Any feedback on this change? Thanks, David
On Tue, 30 Jan 2024 18:03:56 +1100, David Disseldorp wrote: > cargo audit can be used to check bcachefs dependencies for > vulnerabilities published in the advisory database at > https://github.com/RustSec/advisory-db.git > > Given the significant size of dependency sources (currently ~292M), > manual audit is mostly unviable, so rely on this for now. > > Audit failure will halt tarball generation with e.g. v1.4.1: > Fetching advisory database from > `https://github.com/RustSec/advisory-db.git` > Loaded 595 security advisories (from /home/david/.cargo/advisory-db) > Updating crates.io index > Scanning rust-src/Cargo.lock for vulnerabilities (98 crate dependencies) > Crate: shlex > Version: 1.2.0 > Title: Multiple issues involving quote API > Date: 2024-01-21 > ID: RUSTSEC-2024-0006 > URL: https://rustsec.org/advisories/RUSTSEC-2024-0006 > Solution: Upgrade to >=1.3.0 > Dependency tree: > shlex 1.2.0 > └── bindgen 0.64.0 > └── bch_bindgen 0.1.0 > └── bcachefs-rust 0.3.1 > > Crate: atty > Version: 0.2.14 > Warning: unsound > Title: Potential unaligned read > Date: 2021-07-04 > ID: RUSTSEC-2021-0145 > URL: https://rustsec.org/advisories/RUSTSEC-2021-0145 > Dependency tree: > atty 0.2.14 > └── bcachefs-rust 0.3.1 > > error: 1 vulnerability found! > warning: 1 allowed warning found > > Signed-off-by: David Disseldorp <[email protected]> > --- > make-release-tarball.sh | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/make-release-tarball.sh b/make-release-tarball.sh > index c468da7..51875b0 100755 > --- a/make-release-tarball.sh > +++ b/make-release-tarball.sh > @@ -7,6 +7,8 @@ version=$1 > git checkout v$version > git clean -xfd > > +cargo audit > + > cargo license > COPYING.rust-dependencies > > git ls-files|
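Review bot: the added `cargo audit` call only halts tarball generation if the script aborts on a non-zero exit status, and the surrounding context in the hunk (`git checkout v$version`, `git clean -xfd`, `cargo license > COPYING.rust-dependencies`) shows neither a `set -e` nor an explicit status check; unless the top of the script already enables `set -e`, write the new line as `cargo audit || exit 1` so an advisory match cannot be skipped silently. Two smaller points worth a line in the script or the commit message: `cargo audit` is a separately installed plugin (`cargo install cargo-audit`), so a release host without it fails with an unrelated "no such subcommand" error, and a `command -v cargo-audit` check with a clear message would make that failure self-explanatory; and the log quoted in the description shows the atty RUSTSEC-2021-0145 unsound finding counted only as an allowed warning, so if unsound dependencies should also block a release, `cargo audit --deny unsound` (or `--deny warnings`) is needed, otherwise that class of finding passes.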
