Add workaround for erroneous advisory detection #318
Merged
rustsec used to change how pre-release version requirements were handled compared to the standard semver crate, but this was removed (see https://github.com/RustSec/rustsec-crate/issues/218), causing advisories to be detected incorrectly for pre-release versions (see #316 for a concrete example). This PR adds a workaround for the behavior by detecting if the crate version in question is a pre-release version, and creates a version without the pre-release identifier to match against potential patched/unaffected versions. If the short version is patched/unaffected, we don't emit whatever diagnostic we would have, but do emit a warning saying we skipped it because it was a pre-release, and which patch/unaffected version it matched against to at least notify the user about this.
There are some edge cases in this approach, but considering how relatively rare pre-releases are in general across the ecosystem, I am not super concerned about them, considering that a warning is still emitted so that a user can dive deeper if they are curious or think the advisory is being skipped erroneously.
Resolves: #316
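The workaround described above, as an added stand-alone example (not the PR's or cargo-deny's code). It uses a deliberately simplified version model: std-only parsing of `major.minor.patch[-pre]`, only `>=x.y.z` patched requirements, and the semver rule that a pre-release version never matches a requirement without a pre-release tag; the names `Outcome`, `check` and `satisfies` are assumptions for this example.

```rust
// Added example: minimal model of the pre-release workaround; not cargo-deny code.
#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone, Copy)]
pub struct Version { pub major: u64, pub minor: u64, pub patch: u64 }

#[derive(Debug, PartialEq)]
pub enum Outcome {
    /// No patched requirement matched: the diagnostic would be emitted.
    Vulnerable,
    /// A patched requirement matched the version as-is.
    Patched,
    /// Diagnostic suppressed: only the pre-release-stripped version matched,
    /// so a warning naming the matched requirement is emitted instead.
    SkippedPreRelease { short: Version, matched: String },
}

/// Parse "major.minor.patch[-pre]" into its numeric core and a pre-release flag.
pub fn parse(v: &str) -> Option<(Version, bool)> {
    let (core, is_pre) = match v.split_once('-') {
        Some((c, _)) => (c, true),
        None => (v, false),
    };
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let (major, minor, patch) = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; } // reject "1.2.3.4"
    Some((Version { major, minor, patch }, is_pre))
}

/// Semver rule modelled here: a pre-release version only matches a requirement
/// that itself carries a pre-release tag, so a plain ">=x.y.z" never matches one.
fn satisfies(req: &str, v: Version, is_pre: bool) -> bool {
    match req.strip_prefix(">=").and_then(|r| parse(r.trim())) {
        Some((min, _)) if !is_pre => v >= min,
        _ => false,
    }
}

/// Decide what the advisory check reports for `version` against `patched`
/// requirements. Returns None for an unparsable version.
pub fn check(version: &str, patched: &[&str]) -> Option<Outcome> {
    let (short, is_pre) = parse(version)?;
    if patched.iter().any(|r| satisfies(r, short, is_pre)) {
        return Some(Outcome::Patched);
    }
    if is_pre {
        // Workaround: retry with the pre-release identifier stripped.
        if let Some(r) = patched.iter().find(|r| satisfies(r, short, false)) {
            return Some(Outcome::SkippedPreRelease { short, matched: r.to_string() });
        }
    }
    Some(Outcome::Vulnerable)
}
```

A pre-release whose stripped version is still below every patched requirement (for example `1.1.0-beta` against `>=1.2.0`) stays `Vulnerable`, which is the edge case the description accepts in exchange for the emitted warning.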