-
Notifications
You must be signed in to change notification settings - Fork 369
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate to V3 advisory format #414
Comments
Do we have a format specification listing all the fields (like a schema) and specifying how to parse this format? For example, the handling of "```" occurring in the TOML body or in the description can be ambiguous. I feel that ease of parsing is a necessary constraint for the format, and I'm not comfortable stabilizing it until the proper way to parse it is specified and is found feasible to implement in third-party tooling. |
There are two ways to parse it:
Also per #240 I feel it's a little late to be voicing concerns here. If there's a serious issue we can revert. |
One snag: the linter needs to be updated, since it parses the raw TOML as a |
Yeah, I'm always late with these to the point of being unhelpful 😞 |
WIP PR to translate the database here: #420 |
As proposed in #240 and tracked in #414, this PR translates all advisories into the new "V3" advisory format, which is based on Markdown with leading TOML front matter. This format makes it easier to see rendered Markdown syntax descriptions, whether rendered by an IDE or GitHub. This should help with both crafting advisories initially as well as review, and ideally encourages more lengthy descriptions. Support for this format shipped in `cargo-audit` v0.12.0 on May 6th, 2020.
As proposed in #240 and tracked in #414, this PR translates all advisories into the new "V3" advisory format, which is based on Markdown with leading TOML front matter. This format makes it easier to see rendered Markdown syntax descriptions, whether rendered by an IDE or GitHub. This should help with both crafting advisories initially as well as review, and ideally encourages more lengthy descriptions. Support for this format shipped in `cargo-audit` v0.12.0 on May 6th, 2020.
All advisories have been translated into the new format in #420. We still have the option of rolling back if there are any showstoppers, but so far everything seems to be working normally on versions of |
The only lingering issue right now, I think is this may have broken |
Needed to support new cargo audit advisory format rustsec/advisory-db#414
Needed to support new cargo audit advisory format rustsec/advisory-db#414
A big problem I just noticed is the advisory template needs to be updated: https://github.com/RustSec/advisory-db#advisory-format I'm wondering if we should split it out into its own file so it can be easily copied/pasted without the comment annotations. |
Until our container moves to cargo audit v0.12.0. See rustsec/advisory-db#414 (comment) Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
I have a hunch that because of this new format change we are no longer able to use Would it be possible that future updates to the database take into consideration older versions of This problem affects both Firecracker & rust-vmm projects. |
Until our container moves to cargo audit v0.12.0. See rustsec/advisory-db#414 (comment) Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Until our container moves to cargo audit v0.12.0. See rustsec/advisory-db#414 (comment) Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
@andreeaflorescu we did. There was (confirmed) advance warning that Prior to getting a hard error, this should've surfaced as at least a warning message emitted by
Is there a particular reason you can't upgrade to |
@tarcieri we will be able to update to We can have workarounds such as installing the newest Rust toolchain and only use that for running Are you planning on adding these warnings before breaking the compatibility for older versions? And if yes, what automated check would you recommend that we can implement such that we catch these warnings before they turn into errors? |
This is hopefully going to be the last major breaking change to the advisory database format of this nature. Did you not get a warning message, or was it not noticed because
You said you're using Rust 1.44.1. The MSRV for |
That'd be really nice. Also, is it not feasible for the database to also be versioned?
I am not sure here, I'll have to double check with my colleagues. In rust-vmm the test was not run for 2 weeks or so, and then it suddenly failed today.
There was some confusion related to the supported Rust version. It works indeed, thanks! |
The combination that doesn't compile is Rust 1.44.1 and
Rust 1.44.1 + |
Adds an example advisory in the V3 format (#414) and updates the schema information in README.md to reflect that.
Adds an example advisory in the V3 format (#414) and updates the schema information in README.md to reflect that.
Adds an example advisory in the V3 format (#414) and updates the schema information in README.md to reflect that.
As of #440 automatic ID assignment is fixed. The linter will also reject the legacy V2 format. The migration to the new format is complete. |
The V3 advisory format uses Markdown with TOML frontmatter. It was originally proposed in #240 and implemented (with some changes from the original proposal) in RustSec/rustsec-crate#167.
The new format allows us to see renderings of Markdown-formatted descriptions in PRs and when viewing advisories on GitHub. Barring any unforeseen circumstances, this will be the final stable advisory format, and will unlock releasing 1.0 versions of the various RustSec crates.
In #240, we suggested attempting a migration today, October 1st, 2020 (i.e beginning of Q3), which this issue is for tracking.
Example advisory:
https://raw.githubusercontent.com/RustSec/rustsec-crate/master/tests/support/example_advisory_v3.md
Rendered:
All your base are belong to us
You have no chance to survive. Make your time.
The text was updated successfully, but these errors were encountered: