
audit's Introduction

Audit Rust dependencies using the RustSec Advisory DB

Audit your Rust dependencies using cargo audit and the RustSec Advisory DB. The action creates a summary with all vulnerabilities. It can create issues for each of the found vulnerabilities.

Execution Summary:

The action reports any audit results.

Example workflow

name: "Audit Dependencies"
on:
  push:
    paths:
      # Run if workflow changes
      - '.github/workflows/audit.yml'
      # Run on changed dependencies
      - '**/Cargo.toml'
      - '**/Cargo.lock'
      # Run if the configuration file changes
      - '**/audit.toml'
  # Rerun periodically to pick up new advisories
  schedule:
    - cron: '0 0 * * *'
  # Run manually
  workflow_dispatch:

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions-rust-lang/audit@v1
        name: Audit Rust Dependencies
        with:
          # Comma separated list of RUSTSEC advisory IDs to ignore
          ignore: RUSTSEC-2020-0036

Inputs

All inputs are optional. Consider adding an audit.toml configuration file to your repository for further configuration. cargo audit supports multiple warning types, such as unsound code or yanked crates. These warnings can only be configured via the informational_warnings parameter in the configuration file (#318). Setting denyWarnings to true will also enable these warnings, but each warning is then upgraded to an error.

| Name | Description | Default |
|---|---|---|
| TOKEN | The GitHub access token used to retrieve, create and update issues (automatically set). | github.token |
| denyWarnings | Any warnings generated will be treated as an error and fail the action. | false |
| file | The path to the Cargo.lock file to inspect. | |
| ignore | A comma separated list of RUSTSEC IDs to ignore. | |
| createIssues | Create/update issues for each found vulnerability. By default only on the main or master branch. | github.ref == 'refs/heads/master' \|\| github.ref == 'refs/heads/main' |
| workingDirectory | Run cargo audit from the given working directory. | |
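As an added illustration that is not part of the action's README, here is an audit.toml that sets the options the Inputs section refers to. The ignored advisory reuses RUSTSEC-2020-0036 from the example workflow; the section and key names follow cargo-audit's own configuration file format, and the [yanked] section is assumed from that format rather than taken from this page.

```toml
# audit.toml, kept in the directory cargo audit runs from
# (the repository root, or the workingDirectory input for monorepos).

[advisories]
# Advisories accepted as not applicable to this project. Same effect as the
# action's `ignore` input, but version controlled next to Cargo.lock so the
# decision is reviewable in pull requests.
ignore = ["RUSTSEC-2020-0036"]
# Informational warning kinds reported in addition to vulnerabilities.
# With denyWarnings: true in the workflow, each of these fails the action.
informational_warnings = ["unmaintained", "unsound"]

[yanked]
# Also warn when a locked dependency version was yanked from crates.io
# (assumed section from cargo-audit's config format, not named on this page).
enabled = true
```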

License

The scripts and documentation in this project are released under the MIT License.

audit's People

Contributors: autarch, dependabot[bot], jonasbb, lwshang, mbergkvist, pre-commit-ci[bot], reedloden


audit's Issues

Allow configuring the root of the Rust project

The action currently assumes that the Rust project is directly in the root of the repository. This is not always the case, but the Action cannot be configured with a working directory. Instead, a separate input is necessary. This was also requested as PROJECT_PATH for the audit-check action. actions-rs/audit-check#116

Who controls `actions-rust-lang`?

I love the idea of an organisation providing a set of Rust actions. @svartalf provided a useful set of Rust actions that were highly appreciated but he then effectively disappeared from the scene. An organisation should hopefully be better at surviving a member being hit by the metaphorical bus.

But...

Who is actions-rust-lang?

Does the organization have some sort of governing body?

Is the governing body able to assign new maintainers if some fall away?

How does the organization deal with security issues in the actions themselves, such as a maintainer going evil and exfiltrating keys?

actions/cache@v4 does not exist

Maybe it was deleted overnight? I suddenly get failing cargo audits saying that actions/cache@v4 cannot be found. Checking out the actions/cache repo, there is no v4 tag at the moment.

No tag for release 1.1.7

In the changelog I can see you have released version 1.1.7. But there is no git tag for it. Also, when I try to use this action with uses: actions-rust-lang/audit@v1 it still uses 1.1.6. If I specifically specify 1.1.7 I get this error:

Error: Unable to resolve action `actions-rust-lang/audit@v1.1.7`, unable to find version `v1.1.7`

List aliases of vulnerabilities

A single Rustsec ID can match multiple CVEs and also GHSA entries. The aliases should be part of the details table and link to the corresponding CVE and GHSA entries.

make working-directory configurable

Hey,

I want to use this workflow in my monorepo.
I can configure where the Cargo.lock file is located but not where the audit.toml file is located.
So I think the easiest solution is to make the working-directory configurable.

TypeError: 'NoneType' object is not subscriptable

Hello, I'm getting the following error:

Received 0 of 3589271 (0.0%), 0.0 MBs/sec
Received 3589271 of 3589271 (100.0%), 3.3 MBs/sec
Cache Size: ~3 MB (3589271 B)
/usr/bin/tar --use-compress-program unzstd -xf /home/runner/work/_temp/763078f7-6abf-480e-99a0-976057797b44/cache.tzst -P -C /home/runner/work/oneschema/oneschema
Cache restored successfully
Cache restored from key: cargo-audit-v0.17.4
Run import audit
1 entries found.
Traceback (most recent call last):
  File "/home/runner/work/_temp/8d9d485b-a9c7-4c6a-8685-a302dcff39aa.py", line 2, in <module>
    audit.run()
  File "/home/runner/work/_actions/actions-rust-lang/audit/v1/audit.py", line 342, in run
    step_summary.write(entry.format_as_markdown())
  File "/home/runner/work/_actions/actions-rust-lang/audit/v1/audit.py", line 137, in format_as_markdown
    entry_table = self._entry_table()
  File "/home/runner/work/_actions/actions-rust-lang/audit/v1/audit.py", line 68, in _entry_table
    table.append(("Package", f"`{advisory['package']}`"))
TypeError: 'NoneType' object is not subscriptable

My workflow looks like this:

name: "Audit Dependencies"
on:
  push:
    paths:
      # Run if this workflow file changes
      - ".github/workflows/audit.yml"
      # Run on changed dependencies
      - "**/Cargo.toml"
      - "**/Cargo.lock"

jobs:
  cargo-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions-rust-lang/audit@v1
        name: Audit Rust Dependencies
        with:
          ignore: RUSTSEC-2020-0071,RUSTSEC-2021-0139
          createIssues: false

Am I doing something incorrect?

cargo install fails with cargo v1.80

This fails when installing cargo audit with cargo v1.80 due to an issue with the locked version of the time dependency. Removing --locked from the install command allows the command to work.

cargo install cargo-audit --vers 0.20.0 --no-default-features
