Update cargo-audit to 0.20.0

[pre-commit.ci] pre-commit autoupdate

.github/workflows/autotag-releases.yml

@@ -15,11 +15,11 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Get version from tag
         id: tag_name
         run: |
-          echo ::set-output name=current_version::${GITHUB_REF#refs/tags/}
+          echo "current_version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
         shell: bash
       - name: Create and push tags
         run: |

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 22.6.0
+    rev: 24.1.1
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v4.5.0
     hooks:
       - id: check-ast
       - id: check-case-conflict
@@ -14,19 +14,25 @@ repos:
       - id: end-of-file-fixer
       - id: trailing-whitespace
   - repo: https://github.com/PyCQA/isort
-    rev: 5.10.1
+    rev: 5.13.2
     # https://github.com/psf/black/blob/main/docs/guides/using_black_with_other_tools.md
     hooks:
       - id: isort
         args: ["--profile=black"]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v2.37.3
+    rev: v3.15.0
     hooks:
       - id: pyupgrade
         args: ["--py37-plus"]
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.971
+    rev: v1.8.0
     hooks:
       - id: mypy
         additional_dependencies:
           - types-requests
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.28.0
+    hooks:
+      - id: check-dependabot
+      - id: check-github-actions
+      - id: check-github-workflows

CHANGELOG.md

@@ -7,9 +7,90 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.14] - 2024-02-18
+
+* Update `cargo-audit` to 0.20.0
+
+## [1.1.13] - 2024-02-03
+
+* Update `cargo-audit` to 0.19.0
+
+## [1.1.12] - 2024-01-20
+
+* Fix default of `file` argument to make it work again for repositories without `Cargo.lock` checked in.
+
+## [1.1.11] - 2024-01-18
+
+* Allow specifying the path to the `Cargo.lock` file, in case it is not in the root of the repository (#55)
+* Update the example in the readme, to have the correct permissions for private repositories.
+
+## [1.1.10] - 2023-11-02
+
+* Fix running the action, by using the correct version of the cache action.
+
+## [1.1.9] - 2023-11-01
+
+* Update `cargo-audit` to 0.18.3
+
+## [1.1.8] - 2023-08-23
+
+* Handle missing data in advisories better to prevent crashing (#40)
+
+## [1.1.7] - 2023-05-12
+
+* Update `cargo-audit` to 0.17.6
+
+## [1.1.6] - 2023-03-24
+
+* Update `cargo-audit` to 0.17.5
+
+## [1.1.5] - 2022-12-22
+
+* Fix duplicate issues for yanked crates.
+
+    The previous version introduced a bug where existing issues were not properly detected.
+    This only affected issues for yanked crates.
+    Now duplicate issues will no longer be created.
+
+## [1.1.4] - 2022-12-22
+
+* Handle warnings without any associated advisory.
+
+    This occurs for yanked crates, where the `advisory` field is `null` in the JSON output.
+    Now a message is shown that the crate and version is yanked.
+
+## [1.1.3] - 2022-12-05
+
+* Fix the path to the cargo installation directory to fix caching.
+
+## [1.1.2] - 2022-11-09
+
+### Changed
+
+* Update `cargo-audit` to 0.17.4 which fixes checking for yanked crates.
+
+## [1.1.1] - 2022-10-13
+
+### Changed
+
+* Switch from set-output to $GITHUB_OUTPUT to avoid warning
+    https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
+
+## [1.1.0] - 2022-08-14
+
+### Added
+
+* Present aliases for the RustSec ID and related advisories in the overview table (#1).
+
+### Changed
+
+* Setting `denyWarnings` will now pass `--deny warnings` to cargo audit.
+
 ## [1.0.1] - 2022-08-09
 
-Create proper release tags.
+### Added
+
+* Create proper release tags.
 
 ## [1.0.0] - 2022-08-09
 

README.md

@@ -13,20 +13,27 @@ name: "Audit Dependencies"
 on:
   push:
     paths:
+      # Run if workflow changes
+      - '.github/workflows/audit.yml'
+      # Run on changed dependencies
       - '**/Cargo.toml'
       - '**/Cargo.lock'
+      # Run if the configuration file changes
+      - '**/audit.toml'
+  # Rerun periodicly to pick up new advisories
   schedule:
     - cron: '0 0 * * *'
-
-permissions: read-all
+  # Run manually
+  workflow_dispatch:
 
 jobs:
   audit:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       issues: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions-rust-lang/audit@v1
         name: Audit Rust Dependencies
         with:
@@ -38,11 +45,15 @@ jobs:
 
 All inputs are optional.
 Consider adding a [`audit.toml` configuration file] to your repository for further configurations.
+cargo audit supports multiple warning types, such as unsound code or yanked crates.
+Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
+Setting `denyWarnings` to true will also enable these warnings, but each warning is upgraded to an error.
 
 | Name           | Description                                                                                      | Default                                                                  |
 | -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
 | `TOKEN`        | The GitHub access token to allow us to retrieve, create and update issues (automatically set).   | `github.token`                                                           |
 | `denyWarnings` | Any warnings generated will be treated as an error and fail the action.                          | false                                                                    |
+| `file`         | The path to the Cargo.lock file.                                                                 |                                                                          |
 | `ignore`       | A comma separated list of Rustsec IDs to ignore.                                                 |                                                                          |
 | `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
 

action.yml

@@ -1,6 +1,6 @@
-name: Audit Rust Dependencies
+name: cargo audit your Rust Dependencies
 description: |
-  Audit Rust dependencies for vulnerabilities or outdated dependencies.
+  Audit Rust dependencies with cargo audit and the RustSec Advisory DB
 branding:
   icon: "shield"
   color: "red"
@@ -14,6 +14,10 @@ inputs:
     description: "Any warnings generated will be treated as an error and fail the action"
     required: false
     default: "false"
+  file:
+    description: "Cargo lockfile to inspect"
+    required: false
+    default: ""
   ignore:
     description: "A comma separated list of Rustsec IDs to ignore"
     required: false
@@ -26,19 +30,23 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: actions/cache@v3
+    - name: Identify cargo installation directory
+      run: echo "cargohome=${CARGO_HOME:-$HOME/.cargo}" >> $GITHUB_OUTPUT
+      shell: bash
+      id: cargo-home
+    - uses: actions/cache@v4
       id: cache
       with:
         path: |
-          ${{ env.CARGO_HOME }}/.cargo/bin/cargo-audit*
-          ${{ env.CARGO_HOME }}/.cargo/.crates.toml
-          ${{ env.CARGO_HOME }}/.cargo/.crates2.json
-        key: cargo-audit-v0.17.0
+          ${{ steps.cargo-home.outputs.cargohome }}/bin/cargo-audit*
+          ${{ steps.cargo-home.outputs.cargohome }}/.crates.toml
+          ${{ steps.cargo-home.outputs.cargohome }}/.crates2.json
+        key: cargo-audit-v0.20.0
 
     - name: Install cargo-audit
       if: steps.cache.outputs.cache-hit != 'true'
       # Update both this version number and the cache key
-      run: cargo install cargo-audit --vers 0.17.0
+      run: cargo install cargo-audit --vers 0.20.0 --no-default-features
       shell: bash
 
     - run: |
@@ -48,6 +56,7 @@ runs:
       env:
         INPUT_CREATE_ISSUES: ${{ inputs.createIssues }}
         INPUT_DENY_WARNINGS: ${{ inputs.denyWarnings }}
+        INPUT_FILE: ${{ inputs.file }}
         INPUT_IGNORE: ${{ inputs.ignore }}
         INPUT_TOKEN: ${{ inputs.TOKEN }}
         PYTHONPATH: ${{ github.action_path }}

audit.py

@@ -11,6 +11,15 @@ import requests
 # https://github.com/alstr/todo-to-issue-action/blob/25c80e9c4999d107bec208af49974d329da26370/main.py
 # Originally licensed under MIT license
 
+# Timeout in seconds for requests methods
+TIMEOUT = 30
+
+
+def debug(message: str) -> None:
+    """Print a debug message to the GitHub Action log"""
+    newline = "\n"
+    print(f"""::debug::{message.replace(newline, " ")}""")
+
 
 class Issue:
     """Basic Issue model for collecting the necessary info to send to GitHub."""
@@ -21,7 +30,7 @@ class Issue:
         labels: List[str],
         assignees: List[str],
         body: str,
-        rustsec_id: str,
+        rustsec_id: str,  # Should be the start of the title
     ) -> None:
         self.title = title
         self.labels = labels
@@ -59,58 +68,166 @@ class Entry:
         self.entry_type = entry_type
         self.warning_type = warning_type
 
-    def _entry_table(self) -> str:
-        advisory = self.entry["advisory"]
+    def id(self) -> str:
+        """
+        Return the ID of the entry.
+        """
 
-        if self.warning_type is None:
-            warning = ""
+        # IMPORTANT: Coordinate this value with the `_get_existing_issues` method below.
+        # Any value returned here must also be present in the filtering there, since the id will be used in the issue title.
+
+        advisory = self.entry.get("advisory", None)
+        if advisory:
+            return advisory["id"]
         else:
-            warning = f"\n| Warning            | {self.warning_type} |"
-        unaffected = " OR ".join(self.entry["versions"]["unaffected"])
-        if unaffected != "":
-            unaffected = f"\n| Unaffected Versions | `{unaffected}` |"
-        patched = " OR ".join(self.entry["versions"]["patched"])
-        if patched == "":
-            patched = "n/a"
+            return f"Crate {self.entry['package']['name']} {self.entry['package']['version']}"
+
+    def _entry_table(self) -> str:
+        advisory = self.entry.get("advisory", None)
+
+        if advisory:
+            table = []
+            table.append(("Details", ""))
+            table.append(("---", "---"))
+            table.append(("Package", f"`{advisory['package']}`"))
+            table.append(("Version", f"`{self.entry['package']['version']}`"))
+            if self.warning_type is not None:
+                table.append(("Warning", str(self.warning_type)))
+            table.append(("URL", advisory["url"]))
+            table.append(
+                (
+                    "Patched Versions",
+                    (
+                        " OR ".join(self.entry["versions"]["patched"])
+                        if len(self.entry["versions"]["patched"]) > 0
+                        else "n/a"
+                    ),
+                )
+            )
+            if len(self.entry["versions"]["unaffected"]) > 0:
+                table.append(
+                    (
+                        "Unaffected Versions",
+                        " OR ".join(self.entry["versions"]["unaffected"]),
+                    )
+                )
+            if len(advisory["aliases"]) > 0:
+                table.append(
+                    (
+                        "Aliases",
+                        ", ".join(
+                            Entry._md_autolink_advisory_id(advisory_id)
+                            for advisory_id in advisory["aliases"]
+                        ),
+                    )
+                )
+            if len(advisory["related"]) > 0:
+                table.append(
+                    (
+                        "Related Advisories",
+                        ", ".join(
+                            Entry._md_autolink_advisory_id(advisory_id)
+                            for advisory_id in advisory["related"]
+                        ),
+                    )
+                )
+
+            table_parts = []
+            for row in table:
+                table_parts.append("| ")
+                if row[0] is not None:
+                    table_parts.append(row[0])
+                table_parts.append(" | ")
+                if row[1] is not None:
+                    table_parts.append(row[1])
+                else:
+                    table_parts.append("n/a")
+                table_parts.append(" |\n")
+
+            return "".join(table_parts)
         else:
-            patched = f"`{patched}`"
-        table = f"""| Details            |                                      |
-| ---                | ---                                  |
-| Package            | `{advisory['package']}`              |
-| Version            | `{self.entry['package']['version']}` |{warning}
-| URL                | <{advisory['url']}>                  |
-| Patched Versions   | {patched}                            |{unaffected}
+            # There is no advisory.
+            # This occurs when a yanked version is detected.
+
+            name = self.entry["package"]["name"]
+            return f"""{self.id()} is yanked.
+Switch to a different version of `{name}` to resolve this issue.
 """
-        return table
+
+    @classmethod
+    def _md_autolink_advisory_id(cls, advisory_id: str) -> str:
+        """
+        If a supported advisory format, such as GHSA- is detected, return a markdown link.
+        Otherwise return the ID as text.
+        """
+
+        if advisory_id.startswith("GHSA-"):
+            return f"[{advisory_id}](https://github.com/advisories/{advisory_id})"
+        if advisory_id.startswith("CVE-"):
+            return f"[{advisory_id}](https://nvd.nist.gov/vuln/detail/{advisory_id})"
+        if advisory_id.startswith("RUSTSEC-"):
+            return f"[{advisory_id}](https://rustsec.org/advisories/{advisory_id})"
+        return advisory_id
 
     def format_as_markdown(self) -> str:
-        advisory = self.entry["advisory"]
+        advisory = self.entry.get("advisory", None)
 
-        entry_table = self._entry_table()
-        md = f"""## {self.entry_type.icon()} {advisory['id']}: {advisory['title']}
+        if advisory:
+            entry_table = self._entry_table()
+            # Replace the @ with a ZWJ to avoid triggering markdown autolinks
+            # Otherwise GitHub will interpret the @ as a mention
+            description = advisory["description"].replace("@", "@\u200d")
+
+            md = f"""## {self.entry_type.icon()} {advisory['id']}: {advisory['title']}
 
 {entry_table}
 
-{advisory['description']}
+{description}
+"""
+            return md
+        else:
+            # There is no advisory.
+            # This occurs when a yanked version is detected.
+
+            name = self.entry["package"]["name"]
+            return f"""## {self.entry_type.icon()} {self.id()} is yanked.
+
+Switch to a different version of `{name}` to resolve this issue.
 """
-        return md
 
     def format_as_issue(self, labels: List[str], assignees: List[str]) -> Issue:
-        advisory = self.entry["advisory"]
+        advisory = self.entry.get("advisory", None)
 
-        entry_table = self._entry_table()
+        if advisory:
+            entry_table = self._entry_table()
 
-        title = f"{advisory['id']}: {advisory['title']}"
-        body = f"""{entry_table}
+            title = f"{self.id()}: {advisory['title']}"
+            body = f"""{entry_table}
 
 {advisory['description']}"""
-        return Issue(
-            title=title,
-            labels=labels,
-            assignees=assignees,
-            body=body,
-            rustsec_id=advisory["id"],
-        )
+            return Issue(
+                title=title,
+                labels=labels,
+                assignees=assignees,
+                body=body,
+                rustsec_id=self.id(),
+            )
+        else:
+            # There is no advisory.
+            # This occurs when a yanked version is detected.
+
+            name = self.entry["package"]["name"]
+            title = f"{self.id()} is yanked"
+            body = (
+                f"""Switch to a different version of `{name}` to resolve this issue."""
+            )
+            return Issue(
+                title=title,
+                labels=labels,
+                assignees=assignees,
+                body=body,
+                rustsec_id=self.id(),
+            )
 
 
 class GitHubClient:
@@ -131,6 +248,10 @@ class GitHubClient:
         # Retrieve the existing repo issues now so we can easily check them later.
         self._get_existing_issues()
 
+        debug("Existing issues:")
+        for issue in self.existing_issues:
+            debug(f"* {issue['title']}")
+
     def _get_existing_issues(self, page: int = 1) -> None:
         """Populate the existing issues list."""
         params: Dict[str, Union[str, int]] = {
@@ -138,16 +259,17 @@ class GitHubClient:
             "page": page,
             "state": "open",
         }
+        debug(f"Fetching existing issues from GitHub: {page=}")
         list_issues_request = requests.get(
-            self.issues_url, headers=self.issue_headers, params=params
+            self.issues_url, headers=self.issue_headers, params=params, timeout=TIMEOUT
         )
-        print(f"DBG: {list_issues_request.status_code=}")
         if list_issues_request.status_code == 200:
             self.existing_issues.extend(
                 [
                     issue
                     for issue in list_issues_request.json()
                     if issue["title"].startswith("RUSTSEC-")
+                    or issue["title"].startswith("Crate ")
                 ]
             )
             links = list_issues_request.links
@@ -157,6 +279,7 @@ class GitHubClient:
     def create_issue(self, issue: Issue) -> Optional[int]:
         """Create a dict containing the issue details and send it to GitHub."""
         title = issue.title
+        debug(f"Creating issue: {title=}")
 
         # Check if the current issue already exists - if so, skip it.
         # The below is a simple and imperfect check based on the issue title.
@@ -175,9 +298,14 @@ class GitHubClient:
                         existing_issue["url"],
                         headers=self.issue_headers,
                         data=json.dumps(body),
+                        timeout=TIMEOUT,
                     )
                     return update_request.status_code
 
+        debug(
+            f"""No existing issue found for "{issue.rustsec_id}". Creating new issue."""
+        )
+
         new_issue_body = {"title": title, "body": issue.body, "labels": issue.labels}
 
         # We need to check if any assignees/milestone specified exist, otherwise issue creation will fail.
@@ -185,7 +313,9 @@ class GitHubClient:
         for assignee in issue.assignees:
             assignee_url = f"{self.repos_url}{self.repo}/assignees/{assignee}"
             assignee_request = requests.get(
-                url=assignee_url, headers=self.issue_headers
+                url=assignee_url,
+                headers=self.issue_headers,
+                timeout=TIMEOUT,
             )
             if assignee_request.status_code == 204:
                 valid_assignees.append(assignee)
@@ -197,6 +327,7 @@ class GitHubClient:
             url=self.issues_url,
             headers=self.issue_headers,
             data=json.dumps(new_issue_body),
+            timeout=TIMEOUT,
         )
 
         return new_issue_request.status_code
@@ -204,7 +335,10 @@ class GitHubClient:
     def close_issue(self, issue: Dict[str, Any]) -> int:
         body = {"state": "closed"}
         close_request = requests.patch(
-            issue["url"], headers=self.issue_headers, data=json.dumps(body)
+            issue["url"],
+            headers=self.issue_headers,
+            data=json.dumps(body),
+            timeout=TIMEOUT,
         )
         return close_request.status_code
 
@@ -261,12 +395,26 @@ def run() -> None:
             ignore_args.append("--ignore")
             ignore_args.append(ign)
 
+    extra_args = []
+    if os.environ["INPUT_DENY_WARNINGS"] == "true":
+        extra_args.append("--deny")
+        extra_args.append("warnings")
+
+    if os.environ["INPUT_FILE"] != "":
+        extra_args.append("--file")
+        extra_args.append(os.environ["INPUT_FILE"])
+
+    audit_cmd = ["cargo", "audit", "--json"] + extra_args + ignore_args
+    debug(f"Running command: {audit_cmd}")
     completed = subprocess.run(
-        ["cargo", "audit", "--json"] + ignore_args,
+        audit_cmd,
         capture_output=True,
         text=True,
         check=False,
     )
+    debug(f"Command return code: {completed.returncode}")
+    debug(f"Command output: {completed.stdout}")
+    debug(f"Command error: {completed.stderr}")
     data = json.loads(completed.stdout)
 
     summary = create_summary(data)
@@ -300,7 +448,7 @@ def run() -> None:
         num_existing_issues = len(gh_client.existing_issues)
         for entry in entries:
             for ex_issue in gh_client.existing_issues:
-                if ex_issue["title"].startswith(entry.entry["advisory"]["id"]):
+                if ex_issue["title"].startswith(entry.id()):
                     gh_client.existing_issues.remove(ex_issue)
         num_old_issues = len(gh_client.existing_issues)
         print(