From cd88031c04db514163e6b8376916fba1abde2f943ba1e64e372fb296caf73060 Mon Sep 17 00:00:00 2001 
From: William Brown
Date: Fri, 19 Jul 2024 02:16:52 +0000
Subject: [PATCH] - Depend on provides of rust to allow older compiler version usage
- Update to version 0.6.4~0:
 * Release cargo-auditable v0.6.4
 * Correctly attribute changelog file addition in changelog
 * Add changelog for auditable-extract
 * Verify various feature combinations in CI
 * Upgrade wasmparser to remove dependencies with `unsafe`
 * Add LoongArch support
 * cargo fmt
 * Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages
 * Expand on the note about WebAssembly parsing
 * Populate changelogs
 * Resume bragging about all dependencies being safe, now that there is a caveat below
 * drop fuzz Cargo.lock to always fuzz against latest versions
 * Bump `cargo auditable` version
 * Mention WASM support in README
 * Revert "Be super duper extra sure both MinGW and MSVC are tested on CI"
 * Be super duper extra sure both MinGW and MSVC are tested on CI
 * Add wasm32 targets to CI for more platforms
 * Don't pass --target twice in tests
 * Install WASM toolchain in CI
 * cargo fmt
 * Add WASM end-to-end test
 * cargo fmt
 * Update documentation to mention the WASM feature
 * cargo fmt
 * Plumb WASM parsing feature through the whole stack
 * Make WASM parsing an optional, non-default feature
 * Add a fuzzing harness for WASM parsing
OBS-URL: https://build.opensuse.org/package/show/devel:languages:rust/cargo-auditable?expand=0&rev=7
---
 .gitattributes | 23 +++++
 .gitignore | 1 +
 _service | 27 ++++++
 _servicedata | 4 +
 cargo-auditable-0.6.2~0.obscpio | 3 +
 cargo-auditable-0.6.2~0.tar.zst | 3 +
 cargo-auditable-0.6.4~0.tar.zst | 3 +
 cargo-auditable.changes | 156 ++++++++++++++++++++++++++++++++
 cargo-auditable.obsinfo | 4 +
 cargo-auditable.spec | 64 +++++++++++++
 vendor.tar.zst | 3 +
 11 files changed, 291 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _service
 create mode 100644 _servicedata
 create mode 100644 cargo-auditable-0.6.2~0.obscpio
 create mode 100644 cargo-auditable-0.6.2~0.tar.zst
 create mode 100644 cargo-auditable-0.6.4~0.tar.zst
 create mode 100644 cargo-auditable.changes
 create mode 100644 cargo-auditable.obsinfo
 create mode 100644 cargo-auditable.spec
 create mode 100644 vendor.tar.zst
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..fb70903
--- /dev/null
+++ b/_service
@@ -0,0 +1,27 @@
+
+
+ https://github.com/rust-secure-code/cargo-auditable.git
+ @PARENT_TAG@~@TAG_OFFSET@
+ git
+ v0.6.4
+ v*
+ v(\d+\.\d+\.\d+)
+ \1
+ enable
+ william.brown@suse.com
+
+
+
+ *.tar
+ zst
+
+
+
+ cargo-auditable
+ zst
+ true
+
+
+ cargo-auditable
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..70e82ae
--- /dev/null
+++ b/_servicedata
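Review bot: The `cargo-auditable` / `zst` / `true` triple in the third service block of _service reads as a cargo_vendor service with its update flag enabled, although the element names were lost in this rendering and that should be confirmed against the original XML. If so, the crate set in vendor.tar.zst is whatever dependency resolution produced when the service last ran, not the set upstream released and tested with, so the build's provenance depends on the service-run date rather than on the v0.6.4 tag alone; stating that choice in cargo-auditable.changes, or turning the flag off when the upstream lockfile is meant to be kept, would make it explicit. The checkout is pinned to the tag name `v0.6.4`, and the commit actually fetched is recorded only in _servicedata and cargo-auditable.obsinfo (`a0ed9cb5…`), which is the value to compare against when verifying the source archive later.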
@@ -0,0 +1,4 @@
+
+
+ https://github.com/rust-secure-code/cargo-auditable.git
+ a0ed9cb5b98a0c927fa8d78aed04065144b136e7
\ No newline at end of file
diff --git a/cargo-auditable-0.6.2~0.obscpio b/cargo-auditable-0.6.2~0.obscpio
new file mode 100644
index 0000000..4f73729
--- /dev/null
+++ b/cargo-auditable-0.6.2~0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b8c6b404b4841bc278f5a7712a12897a0fe3cae6187b1c46bd26be071478a496
+size 211979
diff --git a/cargo-auditable-0.6.2~0.tar.zst b/cargo-auditable-0.6.2~0.tar.zst
new file mode 100644
index 0000000..bb1caf3
--- /dev/null
+++ b/cargo-auditable-0.6.2~0.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:834ecaa076b10f08af899de7d07630ed0517b08296a73dcc4e030e4c47047564
+size 46049
diff --git a/cargo-auditable-0.6.4~0.tar.zst b/cargo-auditable-0.6.4~0.tar.zst
new file mode 100644
index 0000000..a5d0e27
--- /dev/null
+++ b/cargo-auditable-0.6.4~0.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f6f8a3116e4d270f6a7ef52b4ae299f15fe7f2c3e00daf454974a038ff56f56
+size 55478
diff --git a/cargo-auditable.changes b/cargo-auditable.changes
new file mode 100644
index 0000000..f84d1f5
--- /dev/null
+++ b/cargo-auditable.changes
@@ -0,0 +1,156 @@
+-------------------------------------------------------------------
+Fri Jul 19 02:02:31 UTC 2024 - William Brown
+
+- Depend on provides of rust to allow older compiler version usage
+
+-------------------------------------------------------------------
+Tue May 28 04:48:14 UTC 2024 - william.brown@suse.com
+
+- Update to version 0.6.4~0:
+ * Release cargo-auditable v0.6.4
+ * Correctly attribute changelog file addition in changelog
+ * Add changelog for auditable-extract
+ * Verify various feature combinations in CI
+ * Upgrade wasmparser to remove dependencies with `unsafe`
+ * Add LoongArch support
+ * cargo fmt
+ * Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages
+ * Expand on the note about WebAssembly parsing
+ * Populate changelogs
+ * Resume bragging about all dependencies being safe, now that there is a caveat below
+ * drop fuzz Cargo.lock to always fuzz against latest versions
+ * Bump `cargo auditable` version
+ * Mention WASM support in README
+ * Revert "Be super duper extra sure both MinGW and MSVC are tested on CI"
+ * Be super duper extra sure both MinGW and MSVC are tested on CI
+ * Add wasm32 targets to CI for more platforms
+ * Don't pass --target twice in tests
+ * Install WASM toolchain in CI
+ * cargo fmt
+ * Add WASM end-to-end test
+ * cargo fmt
+ * Update documentation to mention the WASM feature
+ * cargo fmt
+ * Plumb WASM parsing feature through the whole stack
+ * Make WASM parsing an optional, non-default feature
+ * Add a fuzzing harness for WASM parsing
+ * Rewritten WASM parsing to avoid heap allocations
+ * Initial WASM extraction support
+ * Nicer assertion
+ * Drop obsolete comment
+ * Clarify that embedding the compiler version has shipped.
+ * Fixed section name for WASM
+ * Unified and more robust platform detection.
Fixed wasm build process
+ * Initial WASM support
+ * More robust platform detection for picking the binary format
+ * Fix Windows CI to run both -msvc and -gnu
+ * Use the correct link.exe flag for preserving the specified symbol even if it is unused
+ * Fix Windows
+ * Fix tests on Rust 1.77
+ * Placate clippy
+ * Oopps, I meant components field
+ * Also remove the dependencies field if empty
+ * Use serde_json with order preservation feature to get a more compressible JSON after workarounds
+ * Work around cyclonedx-bom limitations to produce minified JSON
+ * Also record the dependency kind
+ * cyclonedx-bom: also record PURL
+ * Also write the dependency tree
+ * Clear the serial number in the minimal CycloneDX variant
+ * Prototype impl of auditable2cdx
+ * Fill in auditable2cdx dependencies
+ * Initial auditable2cdx boilerplace
+ * add #![forbid(unsafe_code)]
+ * Initial implementation of auditable-to-cyclonedx conversion
+ * Add the necessary dependencies to auditable-cyclonedx
+ * Initial dummy package for auditable-cyclonedx
+
+-------------------------------------------------------------------
+Tue Mar 5 01:17:29 UTC 2024 - Soc Virnyl Estela
+
+- Update specfile:
+ * remove cargo_config file
+- Update service file:
+ * replace obsoleted "disabled" mode with "manual"
+- Update to version 0.6.2~0:
+ * Update the lockfile
+ * New releases of cargo-auditable and auditable-serde
+ * Use a separate project for the custom rustc path tests.
Fixes intermittent test failures due to race conditions
+ * Revert "add commit hashes to git sources"
+ * Fix cyclic dependency graph being encoded
+ * Revert "An unsuccessful attempt to fix cycles caused by dev-dependencies"
+ * An unsuccessful attempt to fix cycles caused by dev-dependencies
+ * Fix typo
+ * Add comment
+ * Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043
+ * Fix auditable-serde example not building
+ * upgrade dependency miniz_oxide to 0.6.0
+ * fix formatting errors
+ * apply clippy lints for --all-features
+ * improve the internal docs and comments
+ * apply clippy lints
+ * add missing sources for one of test fixtures
+ * add commit hashes to git sources
+ * Run all tests on CI
+ * cargo fmt
+ * Run `cargo clean` in tests to get rid of stale binaries
+ * Fix date in changelog
+ * Populate changelog
+ * Bump auditable-info version in rust-audit-info
+ * Add auditable-info changelog
+ * Bump versions following cargo-lock bump
+ * auditable-serde: bump `cargo-lock` to v9
+ * switch to UNRELEASED
+ * Update CHANGELOG.md
+ * Print a better error if calling rustc fails
+ * Drop unused import
+ * placate Clippy
+ * Don't inject audit info if --print argument is passed to rustc
+ * Reflect the version change in Cargo.lock
+ * Remove space from keywords
+ * bump version to 0.6.1
+ * Fix date in changelog
+ * Update CHANGELOG.md
+ * Add publish=false
+ * Commit the generated manpage
+ * Add the code for generating a manpage; rather rudimentary so far, but it's a starting point
+ * Explain relation to supply chain attacks
+ * Add keywords to the Cargo manifest
+ * Revert "generate a man page for cargo auditable"
+ * fix formatting
+ * fix review feedback, relocate file to under OUT_DIR, don't use anyhow and also commit the lock file
+ * generate a man page for cargo auditable
+ * Add Clippy suppression
+ * placate clippy
+ * commit Cargo.lock
+ * Sync to latest object file writing code from
rustc
+ * Fix examples in docs
+ * Allow redundant field names
+ * Apply clippy suggestion: match -> if let
+ * Check for clippy and format in CI
+ * Apply clippy suggestions
+ * Run CI with --locked
+
+-------------------------------------------------------------------
+Thu Feb 23 14:27:09 UTC 2023 - Andrea Manzini
+
+- Update to version 0.6.0~0:
+ * README and documentation improvements
+ * Read the rustc path passed by Cargo; fixes #90
+ * Read location of Cargo from the environment variable Cargo sets for third-party subcommands
+ * Add a note on sccache version compatibility to CHANGELOG.md
+ * Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error
+ * Specifying the binary-scanning feature is no longer needed
+ * Pass options such as --offline to `cargo metadata`
+ * Pass on arguments from `cargo auditable` invocation to the rustc wrapper; prep work towards fixing #83
+ * Bump rust-audit-info to 0.5.2
+ * Bump auditable-serde version to 0.5.2
+ * Correctly fill in the source even in dependency entries when converting to cargo-lock data format
+ * Drop the roundtrip through &str in semver::Version; now that semver 1.0 has shipped the versions are API-compatible and this is no longer necessary
+ * Release auditable-info 0.6.1
+ * Bump all the version requirements for things depending on auditable-info
+ * Fix audit_info_from_slice function signature
+
+-------------------------------------------------------------------
+Thu Nov 3 04:31:16 UTC 2022 - William Brown
+
+- Initial commit
diff --git a/cargo-auditable.obsinfo b/cargo-auditable.obsinfo
new file mode 100644
index 0000000..ae4e3e2
--- /dev/null
+++ b/cargo-auditable.obsinfo
@@ -0,0 +1,4 @@
+name: cargo-auditable
+version: 0.6.4~0
+mtime: 1715183073
+commit: a0ed9cb5b98a0c927fa8d78aed04065144b136e7
diff --git a/cargo-auditable.spec b/cargo-auditable.spec
new file mode 100644
index 0000000..ff7dd29
--- /dev/null
+++ b/cargo-auditable.spec
@@ -0,0 +1,64 @@
+#
+# spec file for package cargo-auditable
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define __rustflags -Clink-arg=-Wl,-z,relro,-z,now -C debuginfo=2 -C incremental=false
+%define __cargo CARGO_FEATURE_VENDORED=1 RUSTFLAGS="%{__rustflags}" %{_bindir}/cargo
+%define __cargo_common_opts %{?_smp_mflags}
+
+Name: cargo-auditable
+Version: 0.6.4~0
+Release: 0
+Summary: A tool to embed auditing information in ELF sections of rust binaries
+# If you know the license, put it's SPDX string here.
+# Alternately, you can use cargo lock2rpmprovides to help generate this.
+License: (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND MIT
+# Select a group from this link:
+# https://en.opensuse.org/openSUSE:Package_group_guidelines
+Group: Development/Languages/Rust
+URL: https://github.com/rust-secure-code/cargo-auditable
+Source0: %{name}-%{version}.tar.zst
+Source1: vendor.tar.zst
+# We can't dep on cargo-packaging because we would create a dependency loop.
+# BuildRequires: cargo-packaging
+BuildRequires: rust+cargo
+BuildRequires: zstd
+Requires: rust+cargo
+
+%description
+Know the exact crate versions used to build your Rust executable. Audit binaries for known bugs or
+security vulnerabilities in production, at scale, with zero bookkeeping. This works by embedding
+data about the dependency tree in JSON format into a dedicated linker section of the compiled
+executable.
+
+%prep
+%autosetup -a1
+
+%build
+unset LIBSSH2_SYS_USE_PKG_CONFIG
+%{__cargo} build \
+ %{__cargo_common_opts} \
+ --offline --release
+
+%install
+install -D -d -m 0755 %{buildroot}%{_bindir}
+install -m 0755 %{_builddir}/%{name}-%{version}/target/release/cargo-auditable %{buildroot}%{_bindir}/cargo-auditable
+
+%files
+%{_bindir}/cargo-auditable
+
+%changelog
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..2ddf863
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76dd589706de37d7fc330d29b6867ebe09169f1dca666523b3459b25041cb91c
+size 10514792
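Review bot: The `%{__cargo} build` invocation in %build passes `--offline --release` but not `--locked`, so a Cargo.lock in the unpacked source that disagrees with the vendored crates is silently rewritten instead of failing the build; `--offline --locked --release` turns that mismatch into a hard error, which is what a vendored, offline build wants. The two template comments above `License:` and `Group:` (`# If you know the license, put it's SPDX string here.` and `# Select a group from this link:`) are scaffolding left over now that both fields are filled in and can be dropped. `unset LIBSSH2_SYS_USE_PKG_CONFIG` carries no explanation of why this crate needs it; a one-line comment naming the reason would spare the next packager from re-deriving it. In %install, `%{_builddir}/%{name}-%{version}/target/release/cargo-auditable` can be written as the relative `target/release/cargo-auditable`, since %install already runs in that directory.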