- Depend on provides of rust to allow older compiler version usage

- Update to version 0.6.4~0: * Release cargo-auditable v0.6.4 * Correctly attribute changelog file addition in changelog * Add changelog for auditable-extract * Verify various feature combinations in CI * Upgrade wasmparser to remove dependencies with `unsafe` * Add LoongArch support * cargo fmt * Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages * Expand on the note about WebAssembly parsing * Populate changelogs * Resume bragging about all dependencies being safe, now that there is a caveat below * drop fuzz Cargo.lock to always fuzz against latest versions * Bump `cargo auditable` version * Mention WASM support in README * Revert "Be super duper extra sure both MinGW and MSVC are tested on CI" * Be super duper extra sure both MinGW and MSVC are tested on CI * Add wasm32 targets to CI for more platforms * Don't pass --target twice in tests * Install WASM toolchain in CI * cargo fmt * Add WASM end-to-end test * cargo fmt * Update documentation to mention the WASM feature * cargo fmt * Plumb WASM parsing feature through the whole stack * Make WASM parsing an optional, non-default feature * Add a fuzzing harness for WASM parsing OBS-URL: https://build.opensuse.org/package/show/devel:languages:rust/cargo-auditable?expand=0&rev=7
2024-07-19 02:16:52 +00:00 · 2024-07-19 02:16:52 +00:00 · cd88031c04
commit cd88031c04
11 changed files with 291 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/27
+++ b/27
@ -0,0 +1,27 @@
+<services>
+  <service mode="manual" name="obs_scm">
+    <param name="url">https://github.com/rust-secure-code/cargo-auditable.git</param>
+    <param name="versionformat">@PARENT_TAG@~@TAG_OFFSET@</param>
+    <param name="scm">git</param>
+    <param name="revision">v0.6.4</param>
+    <param name="match-tag">v*</param>
+    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
+    <param name="versionrewrite-replacement">\1</param>
+    <param name="changesgenerate">enable</param>
+    <param name="changesauthor">william.brown@suse.com</param>
+  </service>
+  <service mode="manual" name="tar" />
+  <service mode="manual" name="recompress">
+    <param name="file">*.tar</param>
+    <param name="compression">zst</param>
+  </service>
+  <service mode="manual" name="set_version"/>
+  <service name="cargo_vendor" mode="manual">
+     <param name="srcdir">cargo-auditable</param>
+     <param name="compression">zst</param>
+     <param name="update">true</param>
+  </service>
+  <service name="cargo_audit" mode="manual">
+     <param name="srcdir">cargo-auditable</param>
+  </service>
+</services>
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/rust-secure-code/cargo-auditable.git</param>
+              <param name="changesrevision">a0ed9cb5b98a0c927fa8d78aed04065144b136e7</param></service></servicedata>
--- a/cargo-auditable-0.6.2~0.obscpio
+++ b/cargo-auditable-0.6.2~0.obscpio
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b8c6b404b4841bc278f5a7712a12897a0fe3cae6187b1c46bd26be071478a496
+size 211979
--- a/cargo-auditable-0.6.2~0.tar.zst
+++ b/cargo-auditable-0.6.2~0.tar.zst
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:834ecaa076b10f08af899de7d07630ed0517b08296a73dcc4e030e4c47047564
+size 46049
--- a/cargo-auditable-0.6.4~0.tar.zst
+++ b/cargo-auditable-0.6.4~0.tar.zst
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f6f8a3116e4d270f6a7ef52b4ae299f15fe7f2c3e00daf454974a038ff56f56
+size 55478
--- a/cargo-auditable.changes
+++ b/cargo-auditable.changes
@ -0,0 +1,156 @@
+-------------------------------------------------------------------
+Fri Jul 19 02:02:31 UTC 2024 - William Brown <william.brown@suse.com>
+
+- Depend on provides of rust to allow older compiler version usage
+
+-------------------------------------------------------------------
+Tue May 28 04:48:14 UTC 2024 - william.brown@suse.com
+
+- Update to version 0.6.4~0:
+  * Release cargo-auditable v0.6.4
+  * Correctly attribute changelog file addition in changelog
+  * Add changelog for auditable-extract
+  * Verify various feature combinations in CI
+  * Upgrade wasmparser to remove dependencies with `unsafe`
+  * Add LoongArch support
+  * cargo fmt
+  * Move doc headers to README.md and point rustdoc to them, so that we have nice crates.io pages
+  * Expand on the note about WebAssembly parsing
+  * Populate changelogs
+  * Resume bragging about all dependencies being safe, now that there is a caveat below
+  * drop fuzz Cargo.lock to always fuzz against latest versions
+  * Bump `cargo auditable` version
+  * Mention WASM support in README
+  * Revert "Be super duper extra sure both MinGW and MSVC are tested on CI"
+  * Be super duper extra sure both MinGW and MSVC are tested on CI
+  * Add wasm32 targets to CI for more platforms
+  * Don't pass --target twice in tests
+  * Install WASM toolchain in CI
+  * cargo fmt
+  * Add WASM end-to-end test
+  * cargo fmt
+  * Update documentation to mention the WASM feature
+  * cargo fmt
+  * Plumb WASM parsing feature through the whole stack
+  * Make WASM parsing an optional, non-default feature
+  * Add a fuzzing harness for WASM parsing
+  * Rewritten WASM parsing to avoid heap allocations
+  * Initial WASM extraction support
+  * Nicer assertion
+  * Drop obsolete comment
+  * Clarify that embedding the compiler version has shipped.
+  * Fixed section name for WASM
+  * Unified and more robust platform detection. Fixed wasm build process
+  * Initial WASM support
+  * More robust platform detection for picking the binary format
+  * Fix Windows CI to run both -msvc and -gnu
+  * Use the correct link.exe flag for preserving the specified symbol even if it is unused
+  * Fix Windows
+  * Fix tests on Rust 1.77
+  * Placate clippy
+  * Oopps, I meant components field
+  * Also remove the dependencies field if empty
+  * Use serde_json with order preservation feature to get a more compressible JSON after workarounds
+  * Work around cyclonedx-bom limitations to produce minified JSON
+  * Also record the dependency kind
+  * cyclonedx-bom: also record PURL
+  * Also write the dependency tree
+  * Clear the serial number in the minimal CycloneDX variant
+  * Prototype impl of auditable2cdx
+  * Fill in auditable2cdx dependencies
+  * Initial auditable2cdx boilerplace
+  * add #![forbid(unsafe_code)]
+  * Initial implementation of auditable-to-cyclonedx conversion
+  * Add the necessary dependencies to auditable-cyclonedx
+  * Initial dummy package for auditable-cyclonedx
+
+-------------------------------------------------------------------
+Tue Mar  5 01:17:29 UTC 2024 - Soc Virnyl Estela <uncomfy+openbuildservice@uncomfyhalomacro.pl>
+
+- Update specfile:
+  * remove cargo_config file
+- Update service file:
+  * replace obsoleted "disabled" mode with "manual"
+- Update to version 0.6.2~0:
+  * Update the lockfile
+  * New releases of cargo-auditable and auditable-serde
+  * Use a separate project for the custom rustc path tests. Fixes intermittent test failures due to race conditions
+  * Revert "add commit hashes to git sources"
+  * Fix cyclic dependency graph being encoded
+  * Revert "An unsuccessful attempt to fix cycles caused by dev-dependencies"
+  * An unsuccessful attempt to fix cycles caused by dev-dependencies
+  * Fix typo
+  * Add comment
+  * Add a test for an issue with cyclic dependencies reported at https://github.com/rustsec/rustsec/issues/1043
+  * Fix auditable-serde example not building
+  * upgrade dependency miniz_oxide to 0.6.0
+  * fix formatting errors
+  * apply clippy lints for --all-features
+  * improve the internal docs and comments
+  * apply clippy lints
+  * add missing sources for one of test fixtures
+  * add commit hashes to git sources
+  * Run all tests on CI
+  * cargo fmt
+  * Run `cargo clean` in tests to get rid of stale binaries
+  * Fix date in changelog
+  * Populate changelog
+  * Bump auditable-info version in rust-audit-info
+  * Add auditable-info changelog
+  * Bump versions following cargo-lock bump
+  * auditable-serde: bump `cargo-lock` to v9
+  * switch to UNRELEASED
+  * Update CHANGELOG.md
+  * Print a better error if calling rustc fails
+  * Drop unused import
+  * placate Clippy
+  * Don't inject audit info if --print argument is passed to rustc
+  * Reflect the version change in Cargo.lock
+  * Remove space from keywords
+  * bump version to 0.6.1
+  * Fix date in changelog
+  * Update CHANGELOG.md
+  * Add publish=false
+  * Commit the generated manpage
+  * Add the code for generating a manpage; rather rudimentary so far, but it's a starting point
+  * Explain relation to supply chain attacks
+  * Add keywords to the Cargo manifest
+  * Revert "generate a man page for cargo auditable"
+  * fix formatting
+  * fix review feedback, relocate file to under OUT_DIR, don't use anyhow and also commit the lock file
+  * generate a man page for cargo auditable
+  * Add Clippy suppression
+  * placate clippy
+  * commit Cargo.lock
+  * Sync to latest object file writing code from rustc
+  * Fix examples in docs
+  * Allow redundant field names
+  * Apply clippy suggestion: match -> if let
+  * Check for clippy and format in CI
+  * Apply clippy suggestions
+  * Run CI with --locked
+
+-------------------------------------------------------------------
+Thu Feb 23 14:27:09 UTC 2023 - Andrea Manzini <andrea.manzini@suse.com>
+
+- Update to version 0.6.0~0:
+  * README and documentation improvements 
+  * Read the rustc path passed by Cargo; fixes #90
+  * Read location of Cargo from the environment variable Cargo sets for third-party subcommands
+  * Add a note on sccache version compatibility to CHANGELOG.md
+  * Panic on compilation commands where we fail to parse the arguments instead of silently ignoring the error
+  * Specifying the binary-scanning feature is no longer needed
+  * Pass options such as --offline to `cargo metadata`
+  * Pass on arguments from `cargo auditable` invocation to the rustc wrapper; prep work towards fixing #83
+  * Bump rust-audit-info to 0.5.2
+  * Bump auditable-serde version to 0.5.2
+  * Correctly fill in the source even in dependency entries when converting to cargo-lock data format
+  * Drop the roundtrip through &str in semver::Version; now that semver 1.0 has shipped the versions are API-compatible and this is no longer necessary
+  * Release auditable-info 0.6.1
+  * Bump all the version requirements for things depending on auditable-info
+  * Fix audit_info_from_slice function signature
+
+-------------------------------------------------------------------
+Thu Nov  3 04:31:16 UTC 2022 - William Brown <william.brown@suse.com>
+
+- Initial commit
--- a/cargo-auditable.obsinfo
+++ b/cargo-auditable.obsinfo
@ -0,0 +1,4 @@
+name: cargo-auditable
+version: 0.6.4~0
+mtime: 1715183073
+commit: a0ed9cb5b98a0c927fa8d78aed04065144b136e7
--- a/cargo-auditable.spec
+++ b/cargo-auditable.spec
@ -0,0 +1,64 @@
+#
+# spec file for package cargo-auditable
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define __rustflags -Clink-arg=-Wl,-z,relro,-z,now -C debuginfo=2 -C incremental=false
+%define __cargo CARGO_FEATURE_VENDORED=1 RUSTFLAGS="%{__rustflags}" %{_bindir}/cargo
+%define __cargo_common_opts %{?_smp_mflags}
+
+Name:           cargo-auditable
+Version:        0.6.4~0
+Release:        0
+Summary:        A tool to embed auditing information in ELF sections of rust binaries
+#               If you know the license, put it's SPDX string here.
+#               Alternately, you can use cargo lock2rpmprovides to help generate this.
+License:        (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (0BSD OR MIT OR Apache-2.0) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND MIT
+#               Select a group from this link:
+#               https://en.opensuse.org/openSUSE:Package_group_guidelines
+Group:          Development/Languages/Rust
+URL:            https://github.com/rust-secure-code/cargo-auditable
+Source0:        %{name}-%{version}.tar.zst
+Source1:        vendor.tar.zst
+# We can't dep on cargo-packaging because we would create a dependency loop.
+# BuildRequires:  cargo-packaging
+BuildRequires:  rust+cargo
+BuildRequires:  zstd
+Requires:       rust+cargo
+
+%description
+Know the exact crate versions used to build your Rust executable. Audit binaries for known bugs or
+security vulnerabilities in production, at scale, with zero bookkeeping. This works by embedding
+data about the dependency tree in JSON format into a dedicated linker section of the compiled
+executable.
+
+%prep
+%autosetup -a1
+
+%build
+unset LIBSSH2_SYS_USE_PKG_CONFIG
+%{__cargo} build \
+    %{__cargo_common_opts} \
+    --offline --release
+
+%install
+install -D -d -m 0755 %{buildroot}%{_bindir}
+install -m 0755 %{_builddir}/%{name}-%{version}/target/release/cargo-auditable %{buildroot}%{_bindir}/cargo-auditable
+
+%files
+%{_bindir}/cargo-auditable
+
+%changelog
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:76dd589706de37d7fc330d29b6867ebe09169f1dca666523b3459b25041cb91c
+size 10514792