mitigation: `Update "${adv.package}" crate to one of the following versions: ${patchedVersionsText}` | ||
} | ||
}) | ||
.reduce((results, v) => results.critical(v), new ModuleResults(key)) |
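Review bot: the `.reduce` on the last line maps every advisory to `critical`, and nothing in the hunk shows where that level comes from, so a reader of the report cannot tell it is a module default rather than data from `cargo audit`; lift the level into a named constant or module option with a comment stating it is a policy choice, which also makes the `high`-vs-`critical` question in this thread a one-line change later. On the first line, if `${patchedVersionsText}` can be empty (an advisory with no fixed release yet), the mitigation reads `Update "..." crate to one of the following versions:` with nothing after the colon and suggests an upgrade exists; branch on the empty case and say that no patched version is available instead.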
The `cargo audit` report does not contain any information about severity. I used `critical` as IMO it makes sense as a default value in this context. Any opinions?
Maybe `high` might be enough, but that's just semantics. If one wants to ignore it, they can do so via `.hawkeyerc`. Let's wait for the corresponding ticket to be resolved and then revisit this point: rustsec/advisory-db#20
if (!fs.existsSync(path.join(fm.target, 'Cargo.lock'))) { | ||
await exec.command('cargo generate-lockfile', { cwd: fm.target }) | ||
lockFileWasGeneratedByTheModule = true | ||
} |
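Review bot: setting `lockFileWasGeneratedByTheModule = true` only keeps the target clean if the matching deletion runs on every exit path, so put that cleanup in a `finally` around the `cargo audit` call rather than after it; otherwise an audit that fails or throws leaves a module-generated `Cargo.lock` in a library checkout. Two caveats worth a comment in this hunk: `cargo generate-lockfile` resolves every dependency to the newest semver-compatible release and needs network access to the registry index, so what gets audited is what a fresh build would pull today, not what a library's downstream users have locked; and `fs.existsSync` followed by the command is check-then-act, so a lockfile that appears in between (a concurrent scan of the same checkout) is later deleted as if the module had created it. Checking that `fm.target` is writable before running the command would turn the UID/GID failure discussed below into a clear error instead of a cargo stack trace.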
If the package is a library then `Cargo.lock` should not be present and `cargo audit` will fail. IMO it makes sense to generate a lock file and remove it after processing, to make it useful for library owners as well. Opinions?
I am divided on this: on the one hand, we should avoid "polluting" the target folder; on the other hand, this is really useful. This might lead to some `UID` and `GID` issues when running in CI, but this can be easily mitigated with the proper `docker run` command. Unfortunately `cargo generate-lockfile` gives us no option as to where the lockfile should be created, otherwise I'd have put it into a temporary folder. I'd say we go this route until someone complains :)
There won't be any pollution because we delete it later, but there might be an issue with access when creating the lock file.

> I'd say we go this route until someone complains :)

Totally agree 😄
Dockerfile (outdated)
@@ -71,6 +71,11 @@ RUN cd /usr/local/bin && \ | |||
wget --quiet https://get.sensiolabs.org/security-checker.phar && \ | |||
chmod +x security-checker.phar | |||
|
|||
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y | |||
ENV PATH=/root/.cargo/bin:$PATH |
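Review bot: the `ENV PATH=/root/.cargo/bin:$PATH` line ties the toolchain to root's home, which is unreachable once the container runs as an unprivileged user; rustup-init honours `CARGO_HOME` and `RUSTUP_HOME`, so setting `ENV CARGO_HOME=/usr/local/cargo RUSTUP_HOME=/usr/local/rustup` before the `RUN` line and pointing `PATH` at `/usr/local/cargo/bin` resolves the `/root` concern raised in this thread without fighting `$HOME`. The `curl ... | sh -s -- -y` line also installs whatever `stable` is on build day from an unpinned remote script; passing `--default-toolchain <version>` and `--profile minimal` to the installer makes the image reproducible and smaller, and verifying the downloaded installer against a known checksum, or starting from the official `rust` base image, takes the remote script out of the trust path entirely.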
The `/root` part confuses me, but apparently `$HOME` is not accessible in a Dockerfile. Couldn't find a way around it.
What about `/usr/local/opt/`?
Let's move the install directory away from `/root`, otherwise looks good.
> What about `/usr/local/opt/`?

@felixhammerl Done
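One way to move the toolchain out of `/root` as requested above, as an added example that is not the PR's Dockerfile: rustup-init reads `RUSTUP_HOME` and `CARGO_HOME` from the environment, so both can be set before the installer runs and `PATH` pointed at the shared location. The `/usr/local/rustup` and `/usr/local/cargo` paths, the `stable` toolchain choice and the `cargo install cargo-audit` step are assumptions for illustration.

```dockerfile
# Added example (not the project's Dockerfile): install the Rust toolchain under
# /usr/local instead of /root so a non-root runtime user can reach it.
# Paths and toolchain are assumptions, not project settings.
ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH

# rustup-init honours RUSTUP_HOME/CARGO_HOME. --profile minimal skips docs,
# --no-modify-path keeps it from editing root's shell profile, and a pinned
# --default-toolchain (an exact version rather than "stable") makes rebuilds
# reproducible. chmod makes the shared install readable for any user.
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
      | sh -s -- -y --profile minimal --default-toolchain stable --no-modify-path \
    && cargo install cargo-audit \
    && chmod -R a+rX "$RUSTUP_HOME" "$CARGO_HOME"
```

Note that the download itself is still an unpinned `curl | sh`; a stricter build either verifies the fetched installer against a known checksum before piping it to `sh` or starts from the official `rust` base image so no remote script is executed at build time.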
Description

Add a new module that wraps `cargo audit` for checking dependency versions in `Cargo.lock` against known vulnerabilities.

Fixes #100

Type of change

Toolchain

How Has This Been Tested?

`/lib/modules/rust-cargoaudit/__tests__/cargoaudit-unit.js`

Test Configuration:

`/lib/modules/rust-cargoaudit/__tests__/sample/default` and `/lib/modules/rust-cargoaudit/__tests__/sample/no-lock-file`

Checklist: