WARNING: Dependency file was never scanned:... errors

[S-Coyle]

I'd like to run cargo-geiger as a stage in our CI, for information only. I've tried it out locally & on CI on a couple of our crates and I seem to always see WARNING: Dependency file was never scanned:... warnings, which cause the CI step to exit with 1, i.e. fail.
See example on CI here.

Tried running cargo update and cargo +nightly udeps to help rule out there being an outdated or unused dep in there but no difference/no unused deps.

Are you able to shed any light on why it's not scanning some dependency files?

[anderejd]

Thanks for the report!

I'm guessing this could be related to procedural macros. The next step should be to create a minimal example project using rustversion that seems to be involved.

[qrilka]

@S-Coyle GitHub returns

No check run found with ID 1443079338 for this pull request.

for the URL you posted. Does this warning still appear? I couldn't reproduce it locally on the latest commit of bls_signature_aggregator

[S-Coyle]

@qrilka Thanks for taking a look - seems those warnings are not present any more 🎉 (new scan link here).

There's been minimal development in the linked crate I tested this on since I reported this issue last year, so I suspect the fix has come from the cargo-geiger end, great to see it working for me 😄

I assume it's ok to close this issue

[S-Coyle]

@qrilka I'm reopening as I've just tried in another of our repos and I'm seeing 4 of the same WARNING: Dependency file was never scanned:... errors. See here for an up to date example

Update - tried in a selection of our other repos locally & seems the larger crates all fail with the warnings, while the simpler/smaller crates are usually fine.

[qrilka]

Just to keep it here if GitHub will delete the action run above:
it's commit e788f5587c3492a82d25e3c0ffa2effcc963c075 of https://github.com/maidsafe/sn_messaging
and the lines with warning are:

0/0        13/13        0/0    0/0     0/0      !  ├── tiny-keccak 2.0.2
451
0/0        0/0          0/0    0/0     0/0      ?  └── xor_name 1.1.11
452
                                                  [dev-dependencies]
453
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/typenum-1.12.0/src/private.rs
454
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/typenum-1.12.0/src/type_operators.rs
455
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/typenum-1.12.0/src/uint.rs
456
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs
457
0/14       0/364        0/2    0/0     0/11     ?  ├── anyhow 1.0.38
458
0/0        6/6          0/0    0/0     0/0      !  └── rand_xorshift 0.2.0

#119 seems to be also valid in this case :)

[mleonhard]

I'm getting this error with cargo-geiger built from source today (commit 8d1a264) running on a project that uses rustls:

+ cargo geiger --update-readme --readme-path Readme.md.tmp --output-format GitHubMarkdown
   Compiling cc v1.0.67
    Checking spin v0.5.2
    Checking untrusted v0.7.1
   Compiling log v0.4.14
    Checking cfg-if v1.0.0
    Checking base64 v0.13.0
    Checking rustls-pemfile v0.2.0
   Compiling ring v0.16.20
    Checking webpki v0.21.4
    Checking sct v0.6.0
    Checking rustls v0.19.0
    Checking ...
    Finished dev [unoptimized + debuginfo] target(s) in 10.00s
    Scanning done
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-p256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ed25519.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-encryption.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pkcs1-sha512.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-p384.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pss-sha512.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/ec/suite_b/ecdsa/ecPublicKey_p256_pkcs8_v1_template.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/ec/suite_b/ecdsa/ecPublicKey_p384_pkcs8_v1_template.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pkcs1-sha384.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-sha256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pss-sha256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/ec/curve25519/ed25519/ed25519_pkcs8_v2_template.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-sha384.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pkcs1-sha256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/data/alg-rsa-encryption.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pss-sha384.der
error: Found 16 warnings

[pinkforest]

Things have changed a bit over a year -

However -

Just sum summarum from current state here - two different errors right now -

• First is code that should be perhaps included or not included and
• Second is about geiger for some reason including the DER data files which we may be able to prevent as it's not code.

Not getting any warnings on maidsafe/bls_signature_aggregator w/ current 0.11.2 or git version to replicate

repro

    docker run -ti --rm rust /bin/bash
    cargo install cargo-geiger --git https://github.com/rust-secure-code/cargo-geiger --force
    mkdir app ; cd app
    git clone <repo> .
    cargo geiger

Meanwhile for maidsafe/sn_messaging (I had to bump dbg that was using unavailable aes dep) gives error on base-x crate which comes via multibase dependency (real e.g. non-build/dev dep)

    Finished dev [unoptimized + debuginfo] target(s) in 18.21s
Failed to parse file: /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs, Syn(Error("expected one of: `::`, `<`, `_`, literal, `const`, `ref`, `mut`, `&`, parentheses, square brackets, `..`, `const`"), "/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs") 
    Scanning done
WARNING: Dependency file was never scanned: /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs

It might be something to do with this

   Updating crates.io index
   Compiling base-x v0.2.8 (/app)
warning: anonymous parameters are deprecated and will be removed in the next edition
  --> src/decoder.rs:16:13
   |
16 |     fn iter(&'a str) -> Self::Iter;
   |             ^^^^^^^ help: try naming the parameter or explicitly ignoring it: `_: &'a str`
   |
   = note: `#[warn(anonymous_parameters)]` on by default
   = warning: this is accepted in the current edition (Rust 2015) but is a hard error in Rust 2018!
   = note: for more information, see issue #41686 <https://github.com/rust-lang/rust/issues/41686>

warning: anonymous parameters are deprecated and will be removed in the next edition
  --> src/decoder.rs:17:21
   |
17 |     fn carry(&self, <Self::Iter as std::iter::Iterator>::Item) -> Option<u32>;
   |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: try naming the parameter or explicitly ignoring it: `_: <Self::Iter as std::iter::Iterator>::Item`
   |
   = warning: this is accepted in the current edition (Rust 2015) but is a hard error in Rust 2018!
   = note: for more information, see issue #41686 <https://github.com/rust-lang/rust/issues/41686>

warning: `base-x` (lib) generated 2 warnings
    Finished dev [unoptimized + debuginfo] target(s) in 1.43s

Actions To Resolve

• Figure out what to do with base-x compile warnings whether this messes up things
• See if we can remove warnings from .DER data files and whether this is feasible
• Document expectations what/what not on Warnings
• Improve Warnings reporting in general (Next Major version)

@mleonhard if you could - we could have the .DER issue separately "DER Data files Warning" if you want to raise or I can just comment progress here - thanks a lot 💜

[lestephane]

I'm getting this error, and it's not related to DER files, exactly what does it mean (I've read the comments and am none the wiser)?

$ cargo geiger --all-dependencies
    Checking reverse_string v1.2.0 (SCRUBBED/reverse-string)
    Finished dev [unoptimized + debuginfo] target(s) in 0.16s
    Scanning done
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/word.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/tables.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-reverse-1.0.8/src/lib.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/grapheme.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/sentence.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/lib.rs

I have the reproduction at hand, since this is a small exercism.io project.