
Add workaround for erroneous advisory detection #318

Merged (4 commits), Dec 15, 2020

Conversation

Jake-Shadle (Member)

rustsec used to change how pre-release version requirements were handled compared to the standard semver crate, but this was removed (see https://github.com/RustSec/rustsec-crate/issues/218) causing advisories to be detected incorrectly for pre-release versions (see #316 for a concrete example).

This PR adds a workaround for the behavior by detecting if the crate version in question is a pre-release version, and creates a version without the pre-release identifier to match against potential patched/unaffected versions. If the short version is patched/unaffected, we don't emit whatever diagnostic we would have, but do emit a warning saying we skipped it because it was a pre-release, and which patch/unaffected version it matched against to at least notify the user about this.

There are some edge cases in this approach, but considering how relatively rare pre-releases are in general across the ecosystem, I am not super concerned about them, considering that a warning is still emitted so that a user can dive deeper if they are curious or think the advisory is being skipped erroneously.

Resolves: #316
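The pre-release workaround described above, as an added example that is not cargo-deny's or rustsec's code: a minimal hand-rolled semver parser stands in for the `semver` crate so the block runs stand-alone, and the patched requirement `>=0.20.0` used for the trust-dns-proto case is an assumption, not taken from the advisory.

```rust
// Added example, not cargo-deny's or rustsec's code: models the PR's workaround with a
// minimal hand-rolled semver parser so it runs without the `semver` crate.
// The patched requirement ">=0.20.0" used when calling `check` is a constructed assumption.
#[derive(Debug, Clone, PartialEq, Eq)]
struct Version {
    core: (u64, u64, u64),  // MAJOR.MINOR.PATCH
    pre: Option<String>,    // pre-release identifier, e.g. "alpha.3"
}

// Parses "MAJOR.MINOR.PATCH[-PRE]"; build metadata ("+...") is not handled.
fn parse(v: &str) -> Option<Version> {
    let (core, pre) = match v.split_once('-') {
        Some((c, p)) => (c, Some(p.to_string())),
        None => (v, None),
    };
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let core = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; } // reject a fourth component
    Some(Version { core, pre })
}

// Standard semver precedence for ">= min": a pre-release of `min` sorts below
// `min`, so 0.20.0-alpha.3 does NOT satisfy ">=0.20.0". That is exactly why the
// advisory started firing once rustsec stopped special-casing pre-releases.
fn satisfies_at_least(v: &Version, min: &Version) -> bool {
    v.core > min.core || (v.core == min.core && v.pre.is_none())
}

#[derive(Debug, PartialEq, Eq)]
enum Outcome {
    Vulnerable,                // emit the advisory diagnostic as usual
    Patched,                   // version satisfies the patched requirement
    SkippedPreRelease(String), // downgrade to a warning naming the match
}

// The workaround: on a miss, strip the pre-release identifier and retry; if the
// shortened version is patched, warn instead of erroring so the user can dig in.
fn check(version: &str, patched_min: &str) -> Outcome {
    let v = parse(version).expect("valid crate version");
    let min = parse(patched_min).expect("valid patched version");
    if satisfies_at_least(&v, &min) { return Outcome::Patched; }
    if v.pre.is_some() {
        let short = Version { core: v.core, pre: None };
        if satisfies_at_least(&short, &min) {
            let (a, b, c) = short.core;
            return Outcome::SkippedPreRelease(format!("{}.{}.{} matched >={}", a, b, c, patched_min));
        }
    }
    Outcome::Vulnerable
}
```

`check("0.20.0-alpha.3", "0.20.0")` is the #316 scenario: standard precedence says the version is unpatched, the stripped retry matches, so the result is a warning rather than an error.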

@Jake-Shadle Jake-Shadle merged commit 0fb3ef5 into main Dec 15, 2020
@Jake-Shadle Jake-Shadle deleted the fix-advisory-detection branch December 15, 2020 10:00

djc commented Dec 15, 2020

I'm not seeing this show up in cargo-deny-action yet -- is that expected?

Jake-Shadle (Member, Author) commented

Oh, I need to update that sorry. 😬


djc commented Dec 16, 2020

No problem, your work is much appreciated!

Jake-Shadle (Member, Author) commented

Ok, this is now available in the latest v1 of cargo-deny-action.

Successfully merging this pull request may close these issues.

Regression: RUSTSEC-2018-0007 triggers error for trust-dns-proto 0.20.0-alpha.3