates.io-index)",
diff --git a/rustsec/Cargo.toml b/rustsec/Cargo.toml
index b5500d33..f63bc6b9 100644
--- a/rustsec/Cargo.toml
+++ b/rustsec/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "rustsec"
 description = "Client library for the RustSec security advisory database"
-version = "0.26.2"
+version = "0.26.3"
 authors = ["Tony Arcieri "]
 license = "Apache-2.0 OR MIT"
 homepage = "https://rustsec.org"
From 807c5b9e770d059e03993fbb2e8bfa6e14506189 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 31 Oct 2022 00:28:47 +0100
Subject: [PATCH 6/8] bump cargo-audit to 0.17.3
---
 Cargo.lock | 2 +-
 cargo-audit/Cargo.toml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 6218b6c2..a1c6dfdf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -275,7 +275,7 @@ checksum = "e6e9e01327e6c86e92ec72b1c798d4a94810f147209bbe3ffab6a86954937a6f"
 
 [[package]]
 name = "cargo-audit"
-version = "0.17.2"
+version = "0.17.3"
 dependencies = [
 "abscissa_core",
 "auditable-info",
diff --git a/cargo-audit/Cargo.toml b/cargo-audit/Cargo.toml
index fba68b75..d0f9e3a9 100644
--- a/cargo-audit/Cargo.toml
+++ b/cargo-audit/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "cargo-audit"
 description = "Audit Cargo.lock for crates with security vulnerabilities"
-version = "0.17.2"
+version = "0.17.3"
 authors = ["Tony Arcieri "]
 license = "Apache-2.0 OR MIT"
 homepage = "https://rustsec.org"
From 8b7abdf9f382346183aa989669a14770088806ea Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 31 Oct 2022 00:29:37 +0100
Subject: [PATCH 7/8] Depend on rustsec 0.26.3 which added the CachedIndex used in `cargo audit bin`
---
 cargo-audit/Cargo.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cargo-audit/Cargo.toml b/cargo-audit/Cargo.toml
index d0f9e3a9..87decc5d 100644
--- a/cargo-audit/Cargo.toml
+++ b/cargo-audit/Cargo.toml
@@ -20,7 +20,7 @@ maintenance = { status = "actively-developed" }
 abscissa_core = "0.6"
 clap = "3"
 home = "0.5"
-rustsec = { version = "0.26", features = ["dependency-tree"], path = "../rustsec" }
+rustsec = { version = "0.26.3", features = ["dependency-tree"], path = "../rustsec" }
 serde = { version = "1", features = ["serde_derive"] }
 serde_json = "1"
 thiserror = "1"
From b49542eb08f80f776ee72ac1957cb748e3e94bb6 Mon Sep 17 00:00:00 2001
From: "Sergey \"Shnatsel\" Davidoff"
Date: Mon, 31 Oct 2022 00:42:14 +0100
Subject: [PATCH 8/8] Clarify changelog
---
 cargo-audit/CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cargo-audit/CHANGELOG.md b/cargo-audit/CHANGELOG.md
index eda9a26f..06e03055 100644
--- a/cargo-audit/CHANGELOG.md
+++ b/cargo-audit/CHANGELOG.md
@@ -17,7 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
  - Up to 5x faster `cargo audit bin` when scanning multiple files thanks to caching crates.io index lookups (implemented in `rustsec` crate).
- - Notices about `cargo audit` or `rustsec` crate are treated as warnings by default. With `--deny=warnings` they will result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1).
+ - Notices about `cargo audit` or `rustsec` will now result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1). They are treated as warnings by default, so `--deny=warnings` is required to observe the new behavior.
 
 [#729]: https://github.com/rustsec/rustsec/pull/729
 