This repository has been archived by the owner on Oct 13, 2023. It is now read-only.

Provide a way to pass options to cargo-audit #132

Open
taiki-e opened this issue Jul 5, 2020 · 11 comments · May be fixed by #133
Labels
enhancement New feature or request

Comments

@taiki-e

taiki-e commented Jul 5, 2020

Motivation

cargo-audit has some useful options, and it would be nice to be able to use them via audit-check. For example:

  • --deny-warnings: Fail if a warning exists -- warnings may be missed by reviewers until the PR has been merged and the issue submitted.
  • --ignore: Ignore the specified advisory -- if the fix requires a breaking change, the fix may be postponed as it cannot be applied immediately (especially if that advisory is a warning).

Workflow example

      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          options: --deny-warnings --ignore RUSTSEC-2020-0016

or

      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          deny-warnings: true
          ignore: [RUSTSEC-2020-0016]
@taiki-e taiki-e added the enhancement New feature or request label Jul 5, 2020
@tarcieri

tarcieri commented Sep 8, 2020

I think it'd be great to have the arguments parameterized as in the second example, e.g. ignore: ["RUSTSEC-2020-0016"]

@tarcieri

tarcieri commented Sep 23, 2020

FYI, we just landed a PR to cargo-audit to autodetect a project-local .cargo/audit.toml file, which can be used to pass most configuration options and also means running it locally will match CI:

rustsec/rustsec#252

That should hopefully also address this issue.

Edit: this is now available in cargo-audit v0.13

tarcieri pushed a commit to iqlusioninc/yubihsm.rs that referenced this issue Sep 23, 2020
Unfortunately we can't pass an `--ignore` option to cargo-audit via
`actions-rs/audit-check` to ignore the request smuggling vulnerability
in `tiny_http` due to this issue:

actions-rs/audit-check#132

This PR switches to invoking `cargo audit` directly so we can.
tony-iqlusion added a commit to iqlusioninc/yubihsm.rs that referenced this issue Sep 23, 2020
…#92)

Unfortunately we can't pass an `--ignore` option to cargo-audit via
`actions-rs/audit-check` to ignore the request smuggling vulnerability
in `tiny_http` due to this issue:

actions-rs/audit-check#132

This PR switches to invoking `cargo audit` directly so we can.
@alan-signal

I created an audit.toml:

[output]
deny = ["unmaintained", "unsound", "yanked"]
quiet = false

Which worked locally in promoting the warnings to errors; however, I saw no difference in the audit-check task, it still passed with warnings. Is there a trick I'm missing?

@tarcieri

You placed it in .cargo/audit.toml?

@alan-signal

@tarcieri yes I did, and like I said it does have an effect locally.

I'm in a private repo ATM, but if this is a surprise that it's not working, I can make a MVCE repo?

@tarcieri

Is it possible CI is caching an older version of cargo-audit?

@alan-signal

alan-signal commented May 26, 2021

I suppose that's possible. I'm afraid I don't understand if/when it would update but do you know how to check the version used?

Here is my MCVE repo: alan-signal/cargo-audit-action#1

@alan-signal

alan-signal commented May 26, 2021

@tarcieri Looking at this I can see this action runs $ cargo audit --json.

Locally, removing my .cargo/audit.toml file, it merely has this effect on the output json:

[image]

So, it would seem that the issue is that the json output does not reflect the output options and it is reported as a warning regardless:

  "warnings": {
    "unmaintained": [
      {
        "kind": "unmaintained",
        "package": {
          "name": "cpuid-bool",
          "version": "0.2.0",
          "source": "registry+https://github.com/rust-lang/crates.io-index",
          "checksum": "dcb25d077389e53838a8158c8e99174c5a9d902dee4904320db714f3c653ffba",
          "replace": null
        },
        "advisory": {
          "id": "RUSTSEC-2021-0064",
          "package": "cpuid-bool",
          "title": "`cpuid-bool` has been renamed to `cpufeatures`",
          "description": "Please use the `cpufeatures`` crate going forward:\n\n<https://github.com/RustCrypto/utils/tree/master/cpufeatures>\n\nThere will be no further releases of `cpuid-bool`.",
          "date": "2021-05-06",
          "aliases": [],
          "related": [],
          "collection": "crates",
          "categories": [],
          "keywords": [],
          "cvss": null,
          "informational": "unmaintained",
          "url": "https://github.com/RustCrypto/utils/pull/381",
          "references": [],
          "yanked": false
        },
        "versions": {
          "patched": [],
          "unaffected": []
        }
      }
    ]
  }
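
A worked example added here, not code from actions-rs/audit-check or cargo-audit, covering both the `.cargo/audit.toml` approach tarcieri describes above and the finding in this comment: because the `--json` report files informational advisories under `warnings` regardless of `[output] deny`, whatever consumes the JSON (the action, or a script wrapped around `cargo audit --json`) has to apply the deny and ignore policy itself. The `policy` object mirrors the audit.toml keys `output.deny` and `advisories.ignore`; the names `evaluateReport` and `describe` and the placeholder ids/crates in the sample report are my own, and the sample report is constructed around the cpuid-bool entry posted above.

```javascript
// Added example, not code from actions-rs/audit-check or cargo-audit. It
// shows the decision a consumer of `cargo audit --json` has to make itself:
// the JSON lists informational advisories under "warnings" whatever
// `[output] deny` says, so the consumer applies the deny and ignore policy.
// `policy` mirrors the `.cargo/audit.toml` keys `output.deny` (warning kinds
// to fail on, or "warnings" for every kind) and `advisories.ignore` (RUSTSEC
// ids to skip). Function and variable names are assumptions of this example.

// Constructed sample report. The cpuid-bool entry is the one posted above;
// RUSTSEC-2020-0016 (net2) is the advisory the issue uses as its --ignore
// example; the vulnerability and yanked entries use obviously fake
// placeholder ids/crates so that every code path below is exercised.
const SAMPLE_REPORT = {
  vulnerabilities: {
    found: true,
    count: 1,
    list: [
      {
        advisory: { id: "RUSTSEC-0000-0000", package: "placeholder-crate" },
        package: { name: "placeholder-crate", version: "0.1.0" },
      },
    ],
  },
  warnings: {
    unmaintained: [
      {
        kind: "unmaintained",
        package: { name: "cpuid-bool", version: "0.2.0" },
        advisory: { id: "RUSTSEC-2021-0064", package: "cpuid-bool" },
      },
      {
        kind: "unmaintained",
        package: { name: "net2", version: "0.2.33" },
        advisory: { id: "RUSTSEC-2020-0016", package: "net2" },
      },
    ],
    yanked: [
      // cargo-audit reports yanked crates with no advisory attached.
      { kind: "yanked", package: { name: "placeholder-yanked", version: "1.0.0" }, advisory: null },
    ],
  },
};

// Short "id crate version" label for a report entry; falls back to the
// warning kind when the entry carries no advisory (yanked crates).
function describe(entry, kind) {
  const id = entry.advisory && entry.advisory.id ? entry.advisory.id : kind;
  return `${id} ${entry.package.name} ${entry.package.version}`;
}

// Apply the policy to a parsed report and return what a CI step needs:
// whether to fail, plus the entries behind that decision.
function evaluateReport(report, policy = {}) {
  const ignore = new Set((policy.advisories && policy.advisories.ignore) || []);
  const deny = new Set((policy.output && policy.output.deny) || []);
  const denyAll = deny.has("warnings");

  const isIgnored = (entry) =>
    Boolean(entry.advisory && entry.advisory.id && ignore.has(entry.advisory.id));

  const result = { fail: false, vulnerabilities: [], deniedWarnings: [], allowedWarnings: [], ignored: [] };

  for (const entry of (report.vulnerabilities && report.vulnerabilities.list) || []) {
    const label = describe(entry, "vulnerability");
    if (isIgnored(entry)) result.ignored.push(label);
    else result.vulnerabilities.push(label);
  }

  for (const [kind, entries] of Object.entries(report.warnings || {})) {
    for (const entry of entries) {
      const label = describe(entry, kind);
      if (isIgnored(entry)) result.ignored.push(label);
      else if (denyAll || deny.has(kind)) result.deniedWarnings.push(label);
      else result.allowedWarnings.push(label);
    }
  }

  // Real vulnerabilities always fail; warnings fail only when their kind is denied.
  result.fail = result.vulnerabilities.length > 0 || result.deniedWarnings.length > 0;
  return result;
}

// Usage: run `cargo audit --json > report.json`, parse it, and pass it in
// place of SAMPLE_REPORT together with the policy from .cargo/audit.toml.
const examplePolicy = { output: { deny: ["unmaintained", "yanked"] }, advisories: { ignore: ["RUSTSEC-2020-0016"] } };
console.log(JSON.stringify(evaluateReport(SAMPLE_REPORT, examplePolicy), null, 2));
```

With an empty policy every warning is allowed and only the vulnerability list can fail the run, which is the behaviour observed in this comment; `deny: ["warnings"]` fails on every warning kind, mirroring the `--deny-warnings` request that opened the issue. The `ignored` list is kept so a CI log still shows which advisories were waived rather than silently dropping them.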

@tarcieri

Huh, could be a bug. Can you open an issue on https://github.com/rustsec/rustsec?

@alan-signal

I will, thank you!

@alan-signal

@tarcieri rustsec/rustsec#376 thanks again!
