mirror of
https://github.com/actions-rust-lang/audit.git
synced 2025-12-28 05:31:49 -05:00
Compare commits
36 Commits

| SHA1 |
|---|
| 160ac8b6ed |
| b8800a8c21 |
| 1010e1e336 |
| 72f0fdca3b |
| cbff13557b |
| 08bf11f3ea |
| 7049db077c |
| e8ea165957 |
| 1926841165 |
| 08a60eccbb |
| 16af786dc7 |
| ddc21578b3 |
| c37ceabcab |
| 342fdff255 |
| b719ea468c |
| 25528f1e0b |
| f4430692fd |
| 0f2a92891d |
| c248204ea6 |
| e7db852e4a |
| 494d723603 |
| 50559e3f2c |
| 27b62ea8ec |
| e207bcd5c9 |
| 7d76eb83b1 |
| 3e63858e0b |
| 5308f89d29 |
| 65c5146921 |
| 6e072ef47a |
| 8001bc456e |
| cbfe81d58f |
| 89b10d9af6 |
| 61ccdfe0c5 |
| 959eb6cc5c |
| 96eb2dcbe4 |
| 6943412b48 |
@@ -1,10 +1,10 @@
|
||||
repos:
|
||||
- repo: https://github.com/psf/black
|
||||
rev: 23.12.1
|
||||
rev: 24.4.2
|
||||
hooks:
|
||||
- id: black
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.5.0
|
||||
rev: v4.6.0
|
||||
hooks:
|
||||
- id: check-ast
|
||||
- id: check-case-conflict
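Review bot: the bumped `rev:` values in this hunk (`24.4.2`, `v4.6.0`) are git tags, which upstream can move or re-create, so what runs on every contributor's machine is not fixed by this file; for a repository whose purpose is dependency auditing, pin each hook to the full commit SHA of the tag instead (`pre-commit autoupdate --freeze` rewrites `rev:` to the SHA and keeps the tag name in a trailing comment), so a re-tagged release cannot silently change the hook code.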
|
||||
@@ -20,18 +20,18 @@ repos:
|
||||
- id: isort
|
||||
args: ["--profile=black"]
|
||||
- repo: https://github.com/asottile/pyupgrade
|
||||
rev: v3.15.0
|
||||
rev: v3.15.2
|
||||
hooks:
|
||||
- id: pyupgrade
|
||||
args: ["--py37-plus"]
|
||||
- repo: https://github.com/pre-commit/mirrors-mypy
|
||||
rev: v1.8.0
|
||||
rev: v1.10.0
|
||||
hooks:
|
||||
- id: mypy
|
||||
additional_dependencies:
|
||||
- types-requests
|
||||
- repo: https://github.com/python-jsonschema/check-jsonschema
|
||||
rev: 0.27.3
|
||||
rev: 0.28.2
|
||||
hooks:
|
||||
- id: check-dependabot
|
||||
- id: check-github-actions
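Review bot: `additional_dependencies: - types-requests` under the mypy hook stays unpinned while every `rev:` around it is bumped to an exact version, so the type-check result depends on whichever stub release pip resolves on the day the hook environment is built; pin it (`types-requests==<version>`) so the mypy run is reproducible and stub bumps happen as deliberate, reviewable changes like the `rev:` bumps in this hunk.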
CHANGELOG.md (12 lines changed)
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [1.1.14] - 2024-02-18
|
||||
|
||||
* Update `cargo-audit` to 0.20.0
|
||||
|
||||
## [1.1.13] - 2024-02-03
|
||||
|
||||
* Update `cargo-audit` to 0.19.0
|
||||
|
||||
## [1.1.12] - 2024-01-20
|
||||
|
||||
* Fix default of `file` argument to make it work again for repositories without `Cargo.lock` checked in.
|
||||
|
||||
## [1.1.11] - 2024-01-18
|
||||
|
||||
* Allow specifying the path to the `Cargo.lock` file, in case it is not in the root of the repository (#55)
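Review bot: `## [Unreleased]` is left empty although this compare also adds the `workingDirectory` input, passes `--locked` to `cargo install cargo-audit`, and moves to `actions/cache@v4` in action.yml; add at least an entry for the new input under Unreleased, since users discover inputs through this file, and state alongside the 1.1.12 entry that `file` now defaults to empty (no `--file` flag passed) rather than `Cargo.lock`, which is the actual behavioural change behind "make it work again".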
README.md (19 lines changed)
@@ -1,6 +1,6 @@
|
||||
# Audit Rust dependencies using the RustSec Advisory DB
|
||||
|
||||
Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilieties. It can create issues for each of the found vulnerabilities.
|
||||
Audit your Rust dependencies using [cargo audit] and the [RustSec Advisory DB]. The action creates a summary with all vulnerabilities. It can create issues for each of the found vulnerabilities.
|
||||
|
||||
Execution Summary:
|
||||
|
||||
@@ -44,18 +44,19 @@ jobs:
|
||||
## Inputs
|
||||
|
||||
All inputs are optional.
|
||||
Consider adding a [`audit.toml` configuration file] to your repository for further configurations.
|
||||
Consider adding an [`audit.toml` configuration file] to your repository for further configurations.
|
||||
cargo audit supports multiple warning types, such as unsound code or yanked crates.
|
||||
Configuration is only possible via the `informational_warnings` parameter in the configuration file ([#318](https://github.com/rustsec/rustsec/issues/318)).
|
||||
Setting `denyWarnings` to true will also enable these warnings, but each warning is upgraded to an error.
|
||||
|
||||
| Name | Description | Default |
|
||||
| -------------- | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
|
||||
| `TOKEN` | The GitHub access token to allow us to retrieve, create and update issues (automatically set). | `github.token` |
|
||||
| `denyWarnings` | Any warnings generated will be treated as an error and fail the action. | false |
|
||||
| `file` | The path to the Cargo.lock file. | `Cargo.lock` |
|
||||
| `ignore` | A comma separated list of Rustsec IDs to ignore. | |
|
||||
| `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
|
||||
| Name | Description | Default |
|
||||
| ------------------ | ------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ |
|
||||
| `TOKEN` | The GitHub access token to allow us to retrieve, create and update issues (automatically set). | `github.token` |
|
||||
| `denyWarnings` | Any warnings generated will be treated as an error and fail the action. | false |
|
||||
| `file` | The path to the Cargo.lock file to inspect file. | |
|
||||
| `ignore` | A comma separated list of Rustsec IDs to ignore. | |
|
||||
| `createIssues` | Create/Update issues for each found vulnerability. By default only on `main` or `master` branch. | `github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main'` |
|
||||
| `workingDirectory` | Run `cargo audit` from the given working directory | |
|
||||
|
||||
## License
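Review bot: the rewritten `file` row reads "The path to the Cargo.lock file to inspect file." (stray trailing "file"), and its Default cell is now empty, as is the new `workingDirectory` row's, without saying what an empty value does; write "The path to the Cargo.lock file to inspect. If empty, no `--file` flag is passed and cargo audit locates the lockfile itself." and give `workingDirectory` a default of the repository root plus a closing period so the rows read consistently. Since audit.py runs cargo audit with `cwd=working_directory`, the table should also say that a relative `file` path is resolved against `workingDirectory` when both are set.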
action.yml (15 lines changed)
@@ -15,9 +15,9 @@ inputs:
|
||||
required: false
|
||||
default: "false"
|
||||
file:
|
||||
description: "Cargo lockfile to inspect"
|
||||
description: "The path to the Cargo.lock file to inspect"
|
||||
required: false
|
||||
default: "Cargo.lock"
|
||||
default: ""
|
||||
ignore:
|
||||
description: "A comma separated list of Rustsec IDs to ignore"
|
||||
required: false
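Review bot: `default: ""` is the behavioural fix (the `--file` flag is no longer passed unless the user sets it), but the new description "The path to the Cargo.lock file to inspect" does not say so; extend it with "leave empty to let cargo audit find the lockfile itself", otherwise a reader of the rendered inputs sees an input whose default was `Cargo.lock` and is now blank with no explanation.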
|
||||
@@ -26,6 +26,10 @@ inputs:
|
||||
description: Create/Update issues for each found vulnerability.
|
||||
required: false
|
||||
default: "${{ github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' }}"
|
||||
workingDirectory:
|
||||
description: "Run `cargo audit` from the given working directory"
|
||||
required: false
|
||||
default: ""
|
||||
|
||||
runs:
|
||||
using: composite
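Review bot: the `workingDirectory` description should state that a relative `file` path is resolved against this directory, because audit.py runs cargo audit with `cwd=working_directory` and passes `--file` through unchanged; a user who sets `file: Cargo.lock` together with `workingDirectory: crates/foo` will otherwise expect a repository-root path and get an audit of `crates/foo/Cargo.lock` (or a lockfile-not-found failure).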
|
||||
@@ -34,19 +38,19 @@ runs:
|
||||
run: echo "cargohome=${CARGO_HOME:-$HOME/.cargo}" >> $GITHUB_OUTPUT
|
||||
shell: bash
|
||||
id: cargo-home
|
||||
- uses: actions/cache@v3
|
||||
- uses: actions/cache@v4
|
||||
id: cache
|
||||
with:
|
||||
path: |
|
||||
${{ steps.cargo-home.outputs.cargohome }}/bin/cargo-audit*
|
||||
${{ steps.cargo-home.outputs.cargohome }}/.crates.toml
|
||||
${{ steps.cargo-home.outputs.cargohome }}/.crates2.json
|
||||
key: cargo-audit-v0.18.3
|
||||
key: cargo-audit-v0.20.0
|
||||
|
||||
- name: Install cargo-audit
|
||||
if: steps.cache.outputs.cache-hit != 'true'
|
||||
# Update both this version number and the cache key
|
||||
run: cargo install cargo-audit --vers 0.18.3 --no-default-features
|
||||
run: cargo install cargo-audit --vers 0.20.0 --no-default-features --locked
|
||||
shell: bash
|
||||
|
||||
- run: |
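Review bot: `key: cargo-audit-v0.20.0` encodes only the cargo-audit version, not the runner OS or architecture, so a binary built on one runner image can be restored on a different one (actions/cache keys are scoped per repository and branch, not per OS); append `${{ runner.os }}-${{ runner.arch }}` to the key, and keep the "Update both this version number and the cache key" comment honest by deriving both from one value if the composite action ever gains an input for it. Adding `--locked` is the right call: without it `cargo install` re-resolves cargo-audit's dependency graph at build time, so the same cache key could hold different binaries on different days.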
|
||||
@@ -59,5 +63,6 @@ runs:
|
||||
INPUT_FILE: ${{ inputs.file }}
|
||||
INPUT_IGNORE: ${{ inputs.ignore }}
|
||||
INPUT_TOKEN: ${{ inputs.TOKEN }}
|
||||
INPUT_WORKING_DIRECTORY: ${{ inputs.workingDirectory }}
|
||||
PYTHONPATH: ${{ github.action_path }}
|
||||
REPO: ${{ github.repository }}
audit.py (15 lines changed)
@@ -97,9 +97,11 @@ class Entry:
|
||||
table.append(
|
||||
(
|
||||
"Patched Versions",
|
||||
" OR ".join(self.entry["versions"]["patched"])
|
||||
if len(self.entry["versions"]["patched"]) > 0
|
||||
else "n/a",
|
||||
(
|
||||
" OR ".join(self.entry["versions"]["patched"])
|
||||
if len(self.entry["versions"]["patched"]) > 0
|
||||
else "n/a"
|
||||
),
|
||||
)
|
||||
)
|
||||
if len(self.entry["versions"]["unaffected"]) > 0:
|
||||
@@ -402,15 +404,22 @@ def run() -> None:
|
||||
extra_args.append("--file")
|
||||
extra_args.append(os.environ["INPUT_FILE"])
|
||||
|
||||
working_directory = None
|
||||
if os.environ["INPUT_WORKING_DIRECTORY"] != "":
|
||||
working_directory = os.environ["INPUT_WORKING_DIRECTORY"]
|
||||
|
||||
audit_cmd = ["cargo", "audit", "--json"] + extra_args + ignore_args
|
||||
debug(f"Running command: {audit_cmd}")
|
||||
completed = subprocess.run(
|
||||
audit_cmd,
|
||||
cwd=working_directory,
|
||||
capture_output=True,
|
||||
text=True,
|
||||
check=False,
|
||||
)
|
||||
debug(f"Command return code: {completed.returncode}")
|
||||
debug(f"Command output: {completed.stdout}")
|
||||
debug(f"Command error: {completed.stderr}")
|
||||
data = json.loads(completed.stdout)
|
||||
|
||||
summary = create_summary(data)
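Review bot: `working_directory` is handed to `subprocess.run(cwd=...)` without checking that it exists, so a typo in `workingDirectory` surfaces as a `FileNotFoundError` traceback from `subprocess.run` rather than an actionable message; check `os.path.isdir(working_directory)` after reading the input and fail with the offending value. The same hunk keeps `check=False` and then unconditionally runs `json.loads(completed.stdout)`: when cargo audit exits without emitting JSON (for example because no `Cargo.lock` is found under the new cwd), stdout is empty and this line raises `JSONDecodeError` while the real cause sits in `completed.stderr`, which only reaches the log at debug level; guard on empty stdout and print stderr as an error before parsing.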