[PATCH] make-release-tarball.sh: run cargo audit

public inbox for linux-bcachefs@vger.kernel.org
 help / color / mirror / Atom feed

From: David Disseldorp <ddiss@suse.de>
To: linux-bcachefs@vger.kernel.org
Cc: David Disseldorp <ddiss@suse.de>
Subject: [PATCH] make-release-tarball.sh: run cargo audit
Date: Tue, 30 Jan 2024 18:03:56 +1100	[thread overview]
Message-ID: <20240130070356.8174-1-ddiss@suse.de> (raw)

cargo audit can be used to check bcachefs dependencies for
vulnerabilities published in the advisory database at
https://github.com/RustSec/advisory-db.git

Given the significant size of dependency sources (currently ~292M),
manual audit is mostly unviable, so rely on this for now.

Audit failure will halt tarball generation with e.g. v1.4.1:
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 595 security advisories (from /home/david/.cargo/advisory-db)
    Updating crates.io index
    Scanning rust-src/Cargo.lock for vulnerabilities (98 crate dependencies)
Crate:     shlex
Version:   1.2.0
Title:     Multiple issues involving quote API
Date:      2024-01-21
ID:        RUSTSEC-2024-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0006
Solution:  Upgrade to >=1.3.0
Dependency tree:
shlex 1.2.0
└── bindgen 0.64.0
    └── bch_bindgen 0.1.0
        └── bcachefs-rust 0.3.1

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── bcachefs-rust 0.3.1

error: 1 vulnerability found!
warning: 1 allowed warning found

Signed-off-by: David Disseldorp <ddiss@suse.de>
---
 make-release-tarball.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/make-release-tarball.sh b/make-release-tarball.sh
index c468da7..51875b0 100755
--- a/make-release-tarball.sh
+++ b/make-release-tarball.sh
@@ -7,6 +7,8 @@ version=$1
 git checkout v$version
 git clean -xfd
 
+cargo audit
+
 cargo license > COPYING.rust-dependencies
 
 git ls-files|
-- 
2.35.3

next             reply	other threads:[~2024-01-30  7:04 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-30  7:03 David Disseldorp [this message]
2024-03-05  0:49 ` [PATCH] make-release-tarball.sh: run cargo audit David Disseldorp
2024-03-08  2:16 ` Kent Overstreet
2024-03-08  3:59   ` David Disseldorp

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c468da7 dfblob:51875b0 )
 OR (
bs:"[PATCH] make-release-tarball.sh: run cargo audit" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240130070356.8174-1-ddiss@suse.de \
    --to=ddiss@suse.de \
    --cc=linux-bcachefs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox