Add support for --ignore · Issue #223 · actions-rs/audit-check · GitHub
This repository was archived by the owner on Oct 13, 2023. It is now read-only.

Add support for --ignore #223

Closed
3 tasks done
djmitche opened this issue Jun 1, 2022 · 6 comments
Labels
enhancement New feature or request

Comments

@djmitche
djmitche commented Jun 1, 2022

Do the checklist before filing an issue:

Motivation

Sometimes addressing an advisory is not important for a repository. Maybe it's only used in test or deprecated code, or is a difficult fix and analysis of the vulnerability shows the repo isn't actually vulnerable. In those cases, cargo audit provides --ignore, but it seems this option is not available in the GitHub action.

Workflow example

```yaml
jobs:
  audit:
    runs-on: ubuntu-latest
    permissions: write-all
    name: "Audit Dependencies"
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/audit-check@v1
        with:
          ignore:
            - RUSTSEC-2021-0124
          token: ${{ secrets.GITHUB_TOKEN }}
```
@moliva
moliva commented Jun 17, 2022

I think this PR should be of help for you: #221.

@matschaffer
matschaffer commented Jul 19, 2022

This would be helpful given the state of https://rustsec.org/advisories/RUSTSEC-2020-0071 and chronotope/chrono#602

The CVE is low risk for chrono and the problematic dependency should be removed in the next version.

@matschaffer

From @djmitche in #221 (comment)

So it turns out that .cargo/audit.toml can be used to ignore things, too -- I just had it in the wrong directory (fix in GothenburgBitFactory/taskwarrior#2903). So the fork probably isn't necessary!

So we could probably close this issue. Though explicit documentation might be more helpful than this github issue for future users.
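A `.cargo/audit.toml` of the kind the quoted comment refers to, added here as an illustration (it is not from this thread or from the actions-rs project); the two advisory IDs are the ones mentioned in this thread, and the reasons attached to them are constructed placeholders:

```toml
# .cargo/audit.toml, placed at the repository root (the directory cargo audit
# runs in). Added illustration, not part of this issue or of actions-rs/audit-check.
# cargo audit picks this file up on its own, so the action needs no extra input
# for the ignore list to take effect.

[advisories]
# Record a reason for every ignored advisory so the exception is reviewed
# rather than forgotten. The reasons below are constructed examples.
ignore = [
    # constructed reason: affected code path is not reachable from this crate
    "RUSTSEC-2020-0071",
    # constructed reason: the dependency is only used in test code
    "RUSTSEC-2021-0124",
]

# Optional: still print informational advisories of these kinds without failing.
informational_warnings = ["unmaintained"]

# Optional: fail only on advisories at or above this CVSS severity.
severity_threshold = "low"
```

Because the file lives in the repository, each change to the ignore list shows up in code review alongside the reason for it.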

@djmitche

Yeah, this seems to be the closest there is to documentation of audit.toml. Maybe a PR to that repo would be useful?

At any rate, this support is now added so this issue can be closed.

@matschaffer

Nice! I opened rustsec/rustsec#650 to capture documentation that I think might help.

@matschaffer

heh, though based on GothenburgBitFactory/taskwarrior#2903 (comment) @pinkforest might be in favor of re-opening this issue. :)
