Investigate cargo-audit #39
Comments
Tested it locally and added to the pipeline as well

```json
{
  "database": {
    "advisory-count": 539,
    "last-commit": "e6600338c880d882655a3bf7e5085fde4bb95e1f",
    "last-updated": "2023-04-08T19:49:55Z"
  },
  "lockfile": {
    "dependency-count": 381
  },
  "settings": {
    "target_arch": null,
    "target_os": null,
    "severity": null,
    "ignore": [],
    "informational_warnings": [
      "unmaintained",
      "unsound",
      "notice"
    ]
  },
  "vulnerabilities": {
    "found": false,
    "count": 0,
    "list": []
  },
  "warnings": {
    "unsound": [
      {
        "kind": "unsound",
        "package": {
          "name": "atty",
          "version": "0.2.14",
          "source": "registry+https://github.com/rust-lang/crates.io-index",
          "checksum": "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8",
          "dependencies": [
            {
              "name": "hermit-abi",
              "version": "0.1.19",
              "source": "registry+https://github.com/rust-lang/crates.io-index"
            },
            {
              "name": "libc",
              "version": "0.2.141",
              "source": "registry+https://github.com/rust-lang/crates.io-index"
            },
            {
              "name": "winapi",
              "version": "0.3.9",
              "source": "registry+https://github.com/rust-lang/crates.io-index"
            }
          ],
          "replace": null
        },
        "advisory": {
          "id": "RUSTSEC-2021-0145",
          "package": "atty",
          "title": "Potential unaligned read",
          "description": "On windows, `atty` dereferences a potentially unaligned pointer.\n\nIn practice however, the pointer won't be unaligned unless a custom global allocator is used.\n\nIn particular, the `System` allocator on windows uses `HeapAlloc`, which guarantees a large enough alignment.\n\n# atty is Unmaintained\n\nA Pull Request with a fix has been provided over a year ago but the maintainer seems to be unreachable.\n\nLast release of `atty` was almost 3 years ago.\n\n## Possible Alternative(s)\n\nThe below list has not been vetted in any way and may or may not contain alternatives;\n\n - [is-terminal](https://crates.io/crates/is-terminal)\n - std::io::IsTerminal *nightly-only experimental*",
          "date": "2021-07-04",
          "aliases": [],
          "related": [],
          "collection": "crates",
          "categories": [],
          "keywords": [
            "unaligned-read"
          ],
          "cvss": null,
          "informational": "unsound",
          "references": [
            "https://github.com/softprops/atty/pull/51",
            "https://github.com/softprops/atty/issues/57"
          ],
          "source": null,
          "url": "https://github.com/softprops/atty/issues/50",
          "withdrawn": null
        },
        "versions": {
          "patched": [],
          "unaffected": []
        }
      }
    ],
    "yanked": [
      {
        "kind": "yanked",
        "package": {
          "name": "crossbeam-channel",
          "version": "0.5.7",
          "source": "registry+https://github.com/rust-lang/crates.io-index",
          "checksum": "cf2b3e8478797446514c91ef04bafcb59faba183e621ad488df88983cc14128c",
          "dependencies": [
            {
              "name": "cfg-if",
              "version": "1.0.0",
              "source": "registry+https://github.com/rust-lang/crates.io-index"
            },
            {
              "name": "crossbeam-utils",
              "version": "0.8.15",
              "source": "registry+https://github.com/rust-lang/crates.io-index"
            }
          ],
          "replace": null
        },
        "advisory": null,
        "versions": null
      }
    ]
  }
}
```
@aasseman Not sure what that means. Can't we at least visualize that more easily in the SBOM UI?
Push the report to the security VM
@aasseman Would it be possible to have that be a comment in the PR instead of an email?
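The two questions above (making the report readable, and posting it as a PR comment rather than an email) both come down to post-processing the `cargo audit --json` report shown earlier in the thread. The script below is an added example, not part of this project or of cargo-audit: it flattens the report's `vulnerabilities.list` and per-kind `warnings` into rows, renders a Markdown table suitable for a PR comment, and returns a CI exit status driven by a policy you choose. It assumes only the field layout visible in the posted report (`package.name`, `package.version`, `advisory.id`, `advisory.title`, `versions.patched`, and `advisory: null` for yanked crates). The embedded sample is a constructed, trimmed copy of that report; the function and parameter names are this example's own.

```python
"""Summarise a cargo-audit --json report for CI (added example, not project code).

Usage:  cargo audit --json | python audit_summary.py -
        python audit_summary.py report.json
        python audit_summary.py            # runs against the embedded sample
"""
import json
import sys

# Constructed sample modelled on the report posted in this issue: no
# vulnerabilities, one "unsound" warning for atty, and one yanked crate.
# Yanked entries carry no advisory, so "advisory" and "versions" are null.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": {"found": False, "count": 0, "list": []},
    "warnings": {
        "unsound": [{
            "kind": "unsound",
            "package": {"name": "atty", "version": "0.2.14"},
            "advisory": {"id": "RUSTSEC-2021-0145",
                         "title": "Potential unaligned read"},
            "versions": {"patched": [], "unaffected": []},
        }],
        "yanked": [{
            "kind": "yanked",
            "package": {"name": "crossbeam-channel", "version": "0.5.7"},
            "advisory": None,
            "versions": None,
        }],
    },
})


def _row(kind, entry):
    """Reduce one report entry to a flat record, tolerating null advisory/versions."""
    pkg = entry["package"]
    adv = entry.get("advisory") or {}          # null for yanked crates
    versions = entry.get("versions") or {}
    default_title = ("crate version was yanked from the registry"
                     if kind == "yanked" else "-")
    patched = ", ".join(versions.get("patched") or [])
    return {
        "kind": kind,
        "package": pkg["name"],
        "version": pkg["version"],
        "advisory": adv.get("id", "-"),
        "title": adv.get("title", default_title),
        "patched": patched or "none",
    }


def findings(report):
    """Flatten vulnerabilities and every warning kind into one list of rows."""
    rows = []
    for entry in report.get("vulnerabilities", {}).get("list", []):
        rows.append(_row("vulnerability", entry))
    for kind, entries in report.get("warnings", {}).items():
        for entry in entries:
            rows.append(_row(entry.get("kind", kind), entry))
    return rows


def render_markdown(rows):
    """Markdown table for a PR comment; one line when there is nothing to report."""
    if not rows:
        return "cargo-audit: no vulnerabilities or warnings."
    lines = ["| kind | crate | version | advisory | title | patched |",
             "|---|---|---|---|---|---|"]
    for r in rows:
        lines.append("| {kind} | {package} | {version} | {advisory} | "
                     "{title} | {patched} |".format(**r))
    return "\n".join(lines)


def verdict(rows, fail_on=("vulnerability",)):
    """Exit status for the pipeline: 1 if any row's kind is in fail_on.

    By default only real vulnerabilities block the build; add "yanked" or
    "unsound" to fail_on to make those warning classes blocking as well.
    """
    return 1 if any(r["kind"] in fail_on for r in rows) else 0


def main(argv):
    if len(argv) > 1:
        raw = sys.stdin.read() if argv[1] == "-" else open(argv[1]).read()
    else:
        raw = SAMPLE_REPORT          # demo run on the constructed sample
    rows = findings(json.loads(raw))
    print(render_markdown(rows))
    # Example policy: block on vulnerabilities and on yanked crates.
    return verdict(rows, fail_on=("vulnerability", "yanked"))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The printed table is what a CI job would post with `gh pr comment` or the equivalent API call; the exit status is what gates the job. Keep the policy explicit rather than treating every warning as fatal: a yanked crate with no advisory, as with `crossbeam-channel` above, usually means "bump the version", while an `unsound` advisory with no patched version, as with `atty`, needs a replacement crate and is better tracked than blocked on.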
No description provided.