public inbox for linux-bcachefs@vger.kernel.org
* [PATCH] make-release-tarball.sh: run cargo audit
@ 2024-01-30  7:03 David Disseldorp
From: David Disseldorp @ 2024-01-30  7:03 UTC (permalink / raw)
  To: linux-bcachefs; +Cc: David Disseldorp

cargo audit can be used to check bcachefs dependencies for
vulnerabilities published in the advisory database at
https://github.com/RustSec/advisory-db.git

Given the significant size of dependency sources (currently ~292M),
manual audit is mostly unviable, so rely on this for now.

Audit failure will halt tarball generation with e.g. v1.4.1:
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 595 security advisories (from /home/david/.cargo/advisory-db)
    Updating crates.io index
    Scanning rust-src/Cargo.lock for vulnerabilities (98 crate dependencies)
Crate:     shlex
Version:   1.2.0
Title:     Multiple issues involving quote API
Date:      2024-01-21
ID:        RUSTSEC-2024-0006
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0006
Solution:  Upgrade to >=1.3.0
Dependency tree:
shlex 1.2.0
└── bindgen 0.64.0
    └── bch_bindgen 0.1.0
        └── bcachefs-rust 0.3.1

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── bcachefs-rust 0.3.1

error: 1 vulnerability found!
warning: 1 allowed warning found

Signed-off-by: David Disseldorp <ddiss@suse.de>
---
 make-release-tarball.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/make-release-tarball.sh b/make-release-tarball.sh
index c468da7..51875b0 100755
--- a/make-release-tarball.sh
+++ b/make-release-tarball.sh
@@ -7,6 +7,8 @@ version=$1
 git checkout v$version
 git clean -xfd
 
+cargo audit
+
 cargo license > COPYING.rust-dependencies
 
 git ls-files|
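Review bot: the halt the commit message promises depends on something acting on the exit status of `cargo audit`, and nothing in the hunk does; unless the script already runs under `set -e` (not visible in this context), a failing audit will print its findings and the script will carry on to `cargo license` and the tarball. Either make it explicit, e.g. `cargo audit || exit 1`, or note in the commit message that `set -e` is what enforces it. Two smaller points: `cargo audit` is the external cargo-audit subcommand rather than part of cargo itself, and it needs network access to fetch the advisory database, so a release host without it will fail with "no such subcommand" rather than auditing anything; and, as the sample output shows, the unsound `atty` advisory counts only as an "allowed warning", so if warnings are meant to block a release too, a `--deny warnings` flag is needed here.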
-- 
2.35.3



* Re: [PATCH] make-release-tarball.sh: run cargo audit
@ 2024-03-05  0:49 ` David Disseldorp
From: David Disseldorp @ 2024-03-05  0:49 UTC (permalink / raw)
  To: linux-bcachefs

Any feedback on this change?

Thanks, David

On Tue, 30 Jan 2024 18:03:56 +1100, David Disseldorp wrote:

> cargo audit can be used to check bcachefs dependencies for
> vulnerabilities published in the advisory database at
> https://github.com/RustSec/advisory-db.git
> 
> Given the significant size of dependency sources (currently ~292M),
> manual audit is mostly unviable, so rely on this for now.
> 
> Audit failure will halt tarball generation with e.g. v1.4.1:
>     Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
>       Loaded 595 security advisories (from /home/david/.cargo/advisory-db)
>     Updating crates.io index
>     Scanning rust-src/Cargo.lock for vulnerabilities (98 crate dependencies)
> Crate:     shlex
> Version:   1.2.0
> Title:     Multiple issues involving quote API
> Date:      2024-01-21
> ID:        RUSTSEC-2024-0006
> URL:       https://rustsec.org/advisories/RUSTSEC-2024-0006
> Solution:  Upgrade to >=1.3.0
> Dependency tree:
> shlex 1.2.0
> └── bindgen 0.64.0
>     └── bch_bindgen 0.1.0
>         └── bcachefs-rust 0.3.1
> 
> Crate:     atty
> Version:   0.2.14
> Warning:   unsound
> Title:     Potential unaligned read
> Date:      2021-07-04
> ID:        RUSTSEC-2021-0145
> URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
> Dependency tree:
> atty 0.2.14
> └── bcachefs-rust 0.3.1
> 
> error: 1 vulnerability found!
> warning: 1 allowed warning found
> 
> Signed-off-by: David Disseldorp <ddiss@suse.de>
> ---
>  make-release-tarball.sh | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/make-release-tarball.sh b/make-release-tarball.sh
> index c468da7..51875b0 100755
> --- a/make-release-tarball.sh
> +++ b/make-release-tarball.sh
> @@ -7,6 +7,8 @@ version=$1
>  git checkout v$version
>  git clean -xfd
>  
> +cargo audit
> +
>  cargo license > COPYING.rust-dependencies
>  
>  git ls-files|


* Re: [PATCH] make-release-tarball.sh: run cargo audit
@ 2024-03-08  2:16 ` Kent Overstreet
From: Kent Overstreet @ 2024-03-08  2:16 UTC (permalink / raw)
  To: David Disseldorp; +Cc: linux-bcachefs

On Tue, Jan 30, 2024 at 06:03:56PM +1100, David Disseldorp wrote:
> cargo audit can be used to check bcachefs dependencies for
> vulnerabilities published in the advisory database at
> https://github.com/RustSec/advisory-db.git
> 
> Given the significant size of dependency sources (currently ~292M),
> manual audit is mostly unviable, so rely on this for now.

Not a good place for this, workflow-wise; I run make-release-tarball.sh
after the new release is tagged and frequently after the tag is
uploaded.

This would better be run as some sort of cron job that emails results to
the list when something is found.

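Kent's suggestion of a cron job that mails the list only when the audit finds something, as an added example (not bcachefs-tools code and not written by either poster): a POSIX sh wrapper around `cargo audit` that assumes cargo-audit and a `mail -s`-style mailer are installed on the cron host, with REPO_DIR, LIST_ADDR, AUDIT_CMD and MAIL_CMD as hypothetical knobs. It separates the two outcomes seen in the commit message's output: vulnerabilities, on which cargo audit exits non-zero, and "allowed" warnings such as the unsound atty advisory, which cargo audit reports but does not fail on.

```shell
#!/bin/sh
# Added example (not bcachefs-tools code): cron-driven wrapper that runs
# cargo audit in a checkout and mails the report to the list only when the
# audit finds something. REPO_DIR, LIST_ADDR, AUDIT_CMD and MAIL_CMD are
# assumed knobs; the defaults are placeholders to override in the crontab.
REPO_DIR="${REPO_DIR:-/srv/bcachefs-tools}"          # placeholder checkout
LIST_ADDR="${LIST_ADDR:-linux-bcachefs@vger.kernel.org}"
AUDIT_CMD="${AUDIT_CMD:-cargo audit}"                 # cargo-audit subcommand
MAIL_CMD="${MAIL_CMD:-mail -s}"                       # run as: $MAIL_CMD SUBJECT TO

# run_audit DIR: run the audit in DIR, echo the report, and return
#   0 = clean, 1 = vulnerabilities (cargo audit exits non-zero for these),
#   2 = only warnings (unsound/unmaintained/yanked advisories, which cargo
#       audit prints but allows unless run with --deny warnings).
run_audit() {
    dir=$1
    # $AUDIT_CMD is deliberately unquoted so "cargo audit" splits into words.
    report=$(cd "$dir" && $AUDIT_CMD 2>&1)
    status=$?
    printf '%s\n' "$report"
    if [ "$status" -ne 0 ]; then
        return 1
    elif printf '%s\n' "$report" | grep -q '^warning: '; then
        return 2
    fi
    return 0
}

# audit_and_notify DIR: mail the report when run_audit found anything;
# the return value is run_audit's, so cron also sees a non-zero exit.
audit_and_notify() {
    out=$(run_audit "$1")
    rc=$?
    case $rc in
        0) return 0 ;;
        1) subject="[cargo audit] vulnerability found in $1" ;;
        2) subject="[cargo audit] advisory warning for $1" ;;
    esac
    printf '%s\n' "$out" | $MAIL_CMD "$subject" "$LIST_ADDR"
    return "$rc"
}

# Example crontab line (hypothetical path):
#   0 6 * * * REPO_DIR=/srv/bcachefs-tools /usr/local/bin/audit-cron.sh run
# The real check only runs when invoked with "run", so the functions can be
# sourced and exercised without cargo or a mailer present.
if [ "${1:-}" = run ]; then
    audit_and_notify "$REPO_DIR"
fi
```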

* Re: [PATCH] make-release-tarball.sh: run cargo audit
@ 2024-03-08  3:59   ` David Disseldorp
From: David Disseldorp @ 2024-03-08  3:59 UTC (permalink / raw)
  To: Kent Overstreet; +Cc: linux-bcachefs

On Thu, 7 Mar 2024 21:16:02 -0500, Kent Overstreet wrote:

> On Tue, Jan 30, 2024 at 06:03:56PM +1100, David Disseldorp wrote:
> > cargo audit can be used to check bcachefs dependencies for
> > vulnerabilities published in the advisory database at
> > https://github.com/RustSec/advisory-db.git
> > 
> > Given the significant size of dependency sources (currently ~292M),
> > manual audit is mostly unviable, so rely on this for now.
> 
> Not a good place for this, workflow-wise; I run make-release-tarball.sh
> after the new release is tagged and frequently after the tag is
> uploaded.
> 
> This would better be run as some sort of cron job that emails results to
> the list when something is found.

Fair enough, will set something up as part of the downstream (openSUSE)
release process.

