Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(rust): Update cargo deny check and deny.toml config #344

Closed
wants to merge 8 commits into from
+4 −32
Closed

feat(rust): Update cargo deny check and deny.toml config #344

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ff699bf
make deny.toml config file check not strict, remove flag -W vulnerabi…
Mr-Leshiy Oct 31, 2024
95b8c95
wip
Mr-Leshiy Oct 31, 2024
bb6c291
fix
Mr-Leshiy Oct 31, 2024
a6efc92
fix spelling
Mr-Leshiy Oct 31, 2024
b715a46
revert
Mr-Leshiy Oct 31, 2024
22aaa1f
wip
Mr-Leshiy Oct 31, 2024
e5b4ee7
fix spelling
Mr-Leshiy Oct 31, 2024
487e0fa
Merge branch 'master' into feat/cargo-deny-check
Mr-Leshiy Nov 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions earthly/rust/scripts/std_checks.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ def main():
results.add(
vendor_files_check.toml_diff_check("/stdcfgs/clippy.toml", "clippy.toml")
)
results.add(vendor_files_check.toml_diff_check("/stdcfgs/deny.toml", "deny.toml"))
results.add(vendor_files_check.toml_diff_check("/stdcfgs/deny.toml", "deny.toml", strict=False))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, i want strict checking of cargo-deny config. Projects should not be able to modify it to suit themselves.


# Check if the rust src is properly formatted.
res = exec_manager.cli_run("cargo +nightly fmtchk ", name="Rust Code Format Check")
Expand All @@ -104,7 +104,7 @@ def main():
results.add(exec_manager.cli_run("cargo machete", name="Unused Dependencies Check"))
# Check if we have any supply chain issues with dependencies.
results.add(
exec_manager.cli_run("cargo deny check --exclude-dev -W vulnerability", name="Supply Chain Issues Check")
exec_manager.cli_run("cargo deny check --exclude-dev", name="Supply Chain Issues Check")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the reasons for ignoreing the RUST-SEC vulnerabilites as errors remain,
A single change to the rustsec database can make our code broken and give us no viable way to resolve it.
I am not filling the cargo-deny config with tons of "We can't fix this vulnerability" exclusions. Its just wrong.
If rust let us actually have some meaningful way to fix vulnerabiliteis, that would be one thing, but its just a timebomb otherwise waiting to break CI outside of our control.

)

results.print()
Expand Down
16 changes: 1 addition & 15 deletions earthly/rust/stdcfgs/deny.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# cspell: words msvc, wasip, RUSTSEC, rustls, libssh, reqwest, tinyvec, Leay, webpki
# cspell: words msvc, wasip, rustls, libssh, reqwest, tinyvec, Leay, webpki

[graph]
# cargo-deny is really only ever intended to run on the "normal" tier-1 targets
Expand All @@ -16,11 +16,6 @@ targets = [

[advisories]
version = 2
ignore = [
{ id = "RUSTSEC-2020-0168", reason = "`mach` is used by wasmtime and we have no control over that." },
{ id = "RUSTSEC-2021-0145", reason = "we don't target windows, and don't use a custom global allocator." },
{ id = "RUSTSEC-2024-0370", reason = "`proc-macro-error` is used by crates we rely on, we can't control what they use."},
]

[bans]
multiple-versions = "warn"
Expand Down Expand Up @@ -51,15 +46,6 @@ skip-tree = [
unknown-registry = "deny"
unknown-git = "deny"

# List of URLs for allowed Git repositories
allow-git = [
"https://github.com/input-output-hk/catalyst-libs.git",
"https://github.com/input-output-hk/catalyst-pallas.git",
"https://github.com/input-output-hk/catalyst-mithril.git",
"https://github.com/bytecodealliance/wasmtime",
"https://github.com/aldanor/hdf5-rust",
]

[licenses]
version = 2
# Don't warn if a listed license isn't found
Expand Down
16 changes: 1 addition & 15 deletions examples/rust/deny.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# cspell: words msvc, wasip, RUSTSEC, rustls, libssh, reqwest, tinyvec, Leay, webpki
# cspell: words msvc, wasip, rustls, libssh, reqwest, tinyvec, Leay, webpki

[graph]
# cargo-deny is really only ever intended to run on the "normal" tier-1 targets
Expand All @@ -16,11 +16,6 @@ targets = [

[advisories]
version = 2
ignore = [
{ id = "RUSTSEC-2020-0168", reason = "`mach` is used by wasmtime and we have no control over that." },
{ id = "RUSTSEC-2021-0145", reason = "we don't target windows, and don't use a custom global allocator." },
{ id = "RUSTSEC-2024-0370", reason = "`proc-macro-error` is used by crates we rely on, we can't control what they use."},
]

[bans]
multiple-versions = "warn"
Expand Down Expand Up @@ -51,15 +46,6 @@ skip-tree = [
unknown-registry = "deny"
unknown-git = "deny"

# List of URLs for allowed Git repositories
allow-git = [
"https://github.com/input-output-hk/catalyst-libs.git",
"https://github.com/input-output-hk/catalyst-pallas.git",
"https://github.com/input-output-hk/catalyst-mithril.git",
"https://github.com/bytecodealliance/wasmtime",
"https://github.com/aldanor/hdf5-rust",
]

[licenses]
version = 2
# Don't warn if a listed license isn't found
Expand Down
Loading