commit fa917fb019397f3d4570ee74ea8a450e4f569013207b2b0f867c6b1cb1984d1d Author: William Brown Date: Tue Sep 24 05:13:39 2024 +0000 - Update vendor.tar.zst: gix-path improper path resolution (bsc#1230688 CVE-2024-45405). OBS-URL: https://build.opensuse.org/package/show/devel:languages:rust/cargo-audit?expand=0&rev=41
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_constraints b/_constraints
new file mode 100644
index 0000000..4cdf591
--- /dev/null
+++ b/_constraints
@@ -0,0 +1,9 @@
+ + + + + 25 + + +
diff --git a/_service b/_service
new file mode 100644
index 0000000..62a1d1f
--- /dev/null
+++ b/_service
@@ -0,0 +1,30 @@
+
+
+ https://github.com/RustSec/rustsec.git
+ @PARENT_TAG@~git@TAG_OFFSET@.%h
+ git
+
+ main
+ cargo-audit/v*
+ .*v(\d+\.\d+\.\d+)
+ \1
+ enable
+ william.brown@suse.com
+
+
+
+
+ *.tar
+ zst
+
+
+ rustsec
+ zst
+ false
+ RUSTSEC-2024-0019
+
+
+ rustsec
+ Cargo.lock
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..4dc5f72
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/RustSec/rustsec.git
+ 972ac9329076e2e6347a8324dc95ec4cc35561a1
\ No newline at end of file
diff --git a/cargo-audit.changes b/cargo-audit.changes
new file mode 100644
index 0000000..c72b9f8
--- /dev/null
+++ b/cargo-audit.changes
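Review bot: The `RUSTSEC-2024-0019` entry in the `_service` cargo_vendor block is a standing advisory exception with no recorded rationale; the XML element names are stripped on this page, so treat it as an accept-the-risk parameter only if the original file confirms that. Such an exception silently survives every later vendor refresh, so it should carry an XML comment naming why it is accepted and when to revisit it, e.g. `<!-- RUSTSEC-2024-0019: accepted because <reason>; re-evaluate on the next cargo_vendor refresh -->` directly above the parameter. Separately, the `false` value that appears to be cargo_vendor's `update` parameter, together with the unchanged revision `972ac93…` pinned in `_servicedata`, means re-running the service reproduces upstream's committed Cargo.lock rather than a gix-path fixed for CVE-2024-45405 as the commit message claims for vendor.tar.zst, and how that tarball was actually produced is not visible in this diff. Either set `update` to `true` for this refresh or record the manual `cargo update -p gix-path` step in the changes entry so the vendored tree stays reproducible from `_service`.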
@@ -0,0 +1,1288 @@ +------------------------------------------------------------------- +Tue Sep 24 00:54:04 UTC 2024 - Xiaoguang Wang + +- Update vendor.tar.zst: gix-path improper path resolution + (bsc#1230688 CVE-2024-45405). + +------------------------------------------------------------------- +Tue Sep 10 23:56:50 UTC 2024 - William Brown + +- explicitly depend on cargo to pull in latest compiler revision + +------------------------------------------------------------------- +Tue May 28 05:14:03 UTC 2024 - william.brown@suse.com + +- Update to version 0.20.0~git66.972ac93: + * build(deps): bump comrak from 0.21.0 to 0.24.1 (#1193) + * build(deps): bump softprops/action-gh-release (#1192) + * build(deps): bump atom_syndication from 0.12.2 to 0.12.3 (#1191) + * build(deps): bump rust-embed from 8.3.0 to 8.4.0 (#1190) + * build(deps): bump petgraph from 0.6.4 to 0.6.5 (#1189) + * update `gix` to v0.63 for security fixes + * Upgrade to auditable-info 0.7.2 + * build(deps): bump rust-embed from 8.2.0 to 8.3.0 + * build(deps): bump semver from 1.0.21 to 1.0.23 + * Fix typo `then` -> `them` in index.html + * Drop unused import + * Fix typos + * Use clap to properly parse --color argument + * Remove duplicated arguments from bin subcommand + * Support specifying multiple target arches and oses in cargo-audit + * Make Query's target arch & os a Vec instead of Option + * build(deps): bump tame-index from 0.11.0 to 0.11.1 + * Apply clippy suggestions + * Adjust binary type filter for WASM + * WIP WASM auditing support + * Fix warnings added in Rust 1.78 + * Regenerate Cargo.lock + * Bump rustsec version + * Drop is-terminal line from rustsec changelog; it's a cargo-audit only change + * Update changelog + * build(deps): bump chrono from 0.4.34 to 0.4.38 + * build(deps): bump time from 0.3.34 to 0.3.36 + * fix after gix update + * update gix and tame-index + * fix cargo clippy warning and error + * cargo-audit: remove is-terminal dep + * build(deps): bump regex from 
1.10.3 to 1.10.4 + * Regenerate Cargo.lock + * Bump tame-index and gix versions + * chore: regenerate platform support and bump to platforms@3.4.0 + * Document to use cargo install with --locked (fixes #1152) + * Release `rustsec` 0.29.1 + * Revert rustsec-admin Cargo.toml entirely + * Bump required tame-index version in admin as well + * Upgrade to gix 0.60 to fix build + * build(deps): bump actions/cache from 4.0.0 to 4.0.1 (#1135) + * build(deps): bump auditable-serde from 0.6.0 to 0.6.1 + * build(deps): bump toml_edit from 0.22.5 to 0.22.6 + * build(deps): bump time from 0.3.32 to 0.3.34 + +------------------------------------------------------------------- +Tue May 28 04:57:40 UTC 2024 - william.brown@suse.com + +- Update to version 0.20.0~git0.6f4ca87: + * Bump version numbers + * Mention enterprise firewall issue in cargo-audit changelog too + * Fill in cargo-audit changelog + * Expand upon the rewrite description in rustsec changelog + * Fill in rustsec changelog + * Fix link + * build(deps): bump softprops/action-gh-release (#1114) + * build(deps): bump toml_edit from 0.21.1 to 0.22.5 (#1123) + * Bump askama to 0.12 + * Update yanked package + * Drop libgit2 advisory from ignore list now that we got rid of libgit2 + * build(deps): bump toml_edit from 0.19.15 to 0.21.1 + * build(deps): bump chrono from 0.4.33 to 0.4.34 + * build(deps): bump is-terminal from 0.4.11 to 0.4.12 + * Improve fixer documentation + * Move Cargo path detection out of rustsec and into cargo-audit, to make rustsec more flexible + * Remove rustsec `fix` feature and always enable the fixer, now that it doesn't pull in additional dependencies + * Fix syntax + * Apply review suggestion (style) + * Update cargo-audit/src/commands/audit/fix.rs + * Run `cargo update` in the same dir as Cargo.lock + * Revert 'fix' being a default feature + * Placate clippy + * Print a nice summary at the end + * Better wording + * Remove extraneous newline + * prettier printing + * More detailed reporting + * 
Set the correct(ish) exit status in dry run mode + * Keep track of unpatchable vulns and failures + * Warn about vulnerabilities without patched versions and do not attempt to upgrade those crates + * Only attempt to upgrade vulnerable versions of a given package + * Fix: run `cargo update`, not just `cargo` + * Add a note that `fix` is experimental + * Update cargo.lock in the wake of cargo-edit removal + * Drop the now-unused dependency cargo-edit + * Drop obsolete Cargo.toml locating logic that breaks in presence of workspaces + * Do not require passing manifest path + * Drop unused imports + * Adapt `cargo audit fix` to the changed rustsec fix api + * Simplify rustsec part of `cargo audit fix` + * cargo fmt + * WIP + * No need to generate lockfile explicitly now that we call `cargo update`, remove that code + * WIP conversion of cargo-audit to the new rustsec fixer API + * cargo fmt + * Do not run `cargo update` when auditing + * Better docs on fixer + * Drop lifetimes from the fixer struct; they are a pointless flex - the cost of cloning is absolutely dwarfed by the cost of calling a subprocess. 
+ * Implement initial prototype of `cargo update`-based package upgrading + * .cargo/audit.toml: ignore RUSTSEC-2024-0013 (#1111) + * WIP + * WIP + * Accept a &Path without allocating for giggles + * Comment out soon-to-be-removed code and make lifetimes work out + * Fix pkgid function signature to accept an immutable borrow + * Bump rustsec to 0.28.6 + * Add pkgid function + * Temporarily make 'fix' feature default to ease development + * build(deps): bump is-terminal from 0.4.10 to 0.4.11 (#1105) + * Bump rustsec-admin to 0.8.9 + * Rebase + * Remove PYSEC ids + * Update sync for various changes + * HTTPS download for OSV export + * Improve output format + * Add a command to synchronize advisory data from osv.dev/GHSA + * build(deps): bump tame-index from 0.9.2 to 0.9.3 + +------------------------------------------------------------------- +Wed Feb 07 01:23:27 UTC 2024 - william.brown@suse.com + +- Update to version 0.19.0~git0.c9d1fbe: + * Bump version to 0.19.0 + * Update changelog to 0.19 + * Fill in link URLs + * Bump version + * populate changelog + * bump version + * Update changelog + * Bump gix to 0.58 + * Revert "Merge pull request #1094 from rustsec/revert-1081-gix-upgrade" + * build(deps): bump comrak from 0.18.0 to 0.21.0 (#1090) + * build(deps): bump rust-embed from 6.8.1 to 8.2.0 (#1080) + * Cargo.toml: use `resolver = "2"` (#1095) + * Update abscissa_core and clap; MSRV 1.70 (#1092) + * Revert "gix upgrade to v0.56" + * Fix "error: the borrowed expression implements the required traits" lint + * build(deps): bump actions/cache from 3.0.11 to 4.0.0 (#1088) + * thanks clippy + * upgrade `gix` to v0.56 and `tame-index` to v0.9 to match it + * Bump platforms version to 3.3.0 + * Regenerate platforms crate + * build(deps): bump url from 2.4.1 to 2.5.0 (#1071) + * Add a `source` field to `rustsec::Error`, and use it in simple cases. 
(#1067) + * build(deps): bump fs-err from 2.10.0 to 2.11.0 (#1069) + * Bump rustsec version + * Update changelog + * Turn link into an automatic link + * Display the chain of sources for errors in `cargo audit` + * bump cargo-lock msrv in another place too + * bump cargo-lock msrv again from 1.66 to 1.67 + * bump cargo-lock msrv from 1.65 to 1.66 + * cargo update + * Update to tame-index 0.8.x and gix 0.55.x + * build(deps): bump rustix from 0.37.21 to 0.37.27 + * fix typo html in advisory scores (#1059) + * https://github.com/rustsec/rustsec/pull/1057#pullrequestreview-1714037690 + * fix https://github.com/rustsec/rustsec/issues/503 + * bump version + * regenerate platforms crate + +------------------------------------------------------------------- +Thu Jan 4 02:03:56 UTC 2024 - William Brown + +- bsc#1218227 - update vendored dependencies for ssh terrapin attack + +------------------------------------------------------------------- +Fri Oct 27 03:17:26 UTC 2023 - william.brown@suse.com + +- Update to version 0.18.3~git0.3544515: + * Bump version + * Populate changelog + * Update the `fix` subcommand to the new API + * Fix deadlock on missing lockfile + * build(deps): bump regex from 1.9.5 to 1.10.2 + * Update rustsec changelog + * Configure `gix` with `max-performance-safe` feature + * feat: let `Severity` implement `Hash` + * Bump rustsec version to 0.28.3 + * Bump date + * Changelog for 0.28.3 + * fix typo + * fix typo + * Update rustsec/src/repository/git/repository.rs + * Expand documentation on locking + * build(deps): bump webpki from 0.22.1 to 0.22.2 + * Correctly classify only lock timeout errors as LockTimeout, not all lock-related errors + * cargo fmt + * Use Result instead of an unwrap() + * Fix DB directory locking + * Regenerate Cargo.lock + * Add comment + * Migrade rustsec-admin to tame-index 0.7 + * bump gix version in admin too + * cargo fmt + * Switch from Git-compatible locks to OS locks in database checkout + * Purge gix lock to rustsec error 
conversion; I am removing gix locks + * Only create LockTimeout error variant from tame-index locks + * cargo fmt + * Update docs + * regenerate Cargo.lock + * Initial conversion to tame-index 0.7.1. Compiles but untested. + * Bump admin version + * Populate changelog for admin + * Update Clippy to fix useless warnings + * admin: use `gix` max-performance-safe instead of max-performance + * configure `gix` for best performance + * Bump version to 0.18.2 + * thanks clippy + * Populate changelog for cargo-audit + * Require rustsec 0.28.2 in cargo-audit to fix RUSTSEC-2023-0064 + * change edition to 2021 + * Use tame-index which switches `rustsec-admin` to `gix`. + * Bump version to 0.28.2 + * Populate changelog + * Drop hyperlinks to gix in documentation because we don't have the necessary features enabled. Temporary hack to unblock a release with a security fix + * Fix up code to deal with API changes + * Bump tame-index, explicitly depend on `gix` to enable the necessary features + * Fix error reporting on stale lockfile + * build(deps): bump termcolor from 1.2.0 to 1.3.0 (#1009) + * build(deps): bump chrono from 0.4.30 to 0.4.31 + * build(deps): bump xml-rs from 0.8.17 to 0.8.18 + * Fix `deny = ["warnings"]` being ignored (#995) + * rustsec-admin 0.8.7 (#998) + * Additional information in advisory content (#997) + * build(deps): bump chrono from 0.4.29 to 0.4.30 + * commit Cargo.lock + * bump rustsec crate to 0.28.1 + * bump tame-index version requirement to 0.5.5, it contains the HTTP/2 change + * Populate changelog + * cargo fmt + * Do not require http2 when establishing the connection + * build(deps): bump chrono from 0.4.27 to 0.4.29 + * Appease clippy + * Do not re-lookup packages that are already cached + * build(deps): bump regex from 1.9.4 to 1.9.5 + * build(deps): bump xml-rs from 0.8.16 to 0.8.17 + * build(deps): bump actions/checkout from 3 to 4 + * review feedback: reduce boilerplate + * replace feature default, with v3 and std + * make 'cargo test 
--no-default-features' run without errors + * Add manual trigger mechanism to release workflow + * Drop remaining 'fix' features + * cargo-audit v0.18.1 (#981) + * Release workflow: don't enable `fix` and `vendored-openssl` features + * Bump versions + * Fill in release date in changelogs + * commit Cargo.lock + * bump rustsec requirement in admin + * Commit Cargo.lock + * bump cargo-audit version to 0.18.0-rc.1 + * Bump rustsec to 0.28.0-rc.1 + * Mention `fix` feature not being converted in changelog + * Fill in cargo-audit changelog + * build(deps): bump time from 0.3.27 to 0.3.28 + * build(deps): bump chrono from 0.4.26 to 0.4.27 + * build(deps): bump url from 2.4.0 to 2.4.1 + * build(deps): bump regex from 1.9.3 to 1.9.4 + * Exclude auto-generation scripts from the published package + * Ignore the file downloaded by the regeneration script + * Bump `platforms` version + * Add myself to authors, I've built out the whole autogeneration infrastructure + * Re-run the generation script + * Bring back the hyperlinks in README.md + * Automatically regenerate the table of known platforms in README + * Turn links into hyperlinks to stop recent rustdoc from complaining (#965) + * Bump version + * Regenerate platforms crate + * Bump MSRV in README.md + * Add another PR + * Also filter warnings by binary type in `cargo audit bin` + * fix build + * Add `affected` field to warnings in `rustsec` so that we could enable platform filtering in `cargo audit bin` + * Correctly state MSRV in changelog + * Populate changelog for the rustsec crate + * remove redundant clone as advised by clippy + * placate clippy + * placate clippy + * Cargo fmt + * Add more methods to CommitHash + * Add forgotten file + * WIP wrapper for gix::ObjectId + * cargo fmt + * Do not expose `toml` types through the public API + * Drop `toml` crate from the public API as well + * Drop unused Error conversion impl + * Add a TODO + * Slightly better doc comments + * Do not expose gix types in the Error public 
API + * Use a private function for converting from tame_index::Error to rustsec::Error + * don't pub use gix, we do not want it to leak into the public API + * cargo fmt + * Put import at the top to fix doc links + * Feature-gate tame_inxed import + * cargo fmt + * Fix build + * build(deps): bump time from 0.3.26 to 0.3.27 + * build(deps): bump tame-index from 0.5.3 to 0.5.4 + * cargo fmt + * Handle #[non_exhaustive] enum from tame-index + * Fix remaining discrepancies + * WIP conversion to tame-index 0.5.x and gix 0.52.x + * Fix unknown license handling (#956) + * Print the GHSA URL for GHSA advisories, take 2 + * Revert "Print the GHSA URL for GHSA advisories" + * Print the GHSA URL for GHSA advisories + * Expose License type + * Rename license variants + * Implement license + url + * Bump hermit-abi to move away from a yanked version + * Bump rustls-webpki to resolve RUSTSEC-2023-0053 + * build(deps): bump regex from 1.9.1 to 1.9.3 + * build(deps): bump toml from 0.7.5 to 0.7.6 + * build(deps): bump regex from 1.8.4 to 1.9.1 + * build(deps): bump time from 0.3.25 to 0.3.26 + * Regenerate Cargo.lock + * Use native certificates for TLS + * build(deps): bump petgraph from 0.6.3 to 0.6.4 + * build(deps): bump tame-index from 0.4.0 to 0.4.1 + * Document locking considerations + * More consistent status printing + * cargo fmt + * Warn before waiting on crates.io cache locks. Verbose but cannot be expressed via a higher-order function, and macros would make it much worse. 
+ * Add lock timeout parameter to open() and fetch() + * Split creating a new remote index into a separate function in preparation for more complex logic around it + * Add a comment + * Drop manual map_err now that the conversion is implemented on rustsec::Error + * cargo fmt made the code more succinct for once, drop my comment complaining about verbosity + * cargo fmt + * Convert from lock error rather than from its immutable borrow + * Implement From conversions for LockTimeout error variant, since we will need to reuse it + * build(deps): bump tame-index from 0.3.1 to 0.4.0 + * Fix doc links + * More clear documentation + * Less esoteric pattern matching + * silence unused variable warnings + * Convert cargo-audit to use explicit locking + * Update docs to match code + * Drop unused import + * Create a separate error kind for lock timeouts, and expose configurable lock timeouts from the advanced fetching function only + * Fix docs + * cargo fmt + * Provide a rationale for the bulk API + * Hide index implementation details and remove the performance pitfall of calling is_yanked on individual packages + * Migrate check_for_yanked_crates() to the bulk API + * cargo fmt + * Do not short-cirquit on index update failure + * Rework bulk yank-checking code to report errors granularly instead of short-cirquiting on first error it encounters + * Transparently populate cache from `find_yanked` + * Documentation tweaks + * Even more caching for even faster CI + * Fix intra-doc links + * Explicitly document locking considerations + * Revert "Re-enable self-audit" + * Re-unify CI matrix, fulfilling a TODO + * Attempt to fix CI by explicitly generating the lockfile + * Re-enable self-audit + * Dummy commit to trigger a CI re-run + * Add rust-cache job properly now + * Revert "Add Rust-specific caching job to see if that speeds up CI" + * Dummy commit to trigger a CI re-run + * Add Rust-specific caching job to see if that speeds up CI + * Switch rustsec crate CI back to MSRV 
to see what happens + * Drop --release from rustsec CI, the tests execute really quickly in debug mode + * No need to reimplement CmdRunner::default() now that binary scanning is a default feature + * Drop the --release flag so that the compilation artifacts could be reused - Abscissa doesn't seem to have an option to run acceptance tests with `cargo run --release` + * Switch to Rust 1.71.0 for select jobs + * Placate both versions of rustfmt + * cargo fmt + * build(deps): bump semver from 1.0.17 to 1.0.18 + * Add a TODO + * Re-add some of the comments + * Normalize time offsets to UTC + * Justify clippy opt-out + * Undo autoformat + * Finish up transition to gix + * WIP + * build(deps): bump xml-rs from 0.8.14 to 0.8.16 + * Ignore clippy lint + * Checkpoint + * Update error message + * Use `AsyncRemoteSparseIndex::krates_blocking` + * Oops + * Make sparse index cache population parallel + * Fix remaining lints + * Make public + * Fix lint + * Allow clippy lint + * Bump CI + * Bump MSRV to 1.67.0 + * Transition from `crates-index` -> `tame-index` + * build(deps): bump atom_syndication from 0.12.1 to 0.12.2 (#921) + * Add license and attribution fields to advisories + * rustsec-admin 0.8.6 (#915) + * Case-insensitive search on website + * build(deps): bump rust-embed from 6.7.0 to 6.8.1 (#909) + * Cargo.lock: bump dependencies (#908) + * build(deps): bump toml from 0.7.3 to 0.7.5 (#904) + * build(deps): bump crates-index from 0.19.8 to 0.19.13 (#903) + * cargo-lock: MSRV 1.65 (#907) + * build(deps): bump openssl from 0.10.52 to 0.10.55 (#906) + * cargo-audit+rustsec: MSRV 1.65 (#905) + * build(deps): bump chrono from 0.4.24 to 0.4.25 (#894) + * Fix edge case in git source dependency resolution + * Update cargo-audit changelog + * Update rustsec crate changelog + * commit Cargo.lock version bump + * Bump rustsec version following the cargo-lock bump + * 🔥 Remove $ from install snippet on README (#879) + * Cargo.lock: update dependencies (#876) + * Bump `cargo-lock` 
to v0.9 + auditable deps (#875) + * build(deps): bump home from 0.5.4 to 0.5.5 (#874) + * build(deps): bump atom_syndication from 0.12.0 to 0.12.1 (#851) + * build(deps): bump softprops/action-gh-release (#852) + * build(deps): bump rust-embed from 6.6.0 to 6.6.1 (#849) + * build(deps): bump crates-index from 0.19.7 to 0.19.8 (#864) + * cargo-lock v9.0.0 (#870) + * Fix docs build (#871) + * Fix review comments + * Various improvements to the "cargo-lock tree" subcommand + * Fix is_default_registry for sparse index (#859) + * Remove build script for platforms, it's now unused (#856) + * build(deps): bump comrak from 0.16.0 to 0.18.0 + * Link to rustsec/audit-check (#854) + * Fix formatting to `cargo fmt` spec. + * Fix #736 - Cargo audit self advisories repeated + * build(deps): bump openssl from 0.10.47 to 0.10.48 + * build(deps): bump semver from 1.0.16 to 1.0.17 + * cargo fmt + * Wrap binfarce::Format in our own struct to make `binfarce` an optional dependency + * placate clippy + * cargo fmt + * Fix no-default-features compilation by making binfarce an unconditional dependency + * Start fixing up compilation with no default features + * Expand TODO + * Fix filtering by binary type but this makes the dependency on binfarce unconditional (for now) + * Add a FIXME explaining why it's not working + * wire up filtering by binary type + * Initial code for binary-type-based filtering; not wired up yet + +------------------------------------------------------------------- +Mon Mar 27 02:52:07 UTC 2023 - william.brown@suse.com + +- Update to version 0.17.5~git0.dc8ec71: + * Set the release date in changelog + * Bump `cargo-audit` version + * Bump `rustsec` crate requirement to 0.26.5, to mandate the version with the fixed libgit2 + * Fill in the CHANGELOG + * Do not run all tests from the default feature set twice + * cargo fmt + * Fix version reporting + * Update openssl in Cargo.lock files + * More changelog entries + * cargo fmt + * Fix type inference error + * Fill in 
changelog + * Bump version to 0.26.5 + * build(deps): bump regex from 1.7.1 to 1.7.2 + * build(deps): bump rust-embed from 6.4.2 to 6.6.0 + * build(deps): bump chrono from 0.4.23 to 0.4.24 + * Bump crates-index to 0.19 + * rustsec: Fix git2 via cargo-edit-9 fork + * fix(cargo-audit): set clap bin_name to cargo (#824) + * fix(cargo-audit): Better the formatting of severity output + * Add vulnerability severity to the cargo-audit report presenter + * test(cargo-audit): Ensure informational warnings are shown by default + * fix(cargo-audit): Add unsound and notice to default informational warnings + * Resolves #622 + * fix(cargo-audit): Remove latest commit signature check + * Re-enable MacOS CI with `--all-features` + * Bump `platforms` version + * Regenerate the `platforms` crate for rustc 1.69.0-nightly (8996ea93b 2023-02-09) + * build(deps): bump toml from 0.7.1 to 0.7.2 (#811) + * build(deps): bump petgraph from 0.6.2 to 0.6.3 (#810) + * Use new feature/dependency syntax (#809) + * build(deps): bump toml from 0.7.0 to 0.7.1 (#806) + * build(deps): bump toml from 0.6.0 to 0.7.0 (#805) + * admin: bump `chrono` to v0.4.23 (#803) + * build(deps): bump atom_syndication from 0.11.0 to 0.12.0 (#777) + * build(deps): bump comrak from 0.15.0 to 0.16.0 (#802) + * build(deps): bump toml from 0.5.9 to 0.6.0 (#797) + * Bump `toml` crate dependency to v0.6 (#800) + * Cargo.lock: bump dependencies (#799) + * build(deps): bump regex from 1.6.0 to 1.7.1 (#785) + * cvss: bump MSRV to 1.60 (#798) + * build(deps): bump fs-err from 2.8.1 to 2.9.0 (#744) + * build(deps): bump termcolor from 1.1.3 to 1.2.0 (#791) + * cargo-audit: refactor OS-specific CI configuration (#796) + * cargo-lock: use `Display` for `io::ErrorKind`; MSRV 1.60 (#794) + * cargo-lock: mark `SourceKind` as `#[non_exhaustive]` (#793) + * cargo-lock: support sparse registry references in Lockfiles (#780) + * release rustsec-admin 0.8.5 (#789) + * release rustsec-admin 0.8.5 (#788) + * Escape search term to prevent 
reflected XSS (#787) + * Add top-level severity field to OSV advisories + * cargo-lock: implement From for String (#776) + * build(deps): bump comrak from 0.14.0 to 0.15.0 (#760) + * Bump rust-embed from 6.4.2 to 6.5.0 (#766) + * Bump semver from 1.0.14 to 1.0.16 (#772) + * Bump softprops/action-gh-release (#770) + * cargo-lock v8.0.3 (#768) + * Fixed inconsistency in encoding lockfiles where there's only one registry for all packages (#767) + * Prepare rustsec-admin release 0.8.4 (#765) + * release rustsec 0.26.4 + * Make URL a hyperlink + * Add CHANGELOG.md entry + * Store crates.io index versions as strings instead of semver + * Revert "Skip invalid semver in crates.io index" + * Skip invalid semver in crates.io index + * Appease clippy + * Appease clippy + * Add publication date + +------------------------------------------------------------------- +Wed Nov 09 00:01:18 UTC 2022 - william.brown@suse.com + +- Update to version 0.17.4~git0.0b05e18: + * Set 0.17.4 date in changelog + * Bump `cargo-audit` to 0.17.4 + * Update documentation for 0.17.4; `cargo audit bin` is now officially enabled by default + * Fix homepage style on mobile (#755) + * Add comment + * Only attempt to check for yanked crates for crates coming from crates.io + * Remove an unused inport + * placate Clippy + * cargo fmt + * Fix #747 in `cargo-audit instead, and don't silence errors that occur during checking for yanked crates` + * Revert "Only check if a package is yanked if it comes from crates.io; fixes #747" This is a significant behavioral change that should only come with a semver bump + * Add tests validating yank behavior so that #747 can't regress again + * Only check if a package is yanked if it comes from crates.io; fixes #747 + * Add a test fixture depending on a yanked crate + * Consolidate CODE_OF_CONDUCT.d files into one; switch to Rust code of conduct (#751) + * Release rustsec-admit 0.8.3 + * fix links in admin/CHANGELOG.md + * bump `platforms` to 3.0.2 + * regenerate 
`platforms` crate + * Prepare rustsec-admin release + +------------------------------------------------------------------- +Tue Nov 01 22:30:54 UTC 2022 - william.brown@suse.com + +- Update to version 0.17.3~git0.fdb9752: + * Set release date in CHANGELOG.md + * Clarify changelog + * Depend on rustsec 0.26.3 which added the CachedIndex used in `cargo audit bin` + * bump cargo-audit to 0.17.3 + * bump rustsec to 0.26.3 + * More complete changelog for rustsec crate + * Drop obsolete comment - html_root_url no longer exists + * Add cargo-auditable to home page + +------------------------------------------------------------------- +Thu Oct 06 23:44:44 UTC 2022 - william.brown@suse.com + +- Update to version 0.17.2~git0.bccf8a5: + * Don't use --locked in release workflow to allow publishing again + * cargo-audit: Update CHANGELOG + * Fix `bin` screenshot URL in the README + * Skip dotfiles in advisory-db checkout + * Set the release date in CHANGELOG.md + * Add the `cargo audit bin` screenshot to README + * cargo fmt + * Migrate to the released version of auditable-info + +------------------------------------------------------------------- +Mon Oct 3 23:32:29 UTC 2022 - William Brown + +- Add _constraints to prevent random failures due to OBS resource + issues. 
+ +------------------------------------------------------------------- +Wed May 25 00:48:01 UTC 2022 - william.brown@suse.com + +- Update to version 0.17.0~git0.5214457: + * cargo-audit v0.17.0 (#576) + * rustsec-admin v0.7.0 (#575) + * rustsec v0.26.0 (#574) + * rustsec: flatten `advisory::id` module; rename `IdKind` (#573) + * rustsec: flatten `warnings` module; rename `WarningKind` (#572) + * rustsec: add `doc_cfg` annotations when building on docs.rs (#571) + * cargo-audit: terminal output fixups (#570) + * cargo-lock v8.0.1 (#569) + * cargo-lock: fix dependency source extraction for V2 lockfiles (#568) + * build(deps): bump cargo-edit from 0.9.0 to 0.9.1 (#566) + +------------------------------------------------------------------- +Tue May 24 04:57:51 UTC 2022 - William Brown + +- Automatic update of vendored dependencies + +------------------------------------------------------------------- +Tue Apr 5 05:25:07 UTC 2022 - William Brown + +- Automatic update of vendored dependencies + +------------------------------------------------------------------- +Fri Mar 18 04:46:08 UTC 2022 - William Brown + +- Update to use cargo-packaging + +------------------------------------------------------------------- +Mon Mar 14 02:50:27 UTC 2022 - william.brown@suse.com + +- Update to resolve bsc#1196972 CVE-2022-24713 - Regex DOS + +------------------------------------------------------------------- +Wed Mar 02 03:46:39 UTC 2022 - wbrown@suse.de + +- Update to vendored libraries to resolve security issues + +------------------------------------------------------------------- +Fri Dec 3 01:09:15 UTC 2021 - William Brown + +- Fix incorrect license string + +------------------------------------------------------------------- +Mon Nov 15 23:19:01 UTC 2021 - wbrown@suse.de + +- Update to version 0.16.0~git0.625c965: + * cargo-audit v0.16.0 (#487) + * rustsec v0.25.1 (#486) + * platforms v2.0.0 (#485) + * platforms: make `Platform::ALL` an inherent constant (#484) + * platforms: 
make tier modules non-`pub` (#483) + * rustsec-admin v0.6.0 (#482) + * Update atom_syndication to 0.11 (#481) + * rustsec v0.25.0 (#480) + * Cargo.lock: bump dependencies (#479) + * rustsec: flatten API (#478) + +------------------------------------------------------------------- +Wed Oct 06 01:20:31 UTC 2021 - wbrown@suse.de + +- Update to version 0.15.2~git0.fe0b327: + * cargo-audit v0.15.2 (#435) + * rustsec v0.24.3 (#433) + * Don't label OSV feature as unstable, since OSV 1.0 has shipped + * cargo-audit+rustsec: add `vendored-libgit2` feature (#432) + * cargo-audit v0.15.1 (#430) + * Bump comrak from 0.12.0 to 0.12.1 (#428) + * Bump git2 from 0.13.21 to 0.13.22 (#427) + * Bump comrak from 0.11.0 to 0.12.0 (#426) + * silence Clippy - I want to be explicit here + +------------------------------------------------------------------- +Mon Jul 05 05:01:17 UTC 2021 - wbrown@suse.de + +- Update to version 0.15.0~git0.16c8aa4: + * cargo-audit v0.15.0 (#392) + * rustsec-admin v0.5.0 (#389) + * README.md: 🦀🛡️📦 + * rustsec v0.24.0 (#388) + * OSV export (#366) + * Bump semver from 1.0.1 to 1.0.3 + * Bump semver from 1.0.0 to 1.0.1 (#381) + * Bump git2 from 0.13.19 to 0.13.20 (#375) + * Bump crates-index from 0.16.6 to 0.16.7 (#380) + * cargo-lock v7.0.0 (#379) + * Bump to semver 1.0.0 (#378) + * rustsec-admin v0.4.3 (#374) + * list-affected-versions: Also print the crate in question + * Bump crates-index from 0.16.5 to 0.16.6 + * Fix doc comments + * Added docs + * Clean up the code and commit stuff I forgot to add to git + * Implement list-affected-versions subcommand, works fine with current DB + * Add list-affected-versions subcommand stub + * Clarify error message + * Update the crates.io index if not up to date + * Drop ureq dependency + * cargo fmt + * Better error reporting + * Initial untested attempt to get rid of crates.io API querying completely + * Comment, thanks Alex + * cargo fmt + * Fix crates.io API interaction + * Ditched crates_io_api crate, did the same 
thing with ureq. Gets rid of tokio and a whole lot of other deps. Fixes breakage due to the recent crates.io API breakage, and prevents similar breakage in the future + * Add new exit status for errors (#368) + * Bump git2 from 0.13.18 to 0.13.19 (#365) + * cargo-lock: add support for V3 format (#363) + * cvss v1.0.3 (#362) + * CI: gate workflow execution for PRs on changed files + * cvss: fixups + * Update CI badges + * Add some tier 3 targets + * Workspace CI configuration + * Update repo urls in Cargo.toml files + * README.md: add new toplevel one for workspace + * platforms: sync with Rust platform support documentation + * CI configuration + * Wire up Cargo workspace + * cargo-audit: prepare for merge into RustSec monorepo + * rustsec: prepare for merge into RustSec monorepo + * platforms: prepare for merge into RustSec monorepo + * cvss: prepare for merge into RustSec monorepo + * rustsec-admin: prepare for merge into RustSec monorepo + * rustsec-admin: prepare for merge into RustSec monorepo + * Web: Add pages per package (#143) + * v0.4.2 (#142) + * web: Add back an Atom feed for advisories (#140) + * Cargo.lock: bump dependencies (#136) + * Upgrade to GitHub-native Dependabot (#134) + * v0.4.1 (#135) + * Display more information on the website (#133) + * Upgrade to GitHub-native Dependabot (#344) + * Vendor OpenSSL for arm and musl builds (#343) + * Bump git2 from 0.13.17 to 0.13.18 (#314) + * Bump crates-index from 0.16.3 to 0.16.5 (#313) + * Bump comrak from 0.9.1 to 0.10.0 (#129) + * Fix typo in comments about mips64. 
(#36) + * Bump rustsec from 0.23.2 to 0.23.3 (#128) + * v0.23.3 (#310) + * Workaround for stale git refs (#309) + * Bump rustsec from 0.23.0 to 0.23.2 (#127) + * v0.23.2 (#308) + * Rename advisory-db `master` branch to `main` (#307) + * CI: use actions-rs/audit-check for self-audit (#306) + * Cargo.lock: bump dependencies (#305) + * v0.4.0 (#126) + * v0.3.5 (#124) + * Use rust-embed for static assets (#122) + * Add argument to change where website is outputted (#123) + * v0.23.1 (#301) + * Bump url from 2.2.0 to 2.2.1 (#98) + * Fix parsing error on windows (#295) + * Cargo.lock: bump deps (#296) + * Bump comrak from 0.9.0 to 0.9.1 (#116) + * Use a fully Rust based solution for rendering web page (#115) + * v0.3.4 (#113) + * Bump `rustsec` crate to v0.23 (#112) + * v0.23.0 (#292) + * Cargo.toml: dependency cleanups (#291) + * Add `thread-safety` category (#290) + * Rename default branch to `main` (#289) + * v1.0.1 (#15) + * Rename default branch to `main` (#14) + * Cargo.lock: bump deps (#288) + * v6.0.1 (#96) + * Rename CI workflow (#95) + * Rename default branch to `main` (#94) + * Cargo.lock: bump deps (#93) + * Bump semver-parser from 0.10.0 to 0.10.2 (#280) + * v0.3.3 (#106) + * Cargo.lock: bump dependencies (#105) + * Rename `master` branch to `main` (#104) + * CI config improvements (#103) + * assigner: fix "new year's" bug (#102) + * Bump handlebars from 3.5.1 to 3.5.2 (#101) + * Bump platforms from 1.0.3 to 1.1.0 (#279) + * v1.1.0 (#35) + * Rename default branch to `main` (#34) + * Rename GH Actions workflow to "CI" (#33) + * Update README platform list using table gen + * Add aarch64-apple-darwin, a.k.a. 
Apple Silicon macOS + * Bump serde from 1.0.117 to 1.0.118 (#88) + * Bump toml from 0.5.7 to 0.5.8 (#89) + * v0.3.2 (#97) + * Bump `rustsec` crate to v0.23.0-pre (#96) + * v0.23.0-pre (#272) + * Rename `repository::GitRepository` to `repository::git::Repository` (#271) + * Rename `fetch` Cargo feature to `git` (#270) + * Use `SystemTime` instead of a `git::Timestamp` type (#269) + * Add support for omitting leading `[advisory]` table (#268) + * Mark enums as non_exhaustive (#267) + * Re-add advisory `references` as a URL list (#266) + * Replace `chrono` with `humantime` (#265) + * Bump `smol_str` to v0.1.17; MSRV 1.46+ (#264) + * Use `url` crate to parse metadata URL (#263) + * Remove `markdown` feature (#262) + * Bump termcolor from 1.1.0 to 1.1.1 (#94) + * Rename `references` to `related` (#261) + * Bump once_cell from 1.5.1 to 1.5.2 (#259) + * Bump crates-index from 0.16.0 to 0.16.2 (#260) + * Bump once_cell from 1.5.0 to 1.5.1 (#92) + * Cargo.lock: bump deps (#258) + * Bump once_cell from 1.4.1 to 1.5.1 (#257) + * .github: rename CI workflow to "CI" (#256) + * Bump once_cell from 1.4.1 to 1.5.0 (#91) + * Bump serde from 1.0.116 to 1.0.117 (#86) + * Bump url from 2.1.1 to 2.2.0 (#87) + * Bump platforms from 1.0.2 to 1.0.3 (#252) + * v1.0.3 (#30) + * fix Platform::guess_current to use actual target architecture (#29) + * v0.3.1 (#89) + * Bump `rustsec` crate to v0.22.2 (#88) + * v0.22.2 (#250) + * Revert "Refactor Advisory type handling (#246)" (#249) + * Cargo.lock: bump dependencies (#248) + * Cargo.lock: bump dependencies (#87) + * v0.22.1 (#247) + * Refactor Advisory type handling (#246) + * Bump handlebars from 3.5.0 to 3.5.1 (#84) + * Bump toml from 0.5.6 to 0.5.7 (#85) + * v0.3.0 (#86) + * Bump `rustsec` crate dependency to v0.22 (#83) + * v0.22.0 (#245) + * Bump `cargo-lock` to v6; `semver` to v0.11 (#244) + * Remove more V2 advisory format vestiges (#243) + * Remove support for the V2 advisory format (#242) + * v0.3.0-pre3 (#82) + * assign-id: fix TOML 
front matter parsing (#81) + * v0.3.0-pre2 (#80) + * Attempt to fix `assign-id` command (#79) + * v0.22.0-pre3 (#241) + * advisory: mark the `parser` module as `pub` (#240) + * Bump thiserror from 1.0.20 to 1.0.21 (#74) + * Bump rustsec from 0.22.0-pre to 0.22.0-pre2 (#78) + * Bump thiserror from 1.0.20 to 1.0.21 (#232) + * clippy fixes (#77) + * Bump cargo-edit from 0.6.0 to 0.7.0 (#231) + * v0.22.0-pre2 (#239) + * advisory/linter: make V2 advisories fail (#238) + * Bump crates-index from 0.15.4 to 0.16.0 (#237) + * CI: ignore RUSTSEC-2020-0053 (dirs unmaintained) (#236) + * Bump toml from 0.5.6 to 0.5.7 (#233) + * Bump toml from 0.5.6 to 0.5.7 (#85) + * v0.3.0-pre (#73) + * Bump `rustsec` crate to v0.22.0-pre (#72) + * v0.22.0-pre (#230) + * advisory: laxer function path handling (#229) + * linter: fully deprecate `obsolete` in favor of `yanked` (#228) + * advisory: `markdown` feature and `Advisory::description_html` (#227) + * Refactor changes from `fetch` feature (#213) (#226) + * linter: add support for V3 advisory format (#225) + * Bump chrono from 0.4.15 to 0.4.19 (#224) + * cargo fmt + * Linter: correctly handle crates with dashes in names + * v6.0.0 (#84) + * Bump semver from 0.10.0 to 0.11.0 (#83) + * Bump handlebars from 3.3.0 to 3.5.0 (#69) + * Bump `cargo-lock` to v5.0; semver to v0.10; MSRV 1.41+ (#217) + * v5.0.0 (#82) + * rustdoc fixups (#81) + * README.md: switch chat badge to Zulip (#80) + * 5.0.0-rc (#79) + * Add `docsrs` cfg (#78) + * Support for listing a single dependency (#77) + * Implement/extract Cargo-compatible serializer (#76) + * Add `--dependencies` and `--sources` flags to `cargo lock list` (#75) + * Implement `cargo lock tree` without arguments (#74) + * Add `dependency::Tree::roots()` method (#73) + * bin: make `list` the default command (#72) + * Have `cargo lock` command print dependency list (#71) + * Make `cli` feature non-default (#70) + * WASM support; MSRV 1.41+ (#69) + * Bump gumdrop from 0.7.0 to 0.8.0 (#55) + * Bump serde 
from 1.0.110 to 1.0.116 (#67) + * Bump crates-index from 0.15.3 to 0.15.4 (#215) + * Bump crates-index from 0.15.2 to 0.15.3 (#214) + * Define "fetch" feature (#213) + * Bump `platforms` crate to v1; MSRV 1.40+ (#210) + * v1.0.2 (#28) + * Remove `const fn` on `Platforms::all`; MSRV 1.40+ (#27) + * .github: add 'override: true' directives; MSRV 1.46+ (#26) + * v1.0.1 (#25) + * Make `Platform::all()` a `const fn` (#24) + * Refactor `Platform::find` and `::guess_current` (#23) + * Rename `ALL_PLATFORMS` to `Platform::all()` (#22) + * v1.0.0 (#21) + * Update LICENSE-MIT + * Ensure all types have FromStr, Display, and serde impls + * Documentation fixups + * 2018 edition updates + * Make extensible enums `non_exhaustive`; MSRV 1.40+ + * Update deps; whitelist RUSTSEC-2020-0036 (#208) + * Bump git2 from 0.13.8 to 0.13.10 (#207) + * Bump git2 from 0.13.6 to 0.13.8 (#201) + * Bump chrono from 0.4.11 to 0.4.13 (#200) + * Bump crates-index from 0.15.0 to 0.15.1 (#202) + * Fix test + * Add aarch64-pc-windows-msvc + * Bump handlebars from 3.2.1 to 3.3.0 (#60) + * v0.2.1 (#63) + * Added an output mode for use with the production github action (#62) + * v0.2.0 (#57) + * Consistent `assign-id` module naming and comments (#56) + * linter: refactor into `Linter` struct; check all files (#55) + * Cargo.lock: update dependencies (#54) + * Have `assignid` command use new `Date::year` method (#53) + * Bump `rustsec` crate from 0.20.1 to 0.21 (#52) + * v0.21.0 (#198) + * Remove legacy `patched_versions` and `unaffected_versions` (#197) + * Bump crates-index from 0.14.3 to 0.15.0 (#183) + * Rename `obsolete` advisories to `yanked` (#196) + * Make `warning::Kind` a #[non_exhausive] enum; rename `Kind::Notice` (#195) + * Make `Informational` a #[non_exhausive] enum. 
(#194) + * Cargo.lock: update dependencies (#193) + * CHANGELOG.md: reformat for keepachangelog.com (#192) + * Add `year`, `month`, and `day` methods to `advisory::Date` (#191) + * add 'unsound' informational advisory kind (#189) + * Resolves #30 + * v0.20.1 (#186) + * Add `advisory::Id::numerical_part()` (#185) + * Refer to Cargo.lock in help for translate (#62) + * Bump handlebars from 3.0.1 to 3.1.0 + * Bump serde from 1.0.104 to 1.0.110 + * Bump petgraph from 0.5.0 to 0.5.1 + * Bump semver from 0.9.0 to 0.10.0 + * Fix clippy errors + * Cargo.lock: update dependencies + * .github: ignore RUSTSEC-2020-0016 + * Bump rustsec from 0.19.0 to 0.20.0 + * v0.20.0 + * Make `WarningInfo` into a simple type alias + * Bump thiserror from 1.0.10 to 1.0.16 + * Bump rustsec from 0.18.0 to 0.19.0 + * v0.19.0 + * Refactor package scopes (fixes #153) + * V3 Advisory Format + * Bump thiserror from 1.0.15 to 1.0.16 + * Bump git2 from 0.13.4 to 0.13.5 + * Bump MSRV to 1.40 + * Bump dependencies to link libgit2 dynamically + * Cargo.lock: update dependencies + * address PR comments + * addres PR comments + * clippy fix + * add WarningInfo. 
modify Warning struct + * Cargo.lock: update dependencies + * Cargo.lock: update dependencies + * lib.rs: fix incorrect flag in documentation + * Drop support for the V1 advisory format + * Update dependencies + * Cargo.lock: Update dependencies + * Bump rustsec from 0.17.1 to 0.18.0 + * v0.18.0 + * Move yanked crate auditing to `cargo-audit` + * Bump abscissa_core from 0.5.1 to 0.5.2 + * security_audit.yml: Fix branch name + * Bump thiserror from 1.0.9 to 1.0.10 + * Bump thiserror from 1.0.9 to 1.0.10 + * Bump handlebars from 3.0.0 to 3.0.1 + * Bump handlebars from 2.0.4 to 3.0.0 + * Bump rustsec from 0.17.0 to 0.17.1 + * v0.17.1 + * Update `cargo-lock` requirement from 3.0 to 4.0 + * Cargo.lock: Update to V2 lockfile format + * README.md: Document CLI `list` and `tree` subcommands + * v4.0.1 + * cli: fix executable name + * v4.0.0 + * cli: `list` subcommand + * cli: `tree` subcommand + * .github: add security audit + * Initial CLI with `translate` subcommand + * Add From<[u8; 32]> impl for Checksum + * Add helper methods for working with checksum metadata + * Minor documentation improvements + * Use minified version of Cargo's SourceId type + * Bump handlebars from 2.0.2 to 2.0.4 + * Bump abscissa_core from 0.5.0 to 0.5.1 + * Bump serde from 1.0.101 to 1.0.104 + * [Security] Bump http from 0.1.18 to 0.1.21 + * Overhaul encoding: use serde_derive, proper V1/V2 support + * Bump termcolor from 1.0.5 to 1.1.0 + * (Re-)Add Serialize impl for Lockfile (fixes #32) + * Add support Cargo.lock `patch` and `root` (fixes #30) + * Detect V1 vs V2 Cargo.lock files (fixes #26) + * Update petgraph requirement from 0.4 to 0.5 + * Add `package::Checksum` + * Bump once_cell from 1.2.0 to 1.3.1 + * Bump rustsec from 0.16.0 to 0.17.0 + * Cargo.lock: check in; add `actions-rs` caching + * v0.17.0 + * Upgrade `cargo-edit` to v0.5.0 release; MSRV 1.39+ + * Bump once_cell from 1.2.0 to 1.3.0 + * Bump toml from 0.5.5 to 0.5.6 + * Have `Fixer` take a reference to `Vulnerability` + * 
Extract `cargo audit fix` logic into `Fixer` + * Warn for yanked crates + * add badge from deps.rs + * upgrade dependencies + * Upgrade to Abscissa v0.5 + * Add vendored-openssl feature + * refactored package_scope's source attribute to vector of sources + * switched from lazy_static to once_cell for database tests + * fixed formatting + * made advisory db in database test static mutex + * fixed tests for vulnerability querying and changed PackageScope to struct + * added tests for package scope consideration in vulnerability querying + * added package scope for querying vulnerabilities + * try to fix #127 + * Bump MSRV to 1.36 + * Try to auto-detect proxy setting + * v0.16.0 + * Remove `support.toml` parsing + * v0.15.2 + * version: Fix matching bug for `>` version requirements + * v0.1.1 + * Upgrade to `rustsec` crate v0.15.1 + * v0.15.1 + * actions: Run cargo-audit, test MSRV, test on Windows + * .github: Use actions-rs GitHub Actions config + * .github: Use actions-rs GitHub Actions config + * .github: Use actions-rs GitHub Actions config + * .github: Use actions-rs GitHub Actions config + * .github: Use actions-rs GitHub Actions config + * linter: Add "informational" as an allowable [advisory] key + * repository: Expose `authentication` module + * v0.15.0 + * Upgrade to `cargo-lock` crate v3 + * v3.0.0 + * Support [[dependencies]] without versions + * v0.14.1 + * lib.rs: Remove botched `petgraph` re-export + * Upgrade to cargo-lock v2.0 + * v2.0.0 + * Use two-pass dependency tree computation + * v2.0.0-pre + * Remove `Lockfile::root_package()` + * Cargo.toml: Fix links + * Cargo.toml: Fix `repository` link + * cli: Move to new repository + * v0.1.0 + * linter: Rename command to `lint`; use Abscissa statuses + * README.md: Header quoting fixup + * v0.2.1 + * .github/workflows/rust.yml: Initial GitHub Actions config + * Import implementation from the `rustsec` crate repo + * .github/workflows/rust.yml: Initial GitHub actions config + * v0.14.0 + * Initial commit 
+ * warning: Extract into module; make more like `Vulnerability` + * Upgrade to `cvss` crate v1.0 + * v1.0.0 + * .github/workflows/rust.yml: Migrate to GitHub Actions + * .github/workflows/rust.yml: Update template + * Upgrade to `cargo-lock` crate v1.0 + * v1.0.0 + * dependency/tree: Render trees to an io::Write + * v1.0.0-pre + * metadata: Generalize into `Key` and `Value` types + * .github/workflows/rust.yml: Trigger on [push] + * .github/workflows/rust.yml: Initial Actions config + * Refactor dependency handling + * cli: Add `rustsec web` subcommand + * cli: Add `rustsec check` subcommand + * cli: Initial application boilerplate + * v0.13.0 + * Finish GitHub Actions migration + * rust.yml: Initial GitHub actions config + * v0.13.0-alpha4 + * linter: Ensure advisory date's year matches year in advisory ID + * v0.13.0-alpha3 + * v0.2.1 + * Allow empty `[metadata]` in Cargo.lock files + * Use the `cargo-lock` crate + * v0.2.0 + * dependency_graph: Move petgraph types into a module + * Fix links and add badges + * v0.1.0 + * Index DependencyGraph by package::Release + * Import `DependencyGraph` from the `rustsec` crate + * Import implementation from the `rustsec` crate + * .travis.yml: Initial Travis CI config + * Initial commit + * v0.13.0-alpha2 + * lockfile: Add (optional) DependencyGraph analysis + * v0.13.0-alpha1 + * Fix unaffected versions + * Restructure Vulnerability + * Rename 'db' module to 'database' + * report: Generate warnings for selected informational advisories + * vulnerability: Add affected_functions() + * Add advisory::Linter + * package: Parse dependencies from Cargo.lock + * Initial `report` module and built-in report-generating + * v0.3.0 + * Support for re-serializing CVSS v3.0 values + * CVSS v3.0 parsing support + * severity: Add `FromStr` and `serde` support + * Use index allocation for storing advisories + * Basic query support + * Index the `rust` advisory directory from RustSec/advisory-db + * Add first-class support for GitHub 
Security Advisories (GHSA) + * Re-vendor Cargo's git authentication code + * Further broaden categories + * support.toml for indicating supported versions + * Add support for "informational" advisories (closes #134) + * Add `advisory::Category` (closes RustSec/advisory-db#69) + * Refactor advisory types: add [affected] and [versions] sections + * advisory: Add (optional) `cvss` field with CVSS v3.1 score + * v0.2.0 + * Add `Base::exploitability` and `impact` methods; docs + * serde support + * Freshen deps: add `home`, remove `directories` and `failure` + * Cargo.toml/README.md: Fix broken/missing links + * v0.1.0 + * .travis.yml: Initial configuration + * Initial commit + * Improve lints and deny policy + * Improved handling of prereleases; MSRV 1.35+ + * Add `Version` and `VersionReq` newtypes + * v0.12.1 + * Use new inclusive range syntax + * v0.12.0 + * Update dependencies and use 2018 import conventions; Rust 1.32+ + * Properly set up target::os::TARGET_OS const for unknown OS + * Re-export all types in advisory::paths::* + * v0.11.0 + * Cargo.toml: Update 'platforms' crate to v0.2 + * v0.2.0 + * Update platforms to match RustForge + * Redo 'affected_functions' as 'affected_paths' + * Update to Rust 2018 edition + * v0.10.0 + * CHANGES.md: Redo formatting + * Implement "affected_functions" advisory attribute + * AdvisoryDatabase::advisories_for_crate: Handle unaffected_versions + * Update to Rust 2018 edition + * v0.9.3 + * Create parents of the advisory DB repo dir + * v0.9.2 + * Handle cloning advisory DB into existing, empty dir + * Gate `no_dupes_test` under "std" + * Test all possible feature combinations + * Fix no_std support when using "serde" feature + * README.md: Move "Documentation" link up + * README.md: Use backticks instead of "scare quotes" + * use home_dir() instead of environment variable HOME + * use ~/.cargo if CARGO_HOME is unset + * Derives Deserialize for Vulnerabilities and Vulnerability + * Derive Serialize for Packages, 
Vulnerabilities, and Vulnerability + * v0.9.1 + * Use Cargo's git authentication helper + * v0.1.4 + * x86_64-apple-darwin: fix typo in target triple name + * Have markdown-table-gen output links to Platform structs on docs.rs + * v0.1.3 + * Cargo.toml: Fix Travis CI badge + * v0.1.2 + * markdown-table-gen: Markdown-formatted platform table generator + * v0.1.1 + * impl {Display, Error} for packages::Error + * v0.9.0 + * rustsec-client -> rustsec-crate + * Use "platforms" crate for platform-related functionality + * v0.1.0 + * Remove duplicate target::OS::from_str() method + * Add `guess_current()` + * Optional serde support + * v0.0.1 + * Initial commit + * PlatformReq documentation improvements + * v0.8.0 + * CHANGES.md: Fix links + * Advisory platform requirements + * advisory/keyword.rs: Cargo-like keyword support + * v0.7.5 + * Allow AdvisoryId::new() to parse "RUSTSEC-0000-0000" + * v0.7.4 + * Add link to logo image for docs.rs + * v0.7.3 + * Fix builds with --no-default-features + * repository/commit.rs: Comment fixup + * README.md: Tighten up title + * v0.7.2 + * README.md: Badge fixups, add gitter badge + * v0.7.1 + * Cargo.toml: Formatting fixups, add "readme" attribute + * v0.7.0 + * v0.7.0-alpha3 + * Refactor advisory iterator + * v0.7.0-alpha2 + * Validate dates are well-formed + * Add AdvisoryIdKind and limited support for parsing advisory IDs + * Add a "Vulnerabilities" collection struct + * src/repository: Refactor into multiple modules + * v0.7.0-alpha1 + * Support converting advisory::Date into chrono::Date + * Parse git signatures as Strings + * Parse aliases, references, and unaffected versions + * Parse (but do not yet verify) signatures on advisory-db commits + * Parse individual advisory .toml files rather than Advisories.toml + * Switch to git2-based fetcher for advisory-db + * advisory.rs: Move AdvisoryId definition below Advisory + * Use serde to parse advisories TOML and Cargo.lock files + * Use 'failure' crate for error handling + * 
Cargo.toml: Update dependencies + * Adopt the Contributor Covenant (version 1.4) + * Factor integration tests into the tests/ directory + * .travis.yml: Allow failures on OS X and enable fast finish + * Fix clippy 0.0.212 nits + * Run rustfmt 0.8.2-nightly (5e599251 2018-07-02) + * Remove redundant documentation link + * Bump version to 0.6.0 and update CHANGES.md + * Use semver::Version for lockfile::Package versions + * Move AdvisoryDatabase under the ::db module + * Lockfile support + * Bump version to 0.5.2 and update CHANGES.md + * Add AdvisoryDatabase::fetch_from_url() + * Bump version to 0.5.1 and update CHANGES.md + * Make "advisory" and "error" modules public + * Bump version to 0.5.0 and update CHANGES.md + * Use str version param for AdvisoryDatabase::find_vulns_for_crate() + * Bump version to 0.4.0 and update CHANGES.md + * Add AdvisoryDatabase::find_vulns_for_crate() + * Bump version to 0.3.0 and update CHANGES.md + * Rename `crate_name` back to `package` + * Bump version to 0.2.0 and update CHANGES.md + * Rename `package` TOML attribute to `crate_name` + * Add iterator support to AdvisoryDatabase + * Add docs badge to README.md + * Spell out crate name explicitly + * Add About section to README + * Bump version to 0.1.0 and update CHANGES.md + * Add AdvisoryDatabase struct + * Fix more README links + * Fix link in README + * Initial implementation + * Add LICENSEs and other README improvements + * Initial commit + +------------------------------------------------------------------- +Mon Jul 05 04:53:39 UTC 2021 - wbrown@suse.de + +- Update to version 0.14.1~git0.e46dce8: + * v0.14.1 (#342) + * Cargo.lock: update several dependencies (#341) + * Generate release builds with github actions (#337) + * Cargo.lock: bump various dependencies (#335) + * Bump rustsec from 0.23.2 to 0.23.3 (#333) + * v0.14.0 (#330) + * Cargo.lock: bump `rustsec` to v0.23.2 (#329) + * README.md: fix "Report Vulnerability" button (#328) + * Rename 'master' branch to 'main' + * 
Bump `rustsec` dependency to v0.23; MSRV 1.46+ (#327) + +------------------------------------------------------------------- +Wed Jun 02 06:01:51 UTC 2021 - wbrown@suse.de + +- Update _service to use upstream monorepo and cargo-audit +- Update to version 0.14.1~git0.e46dce8: + * v0.14.1 (#342) + * Cargo.lock: update several dependencies (#341) + * Generate release builds with github actions (#337) + * Cargo.lock: bump various dependencies (#335) + * Bump rustsec from 0.23.2 to 0.23.3 (#333) + * v0.14.0 (#330) + * Cargo.lock: bump `rustsec` to v0.23.2 (#329) + * README.md: fix "Report Vulnerability" button (#328) + * Rename 'master' branch to 'main' + * Bump `rustsec` dependency to v0.23; MSRV 1.46+ (#327) + +------------------------------------------------------------------- +Wed Mar 17 00:41:16 UTC 2021 - wbrown@suse.de + +- Update to version 0.14.0~git0.08c9f3e: + * v0.14.0 (#330) + * Cargo.lock: bump `rustsec` to v0.23.2 (#329) + * README.md: fix "Report Vulnerability" button (#328) + * Rename 'master' branch to 'main' + * Bump `rustsec` dependency to v0.23; MSRV 1.46+ (#327) + * Enable informational warnings with deny (#320) + * When running in no-fetch mode, allow accessing a non-git repo. (#315) + * Update README.md (#298) + * Cargo.lock: bump deps (#283) + * Bump once_cell from 1.4.1 to 1.5.0 (#282) + +------------------------------------------------------------------- +Tue Mar 02 23:41:56 UTC 2021 - wbrown@suse.de + +- Update to version 0.13.1~git5.7797fd5: + * When running in no-fetch mode, allow accessing a non-git repo. (#315) + * Update README.md (#298) + * Cargo.lock: bump deps (#283) + * Bump once_cell from 1.4.1 to 1.5.0 (#282) + * CHANGELOG.md: add note about #206 as part of the v0.13.0 release + +------------------------------------------------------------------- +Tue Feb 23 03:11:36 UTC 2021 - William Brown + +- Initial submission of v0.13.1 diff --git a/cargo-audit.spec b/cargo-audit.spec new file mode 100644 index 0000000..efc764d --- /dev/null 
+++ b/cargo-audit.spec 
@@ -0,0 +1,58 @@
+#
+# spec file for package cargo-audit
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global rustflags -Clink-arg=-Wl,-z,relro,-z,now -C debuginfo=2
+%global workspace_name rustsec
+
+Name: cargo-audit
+Version: 0.20.0~git66.972ac93
+Release: 0
+Summary: Audit rust sources for known security vulnerabilities
+License: ( 0BSD OR MIT OR Apache-2.0 ) AND ( Apache-2.0 OR BSL-1.0 ) AND ( Apache-2.0 OR MIT ) AND ( MIT OR Zlib OR Apache-2.0 ) AND ( Unlicense OR MIT ) AND ( Zlib OR Apache-2.0 OR MIT ) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND CC0-1.0 AND MIT AND MPL-2.0 AND MPL-2.0+
+Group: Development/Languages/Rust
+URL: https://github.com/RustSec/cargo-audit
+Source0: %{workspace_name}-%{version}.tar.zst
+Source1: vendor.tar.zst
+Source2: cargo_config
+
+BuildRequires: cargo
+BuildRequires: cargo-packaging
+BuildRequires: pkgconfig(openssl)
+ExclusiveArch: %{rust_tier1_arches}
+
+%description
+Audit Cargo.lock files for crates with security vulnerabilities reported to the RustSec Advisory Database.
+
+%prep
+%setup -q -n %{workspace_name}-%{version}
+%setup -qa1 -n %{workspace_name}-%{version}
+mkdir -p .cargo
+cp %{SOURCE2} .cargo/config
+
+%build
+%{cargo_build}
+
+%install
+install -D -d -m 0755 %{buildroot}%{_bindir}
+
+install -m 0755 %{_builddir}/%{workspace_name}-%{version}/target/release/cargo-audit %{buildroot}%{_bindir}/cargo-audit
+
+%files
+%{_bindir}/cargo-audit
+
+%changelog
diff --git a/cargo_config b/cargo_config
new file mode 100644
index 0000000..97852b5
--- /dev/null
+++ b/cargo_config
@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"
diff --git a/rustsec-0.20.0~git66.972ac93.tar.zst b/rustsec-0.20.0~git66.972ac93.tar.zst
new file mode 100644
index 0000000..5e45cc7
--- /dev/null
+++ b/rustsec-0.20.0~git66.972ac93.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b2aa891ed289a8b0ec3165b52722186d5898a5316e022a8da22476b0cf2d2c76
+size 656733
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..33ec43b
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a918976508ec0af1a59b91c4d0dbf6b11c8ca255d7c73bcca674926b344ab638
+size 32308276
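Review bot: The spec has no `%check` section, so the build never exercises the workspace's tests after the vendor tarball swap this commit makes to pick up the gix-path fix; a `%check` section running `%{cargo_test}` after `%build` would catch a vendored-crate set that no longer matches Cargo.lock before the package ships. The `%install` section copies the binary from `%{_builddir}/%{workspace_name}-%{version}/target/release/cargo-audit` by hand instead of using the `%{cargo_install}` macro that cargo-packaging provides, presumably because the workspace builds several binaries and `%files` ships only cargo-audit; a comment such as `# hand-picked from target/: only cargo-audit is packaged from the rustsec workspace` would record that intent. Finally, `cp %{SOURCE2} .cargo/config` writes the legacy file name; recent cargo releases warn that `.cargo/config` is deprecated in favour of `.cargo/config.toml`, so `cp %{SOURCE2} .cargo/config.toml` avoids that warning and keeps the vendored-sources replacement in effect on newer toolchains.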