cargo audit can be used to check bcachefs dependencies for
vulnerabilities published in the advisory database at
https://github.com/RustSec/advisory-db.git
Given the significant size of dependency sources (currently ~292M),
manual audit is mostly unviable, so rely on this for now.
Audit failure will halt tarball generation with e.g. v1.4.1:
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 595 security advisories (from /home/david/.cargo/advisory-db)
Updating crates.io index
Scanning rust-src/Cargo.lock for vulnerabilities (98 crate dependencies)
Crate: shlex
Version: 1.2.0
Title: Multiple issues involving quote API
Date: 2024-01-21
ID: RUSTSEC-2024-0006
URL: https://rustsec.org/advisories/RUSTSEC-2024-0006
Solution: Upgrade to >=1.3.0
Dependency tree:
shlex 1.2.0
└── bindgen 0.64.0
└── bch_bindgen 0.1.0
└── bcachefs-rust 0.3.1
Crate: atty
Version: 0.2.14
Warning: unsound
Title: Potential unaligned read
Date: 2021-07-04
ID: RUSTSEC-2021-0145
URL: https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
└── bcachefs-rust 0.3.1
error: 1 vulnerability found!
warning: 1 allowed warning found
Signed-off-by: David Disseldorp <[email protected]>
---
make-release-tarball.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/make-release-tarball.sh b/make-release-tarball.sh
index c468da7..51875b0 100755
--- a/make-release-tarball.sh
+++ b/make-release-tarball.sh
@@ -7,6 +7,8 @@ version=$1
git checkout v$version
git clean -xfd
+cargo audit
+
cargo license > COPYING.rust-dependencies
git ls-files|
--
2.35.3
