Bump cargo-audit to 0.17.4

updates:
- [github.com/asottile/pyupgrade: v3.1.0 → v3.2.0](https://github.com/asottile/pyupgrade/compare/v3.1.0...v3.2.0)

.github/workflows/autotag-releases.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Get version from tag
         id: tag_name
         run: |
-          echo ::set-output name=current_version::${GITHUB_REF#refs/tags/}
+          echo "current_version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
         shell: bash
       - name: Create and push tags
         run: |

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/psf/black
-    rev: 22.6.0
+    rev: 22.10.0
     hooks:
       - id: black
   - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -20,12 +20,12 @@ repos:
       - id: isort
         args: ["--profile=black"]
   - repo: https://github.com/asottile/pyupgrade
-    rev: v2.37.3
+    rev: v3.2.0
     hooks:
       - id: pyupgrade
         args: ["--py37-plus"]
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v0.971
+    rev: v0.982
     hooks:
       - id: mypy
         additional_dependencies:

CHANGELOG.md

@@ -7,9 +7,34 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.2] - 2022-11-09
+
+### Changed
+
+* Update `cargo-audit` to 0.17.4 which fixes checking for yanked crates.
+
+## [1.1.1] - 2022-10-13
+
+### Changed
+
+* Switch from set-output to $GITHUB_OUTPUT to avoid warning
+    https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
+
+## [1.1.0] - 2022-08-14
+
+### Added
+
+* Present aliases for the RustSec ID and related advisories in the overview table (#1).
+
+### Changed
+
+* Setting `denyWarnings` will now pass `--deny warnings` to cargo audit.
+
 ## [1.0.1] - 2022-08-09
 
-Create proper release tags.
+### Added
+
+* Create proper release tags.
 
 ## [1.0.0] - 2022-08-09
 

README.md

@@ -13,10 +13,18 @@ name: "Audit Dependencies"
 on:
   push:
     paths:
+      # Run if workflow changes
+      - '.github/workflows/audit.yml'
+      # Run on changed dependencies
       - '**/Cargo.toml'
       - '**/Cargo.lock'
+      # Run if the configuration file changes
+      - '**/audit.toml'
+  # Rerun periodicly to pick up new advisories
   schedule:
     - cron: '0 0 * * *'
+  # Run manually
+  workflow_dispatch:
 
 permissions: read-all
 
@@ -38,6 +46,9 @@ jobs:
 
 All inputs are optional.
 Consider adding a [`audit.toml` configuration file] to your repository for further configurations.
+cargo audit supports multiple warning types, such as unsound code or yanked crates.
+Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
+Setting `denyWarnings` to true will also enable these warnings, but each warning is upgraded to an error.
 
 | Name           | Description                                                                                      | Default                                                                  |
 | -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |

action.yml

@@ -1,6 +1,6 @@
-name: Audit Rust Dependencies
+name: cargo audit your Rust Dependencies
 description: |
-  Audit Rust dependencies for vulnerabilities or outdated dependencies.
+  Audit Rust dependencies with cargo audit and the RustSec Advisory DB
 branding:
   icon: "shield"
   color: "red"
@@ -33,12 +33,12 @@ runs:
           ${{ env.CARGO_HOME }}/.cargo/bin/cargo-audit*
           ${{ env.CARGO_HOME }}/.cargo/.crates.toml
           ${{ env.CARGO_HOME }}/.cargo/.crates2.json
-        key: cargo-audit-v0.17.0
+        key: cargo-audit-v0.17.4
 
     - name: Install cargo-audit
       if: steps.cache.outputs.cache-hit != 'true'
       # Update both this version number and the cache key
-      run: cargo install cargo-audit --vers 0.17.0
+      run: cargo install cargo-audit --vers 0.17.4 --no-default-features
       shell: bash
 
     - run: |

audit.py

@@ -62,36 +62,88 @@ class Entry:
     def _entry_table(self) -> str:
         advisory = self.entry["advisory"]
 
-        if self.warning_type is None:
-            warning = ""
-        else:
-            warning = f"\n| Warning            | {self.warning_type} |"
-        unaffected = " OR ".join(self.entry["versions"]["unaffected"])
-        if unaffected != "":
-            unaffected = f"\n| Unaffected Versions | `{unaffected}` |"
-        patched = " OR ".join(self.entry["versions"]["patched"])
-        if patched == "":
-            patched = "n/a"
-        else:
-            patched = f"`{patched}`"
-        table = f"""| Details            |                                      |
-| ---                | ---                                  |
-| Package            | `{advisory['package']}`              |
-| Version            | `{self.entry['package']['version']}` |{warning}
-| URL                | <{advisory['url']}>                  |
-| Patched Versions   | {patched}                            |{unaffected}
-"""
-        return table
+        table = []
+        table.append(("Details", ""))
+        table.append(("---", "---"))
+        table.append(("Package", f"`{advisory['package']}`"))
+        table.append(("Version", f"`{self.entry['package']['version']}`"))
+        if self.warning_type is not None:
+            table.append(("Warning", str(self.warning_type)))
+        table.append(("URL", advisory["url"]))
+        table.append(
+            (
+                "Patched Versions",
+                " OR ".join(self.entry["versions"]["patched"])
+                if len(self.entry["versions"]["patched"]) > 0
+                else "n/a",
+            )
+        )
+        if len(self.entry["versions"]["unaffected"]) > 0:
+            table.append(
+                (
+                    "Unaffected Versions",
+                    " OR ".join(self.entry["versions"]["unaffected"]),
+                )
+            )
+        if len(advisory["aliases"]) > 0:
+            table.append(
+                (
+                    "Aliases",
+                    ", ".join(
+                        Entry._md_autolink_advisory_id(advisory_id)
+                        for advisory_id in advisory["aliases"]
+                    ),
+                )
+            )
+        if len(advisory["related"]) > 0:
+            table.append(
+                (
+                    "Related Advisories",
+                    ", ".join(
+                        Entry._md_autolink_advisory_id(advisory_id)
+                        for advisory_id in advisory["related"]
+                    ),
+                )
+            )
+
+        table_parts = []
+        for row in table:
+            table_parts.append("| ")
+            table_parts.append(row[0])
+            table_parts.append(" | ")
+            table_parts.append(row[1])
+            table_parts.append(" |\n")
+
+        return "".join(table_parts)
+
+    @classmethod
+    def _md_autolink_advisory_id(cls, advisory_id: str) -> str:
+        """
+        If a supported advisory format, such as GHSA- is detected, return a markdown link.
+        Otherwise return the ID as text.
+        """
+
+        if advisory_id.startswith("GHSA-"):
+            return f"[{advisory_id}](https://github.com/advisories/{advisory_id})"
+        if advisory_id.startswith("CVE-"):
+            return f"[{advisory_id}](https://nvd.nist.gov/vuln/detail/{advisory_id})"
+        if advisory_id.startswith("RUSTSEC-"):
+            return f"[{advisory_id}](https://rustsec.org/advisories/{advisory_id})"
+        return advisory_id
 
     def format_as_markdown(self) -> str:
         advisory = self.entry["advisory"]
 
         entry_table = self._entry_table()
+        # Replace the @ with a ZWJ to avoid triggering markdown autolinks
+        # Otherwise GitHub will interpret the @ as a mention
+        description = advisory["description"].replace("@", "@\u200d")
+
         md = f"""## {self.entry_type.icon()} {advisory['id']}: {advisory['title']}
 
 {entry_table}
 
-{advisory['description']}
+{description}
 """
         return md
 
@@ -141,7 +193,6 @@ class GitHubClient:
         list_issues_request = requests.get(
             self.issues_url, headers=self.issue_headers, params=params
         )
-        print(f"DBG: {list_issues_request.status_code=}")
         if list_issues_request.status_code == 200:
             self.existing_issues.extend(
                 [
@@ -261,8 +312,13 @@ def run() -> None:
             ignore_args.append("--ignore")
             ignore_args.append(ign)
 
+    extra_args = []
+    if os.environ["INPUT_DENY_WARNINGS"] == "true":
+        extra_args.append("--deny")
+        extra_args.append("warnings")
+
     completed = subprocess.run(
-        ["cargo", "audit", "--json"] + ignore_args,
+        ["cargo", "audit", "--json"] + extra_args + ignore_args,
         capture_output=True,
         text=True,
         check=False,