Bug: Check for advisories doesn't seem to work on 0.14.19 #641

Closed
ghost opened this issue Mar 22, 2024 · 12 comments · Fixed by #642
Labels
bug Something isn't working

Comments

@ghost

ghost commented Mar 22, 2024

Describe the bug

After having installed the latest version of cargo-deny (0.14.19) and running cargo deny check advisories in a Rust workspace, I'm met with the following error:

[ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack): client error (Connect)

I'm not sure what the problem is since I can download the file with curl:

curl 'https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack' --output foo

The db-urls used in deny.toml are the same as in the book.
I get the same issue when using the deny.toml from this repository as well:
https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml

I've encountered this problem while using both Ubuntu 22.04 (as OS) and inside a rust:1.76-slim docker container.

To reproduce

  1. Install the latest version of cargo-deny:
    cargo install --version 0.14.19 cargo-deny
  2. Position yourself inside a Rust project with a deny.toml. You can grab an example from here: https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml
  3. Run:
    cargo deny check advisories

cargo-deny version

cargo-deny 0.14.19

What OS were you running cargo-deny on?

Linux

Additional context

No response

@ghost ghost added the bug Something isn't working label Mar 22, 2024
@Jake-Shadle
Member

Can you confirm that older versions still work? I'm unable to repro this so feels like a client side issue (behind proxy or something?).

@hmacias-avaya

0.14.14 working ok for me. A colleague running 0.14.19 is seeing this same issue

@hmacias-avaya

..after upgrading it fails for me as well. I'm not behind any vpn or proxy:

2024-03-22 15:15:13 [INFO] gathered 346 crates in 449ms
2024-03-22 15:15:13 [ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: failed to prepare fetch: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack)

@hmacias-avaya

using 0.14.19 shows that issue. Compiling from current head 621ff39 seems to work just fine 🤷

@Jake-Shadle
Member

That does not make sense, there was no change between them that would affect this.

@ilpanich

It is a little bit weird, guys: on my laptop running Arch Linux it works perfectly, but when I try to build with the official Rust Docker image 1.7.0-slim-bookworm I get the issue.
Version 0.14.18 works on 1.7.0-slim-bookworm.

@hmacias-avaya

I know it still sounds weird(er), but if I install version 0.14.19:

cargo install cargo-deny --version 0.14.19 --force 

and do a cargo deny check, I see the same error every single time.

If I build from source on commit c16388b (tag: 0.14.19) then it works fine for me both building in release and non-release modes.

@amousset

I could reproduce the issue (both with cargo deny and cargo audit), I'm investigating.

@Jake-Shadle
Member

I can repro this, I believe I know what is happening.

@Jake-Shadle
Member

The issue is that gix-transport 0.41.3, or one of the updated dependencies it uses, has a bug. Again, the recommended way to install cargo-deny, as stated in the README, is to use --locked when running cargo install, as otherwise bugs or semver breakages which are not tested in CI can occur.
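
A check for the pitfall described in the comment above, as an added example that is not part of the original thread or of the cargo-deny project: it scans a Dockerfile or CI script for `cargo install` invocations that lack `--locked`, including ones that pin `--version` (as the 0.14.19 install in this thread did, which still resolved untested dependency versions). The sample Dockerfile and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample Dockerfile (not from the thread's reporters).
SAMPLE_DOCKERFILE = """\
FROM rust:1.76-slim
RUN cargo install --version 0.14.19 cargo-deny
RUN apt-get update && \\
    cargo install cargo-audit \\
      --locked
RUN cargo install --locked --version 0.14.20 cargo-deny
RUN cargo install cargo-deny --version 0.14.19 --force  # unlocked
"""

# Shell operators that separate one command from the next.
SEPARATORS = re.compile(r"&&|\|\||[;|]")


def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_number, joined_text)."""
    buf, start = "", None
    for number, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield start, buf + stripped
        buf, start = "", None
    if buf:
        yield start, buf


def find_unlocked_installs(text):
    """Return (line_number, command) for each `cargo install` without --locked."""
    findings = []
    for line_no, line in logical_lines(text):
        for segment in SEPARATORS.split(line):
            try:
                tokens = shlex.split(segment, comments=True)
            except ValueError:  # unbalanced quotes: fall back to naive split
                tokens = segment.split()
            for i in range(len(tokens) - 1):
                rest = tokens[i + 1:]
                if tokens[i] == "cargo" and rest[0].startswith("+"):
                    rest = rest[1:]  # skip a toolchain selector such as +stable
                if tokens[i] == "cargo" and rest[:1] == ["install"] and "--locked" not in rest:
                    findings.append((line_no, " ".join(tokens[i:])))
    return findings
```

Run `find_unlocked_installs` over each build file in CI and fail the job when the returned list is non-empty.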

@ghost
Author

ghost commented Mar 25, 2024

Thank you, @Jake-Shadle for the quick response and fix, I've followed through and it was quite the rabbit hole. I can confirm cargo-deny 0.14.20 works, though I think I will move to installing cargo-deny with --lock into the image.

@yurnery

yurnery commented Apr 24, 2024

  1. clear the allow scope in deny.toml
  2. run cargo deny check, it will fail.
  3. fill licenses in the allow scope again.
  4. it works.

It works for me
