From 4bd92dc341d62fd2d1c866be982850eca1a4487d Mon Sep 17 00:00:00 2001 From: Timothy DeHerrera Date: Mon, 30 Sep 2024 10:47:44 -0600 Subject: [PATCH] ci: implement security auditing checks `cargo-audit` and the RustSec Advisory DB see: https://rustsec.org/ --- .cargo/audit.toml | 11 +++++++++++ .github/workflows/audit.yml | 25 +++++++++++++++++++++++++ Cargo.lock | 23 +++++++---------------- nix/shell.nix | 1 + 4 files changed, 44 insertions(+), 16 deletions(-) create mode 100644 .cargo/audit.toml create mode 100644 .github/workflows/audit.yml diff --git a/.cargo/audit.toml b/.cargo/audit.toml new file mode 100644 index 000000000..9696d8e09 --- /dev/null +++ b/.cargo/audit.toml @@ -0,0 +1,11 @@ +[advisories] +ignore = [] +severity_threshold = "low" + +[output] +format = "json" +quiet = false + +[yanked] +enabled = true + diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml new file mode 100644 index 000000000..13d710e0f --- /dev/null +++ b/.github/workflows/audit.yml @@ -0,0 +1,25 @@ +name: "Audit Dependencies" +on: + push: + paths: + # Run if workflow changes + - '.github/workflows/audit.yml' + # Run on changed dependencies + - '**/Cargo.toml' + - '**/Cargo.lock' + # Run if the configuration file changes + - '.cargo/audit.toml' + # Rerun periodicly to pick up new advisories + schedule: + - cron: '0 0 * * *' + # Run manually + workflow_dispatch: + +jobs: + security_audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: rustsec/audit-check@v2.0.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/Cargo.lock b/Cargo.lock index 167397477..d66ffd031 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3539,7 +3539,7 @@ dependencies = [ "httpdate", "itoa", "pin-project-lite", - "socket2 0.5.7", + "socket2 0.4.10", "tokio", "tower-service", "tracing", @@ -3632,7 +3632,7 @@ dependencies = [ "iana-time-zone-haiku", "js-sys", "wasm-bindgen", - "windows-core 0.52.0", + "windows-core", ] [[package]] @@ -5799,9 +5799,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "openssl" -version = "0.10.64" +version = "0.10.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" +checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" dependencies = [ "bitflags 2.6.0", "cfg-if", @@ -5840,9 +5840,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.102" +version = "0.9.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" +checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" dependencies = [ "cc", "libc", @@ -12847,7 +12847,7 @@ version = "0.51.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ca229916c5ee38c2f2bc1e9d8f04df975b4bd93f9955dc69fabb5d91270045c9" dependencies = [ - "windows-core 0.51.1", + "windows-core", "windows-targets 0.48.5", ] @@ -12860,15 +12860,6 @@ dependencies = [ "windows-targets 0.48.5", ] -[[package]] -name = "windows-core" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33ab640c8d7e35bf8ba19b884ba838ceb4fba93a4e8c65a9059d08afcfc683d9" -dependencies = [ - "windows-targets 0.52.6", -] - [[package]] name = "windows-sys" version = "0.42.0" diff --git a/nix/shell.nix b/nix/shell.nix index 8eec4d902..52992df22 100644 --- a/nix/shell.nix +++ b/nix/shell.nix @@ -32,6 +32,7 @@ gawk cargo-edit perl + cargo-audit ] ++ ( if isDarwin