Hi, I would like to work on this issue. However, I have 2 problems: I am not sure where to start, and I don't have any tests that I can work on. I tried looking up stuff in the "database" but all of them already yanked their vulnerable versions, preventing me from getting them...
forgot the link to the issue for convenience => https://github.com/RustSec/cargo-audit/issues/23
@Tony Arcieri any updates on that "test advisory"? Or is there an easy way to override the source of the database?
In the meanwhile, I'm pretty sure
ncurses crate is unsafe as all get out and there are open advisories for stuff depending on it as well
These two are still not fixed/yanked
@Hanif Ariffin :point_up: you can use these ones
thank you :)
Oh wait, there are no fixed versions for these either
what is the format of the database's table?
the suggestions by cargo-audit default to the latest version, which is not secure....
AFAIK, there must be a change in the rustsec repo for this to be more robust, i.e. it says that there are no secure versions available!
I should create a test advisory, yeah...
@Hanif Ariffin I can sketch out my idea of how to implement it in cargo-audit#23
but yeah, parsing Cargo.toml files will be a part of that
this crate already parses the Cargo.lock file and builds a dependency tree modeled with
fix command would need to walk that dependency graph from a vulnerable dependency to its edges, and then map the edges to crates in the local workspace, and then find the relevant dependency in the local crate's [dependencies] in Cargo.toml
right now it doesn't parse
I'd probably suggest only parsing Cargo.toml files for the audit fix command so we can continue to work on Cargo.lock files alone
This is strange :/ I can't keep the version low for me to test anything
it seems that all versions of ncurses have been yanked? and it goes immediately to the latest one
is it okay if I just make a dummy crate :<
sorry I am a bit slow with this stuff :(
In the meantime I have made a PR that improves the error message
what does it mean for this to be this if to fail? that there are no advisories available? https://github.com/hbina/cargo-audit/blob/5ae1d70d9ed4ffcc6c5592796ca6ff0ca283a9f4/src/presenter.rs#L100
@Tony Arcieri :point_up: any ideas about that
those are for informational advisories that show warnings
@Hanif Ariffin let me go ahead and create a test crate and test advisory...
There is now a test advisory: RUSTSEC-2019-0024: https://github.com/RustSec/advisory-db/pull/187
I am thinking that the fix should find non-API-breaking versions to be considered first, yes?
btw, the way I set it up is you run it like this: cargo-audit audit --fix, since I am going to need audit to be performed before I can perform any fix...
@Hanif Ariffin my suggestion for the heuristics would be starting with the latest version and working backwards until it finds the newest version that satisfies the given requirements
sure that sounds fine