Update Action name and description

Setting denyWarnings will pass that flag to cargo audit.

Closes #3

CHANGELOG.md

@@ -7,9 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.0] - 2022-08-14
+
+### Added
+
+* Present aliases for the RustSec ID and related advisories in the overview table (#1).
+
+### Changed
+
+* Setting `denyWarnings` will now pass `--deny warnings` to cargo audit.
+
 ## [1.0.1] - 2022-08-09
 
-Create proper release tags.
+### Added
+
+* Create proper release tags.
 
 ## [1.0.0] - 2022-08-09
 

README.md

@@ -38,6 +38,9 @@ jobs:
 
 All inputs are optional.
 Consider adding a [`audit.toml` configuration file] to your repository for further configurations.
+cargo audit supports multiple warning types, such as unsound code or yanked crates.
+Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
+Setting `denyWarnings` to true will also enable these warnings, but each warning is upgraded to an error.
 
 | Name           | Description                                                                                      | Default                                                                  |
 | -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |

action.yml

@@ -1,6 +1,6 @@
-name: Audit Rust Dependencies
+name: cargo audit your Rust Dependencies
 description: |
-  Audit Rust dependencies for vulnerabilities or outdated dependencies.
+  Audit Rust dependencies with cargo audit and the RustSec Advisory DB
 branding:
   icon: "shield"
   color: "red"

audit.py

@@ -62,26 +62,74 @@ class Entry:
     def _entry_table(self) -> str:
         advisory = self.entry["advisory"]
 
-        if self.warning_type is None:
-            warning = ""
-        else:
-            warning = f"\n| Warning            | {self.warning_type} |"
-        unaffected = " OR ".join(self.entry["versions"]["unaffected"])
-        if unaffected != "":
-            unaffected = f"\n| Unaffected Versions | `{unaffected}` |"
-        patched = " OR ".join(self.entry["versions"]["patched"])
-        if patched == "":
-            patched = "n/a"
-        else:
-            patched = f"`{patched}`"
-        table = f"""| Details            |                                      |
-| ---                | ---                                  |
-| Package            | `{advisory['package']}`              |
-| Version            | `{self.entry['package']['version']}` |{warning}
-| URL                | <{advisory['url']}>                  |
-| Patched Versions   | {patched}                            |{unaffected}
-"""
-        return table
+        table = []
+        table.append(("Details", ""))
+        table.append(("---", "---"))
+        table.append(("Package", f"`{advisory['package']}`"))
+        table.append(("Version", f"`{self.entry['package']['version']}`"))
+        if self.warning_type is not None:
+            table.append(("Warning", str(self.warning_type)))
+        table.append(("URL", advisory["url"]))
+        table.append(
+            (
+                "Patched Versions",
+                " OR ".join(self.entry["versions"]["patched"])
+                if len(self.entry["versions"]["patched"]) > 0
+                else "n/a",
+            )
+        )
+        if len(self.entry["versions"]["unaffected"]) > 0:
+            table.append(
+                (
+                    "Unaffected Versions",
+                    " OR ".join(self.entry["versions"]["unaffected"]),
+                )
+            )
+        if len(advisory["aliases"]) > 0:
+            table.append(
+                (
+                    "Aliases",
+                    ", ".join(
+                        Entry._md_autolink_advisory_id(advisory_id)
+                        for advisory_id in advisory["aliases"]
+                    ),
+                )
+            )
+        if len(advisory["related"]) > 0:
+            table.append(
+                (
+                    "Related Advisories",
+                    ", ".join(
+                        Entry._md_autolink_advisory_id(advisory_id)
+                        for advisory_id in advisory["related"]
+                    ),
+                )
+            )
+
+        table_parts = []
+        for row in table:
+            table_parts.append("| ")
+            table_parts.append(row[0])
+            table_parts.append(" | ")
+            table_parts.append(row[1])
+            table_parts.append(" |\n")
+
+        return "".join(table_parts)
+
+    @classmethod
+    def _md_autolink_advisory_id(cls, advisory_id: str) -> str:
+        """
+        If a supported advisory format, such as GHSA- is detected, return a markdown link.
+        Otherwise return the ID as text.
+        """
+
+        if advisory_id.startswith("GHSA-"):
+            return f"[{advisory_id}](https://github.com/advisories/{advisory_id})"
+        if advisory_id.startswith("CVE-"):
+            return f"[{advisory_id}](https://nvd.nist.gov/vuln/detail/{advisory_id})"
+        if advisory_id.startswith("RUSTSEC-"):
+            return f"[{advisory_id}](https://rustsec.org/advisories/{advisory_id})"
+        return advisory_id
 
     def format_as_markdown(self) -> str:
         advisory = self.entry["advisory"]
@@ -261,8 +309,13 @@ def run() -> None:
             ignore_args.append("--ignore")
             ignore_args.append(ign)
 
+    extra_args = []
+    if os.environ["INPUT_DENY_WARNINGS"] == "true":
+        extra_args.append("--deny")
+        extra_args.append("warnings")
+
     completed = subprocess.run(
-        ["cargo", "audit", "--json"] + ignore_args,
+        ["cargo", "audit", "--json"] + extra_args + ignore_args,
         capture_output=True,
         text=True,
         check=False,