-------------------------------------------------------------------
Thu Jan 4 02:03:56 UTC 2024 - William Brown

- bsc#1218227 - update vendored dependencies for ssh terrapin attack

-------------------------------------------------------------------
Fri Oct 27 03:17:26 UTC 2023 - william.brown@suse.com

- Update to version 0.18.3~git0.3544515:
  * Bump version
  * Populate changelog
  * Update the `fix` subcommand to the new API
  * Fix deadlock on missing lockfile
  * build(deps): bump regex from 1.9.5 to 1.10.2
  * Update rustsec changelog
  * Configure `gix` with `max-performance-safe` feature
  * feat: let `Severity` implement `Hash`
  * Bump rustsec version to 0.28.3
  * Bump date
  * Changelog for 0.28.3
  * fix typo
  * fix typo
  * Update rustsec/src/repository/git/repository.rs
  * Expand documentation on locking
  * build(deps): bump webpki from 0.22.1 to 0.22.2
  * Correctly classify only lock timeout errors as LockTimeout, not all lock-related errors
  * cargo fmt
  * Use Result instead of an unwrap()
  * Fix DB directory locking
  * Regenerate Cargo.lock
  * Add comment
  * Migrate rustsec-admin to tame-index 0.7
  * bump gix version in admin too
  * cargo fmt
  * Switch from Git-compatible locks to OS locks in database checkout
  * Purge gix lock to rustsec error conversion; I am removing gix locks
  * Only create LockTimeout error variant from tame-index locks
  * cargo fmt
  * Update docs
  * regenerate Cargo.lock
  * Initial conversion to tame-index 0.7.1. Compiles but untested.
  * Bump admin version
  * Populate changelog for admin
  * Update Clippy to fix useless warnings
  * admin: use `gix` max-performance-safe instead of max-performance
  * configure `gix` for best performance
  * Bump version to 0.18.2
  * thanks clippy
  * Populate changelog for cargo-audit
  * Require rustsec 0.28.2 in cargo-audit to fix RUSTSEC-2023-0064
  * change edition to 2021
  * Use tame-index which switches `rustsec-admin` to `gix`.
  * Bump version to 0.28.2
  * Populate changelog
  * Drop hyperlinks to gix in documentation because we don't have the necessary features enabled. Temporary hack to unblock a release with a security fix
  * Fix up code to deal with API changes
  * Bump tame-index, explicitly depend on `gix` to enable the necessary features
  * Fix error reporting on stale lockfile
  * build(deps): bump termcolor from 1.2.0 to 1.3.0 (#1009)
  * build(deps): bump chrono from 0.4.30 to 0.4.31
  * build(deps): bump xml-rs from 0.8.17 to 0.8.18
  * Fix `deny = ["warnings"]` being ignored (#995)
  * rustsec-admin 0.8.7 (#998)
  * Additional information in advisory content (#997)
  * build(deps): bump chrono from 0.4.29 to 0.4.30
  * commit Cargo.lock
  * bump rustsec crate to 0.28.1
  * bump tame-index version requirement to 0.5.5, it contains the HTTP/2 change
  * Populate changelog
  * cargo fmt
  * Do not require http2 when establishing the connection
  * build(deps): bump chrono from 0.4.27 to 0.4.29
  * Appease clippy
  * Do not re-lookup packages that are already cached
  * build(deps): bump regex from 1.9.4 to 1.9.5
  * build(deps): bump xml-rs from 0.8.16 to 0.8.17
  * build(deps): bump actions/checkout from 3 to 4
  * review feedback: reduce boilerplate
  * replace feature default, with v3 and std
  * make 'cargo test --no-default-features' run without errors
  * Add manual trigger mechanism to release workflow
  * Drop remaining 'fix' features
  * cargo-audit v0.18.1 (#981)
  * Release workflow: don't enable `fix` and `vendored-openssl` features
  * Bump versions
  * Fill in release date in changelogs
  * commit Cargo.lock
  * bump rustsec requirement in admin
  * Commit Cargo.lock
  * bump cargo-audit version to 0.18.0-rc.1
  * Bump rustsec to 0.28.0-rc.1
  * Mention `fix` feature not being converted in changelog
  * Fill in cargo-audit changelog
  * build(deps): bump time from 0.3.27 to 0.3.28
  * build(deps): bump chrono from 0.4.26 to 0.4.27
  * build(deps): bump url from 2.4.0 to 2.4.1
  * build(deps): bump regex from 1.9.3 to 1.9.4
  * Exclude auto-generation scripts from the published package
  * Ignore the file downloaded by the regeneration script
  * Bump `platforms` version
  * Add myself to authors, I've built out the whole autogeneration infrastructure
  * Re-run the generation script
  * Bring back the hyperlinks in README.md
  * Automatically regenerate the table of known platforms in README
  * Turn links into hyperlinks to stop recent rustdoc from complaining (#965)
  * Bump version
  * Regenerate platforms crate
  * Bump MSRV in README.md
  * Add another PR
  * Also filter warnings by binary type in `cargo audit bin`
  * fix build
  * Add `affected` field to warnings in `rustsec` so that we could enable platform filtering in `cargo audit bin`
  * Correctly state MSRV in changelog
  * Populate changelog for the rustsec crate
  * remove redundant clone as advised by clippy
  * placate clippy
  * placate clippy
  * Cargo fmt
  * Add more methods to CommitHash
  * Add forgotten file
  * WIP wrapper for gix::ObjectId
  * cargo fmt
  * Do not expose `toml` types through the public API
  * Drop `toml` crate from the public API as well
  * Drop unused Error conversion impl
  * Add a TODO
  * Slightly better doc comments
  * Do not expose gix types in the Error public API
  * Use a private function for converting from tame_index::Error to rustsec::Error
  * don't pub use gix, we do not want it to leak into the public API
  * cargo fmt
  * Put import at the top to fix doc links
  * Feature-gate tame_index import
  * cargo fmt
  * Fix build
  * build(deps): bump time from 0.3.26 to 0.3.27
  * build(deps): bump tame-index from 0.5.3 to 0.5.4
  * cargo fmt
  * Handle #[non_exhaustive] enum from tame-index
  * Fix remaining discrepancies
  * WIP conversion to tame-index 0.5.x and gix 0.52.x
  * Fix unknown license handling (#956)
  * Print the GHSA URL for GHSA advisories, take 2
  * Revert "Print the GHSA URL for GHSA advisories"
  * Print the GHSA URL for GHSA advisories
  * Expose License type
  * Rename license variants
  * Implement license + url
  * Bump hermit-abi to move away from a yanked version
  * Bump rustls-webpki to resolve RUSTSEC-2023-0053
  * build(deps): bump regex from 1.9.1 to 1.9.3
  * build(deps): bump toml from 0.7.5 to 0.7.6
  * build(deps): bump regex from 1.8.4 to 1.9.1
  * build(deps): bump time from 0.3.25 to 0.3.26
  * Regenerate Cargo.lock
  * Use native certificates for TLS
  * build(deps): bump petgraph from 0.6.3 to 0.6.4
  * build(deps): bump tame-index from 0.4.0 to 0.4.1
  * Document locking considerations
  * More consistent status printing
  * cargo fmt
  * Warn before waiting on crates.io cache locks. Verbose but cannot be expressed via a higher-order function, and macros would make it much worse.
  * Add lock timeout parameter to open() and fetch()
  * Split creating a new remote index into a separate function in preparation for more complex logic around it
  * Add a comment
  * Drop manual map_err now that the conversion is implemented on rustsec::Error
  * cargo fmt made the code more succinct for once, drop my comment complaining about verbosity
  * cargo fmt
  * Convert from lock error rather than from its immutable borrow
  * Implement From conversions for LockTimeout error variant, since we will need to reuse it
  * build(deps): bump tame-index from 0.3.1 to 0.4.0
  * Fix doc links
  * More clear documentation
  * Less esoteric pattern matching
  * silence unused variable warnings
  * Convert cargo-audit to use explicit locking
  * Update docs to match code
  * Drop unused import
  * Create a separate error kind for lock timeouts, and expose configurable lock timeouts from the advanced fetching function only
  * Fix docs
  * cargo fmt
  * Provide a rationale for the bulk API
  * Hide index implementation details and remove the performance pitfall of calling is_yanked on individual packages
  * Migrate check_for_yanked_crates() to the bulk API
  * cargo fmt
  * Do not short-circuit on index update failure
  * Rework bulk yank-checking code to report errors granularly instead of short-circuiting on first error it encounters
  * Transparently populate cache from `find_yanked`
  * Documentation tweaks
  * Even more caching for even faster CI
  * Fix intra-doc links
  * Explicitly document locking considerations
  * Revert "Re-enable self-audit"
  * Re-unify CI matrix, fulfilling a TODO
  * Attempt to fix CI by explicitly generating the lockfile
  * Re-enable self-audit
  * Dummy commit to trigger a CI re-run
  * Add rust-cache job properly now
  * Revert "Add Rust-specific caching job to see if that speeds up CI"
  * Dummy commit to trigger a CI re-run
  * Add Rust-specific caching job to see if that speeds up CI
  * Switch rustsec crate CI back to MSRV to see what happens
  * Drop --release from rustsec CI, the tests execute really quickly in debug mode
  * No need to reimplement CmdRunner::default() now that binary scanning is a default feature
  * Drop the --release flag so that the compilation artifacts could be reused - Abscissa doesn't seem to have an option to run acceptance tests with `cargo run --release`
  * Switch to Rust 1.71.0 for select jobs
  * Placate both versions of rustfmt
  * cargo fmt
  * build(deps): bump semver from 1.0.17 to 1.0.18
  * Add a TODO
  * Re-add some of the comments
  * Normalize time offsets to UTC
  * Justify clippy opt-out
  * Undo autoformat
  * Finish up transition to gix
  * WIP
  * build(deps): bump xml-rs from 0.8.14 to 0.8.16
  * Ignore clippy lint
  * Checkpoint
  * Update error message
  * Use `AsyncRemoteSparseIndex::krates_blocking`
  * Oops
  * Make sparse index cache population parallel
  * Fix remaining lints
  * Make public
  * Fix lint
  * Allow clippy lint
  * Bump CI
  * Bump MSRV to 1.67.0
  * Transition from `crates-index` -> `tame-index`
  * build(deps): bump atom_syndication from 0.12.1 to 0.12.2 (#921)
  * Add license and attribution fields to advisories
  * rustsec-admin 0.8.6 (#915)
  * Case-insensitive search on website
  * build(deps): bump rust-embed from 6.7.0 to 6.8.1 (#909)
  * Cargo.lock: bump dependencies (#908)
  * build(deps): bump toml from 0.7.3 to 0.7.5 (#904)
  * build(deps): bump crates-index from 0.19.8 to 0.19.13 (#903)
  * cargo-lock: MSRV 1.65 (#907)
  * build(deps): bump openssl from 0.10.52 to 0.10.55 (#906)
  * cargo-audit+rustsec: MSRV 1.65 (#905)
  * build(deps): bump chrono from 0.4.24 to 0.4.25 (#894)
  * Fix edge case in git source dependency resolution
  * Update cargo-audit changelog
  * Update rustsec crate changelog
  * commit Cargo.lock version bump
  * Bump rustsec version following the cargo-lock bump
  * 🔥 Remove $ from install snippet on README (#879)
  * Cargo.lock: update dependencies (#876)
  * Bump `cargo-lock` to v0.9 + auditable deps (#875)
  * build(deps): bump home from 0.5.4 to 0.5.5 (#874)
  * build(deps): bump atom_syndication from 0.12.0 to 0.12.1 (#851)
  * build(deps): bump softprops/action-gh-release (#852)
  * build(deps): bump rust-embed from 6.6.0 to 6.6.1 (#849)
  * build(deps): bump crates-index from 0.19.7 to 0.19.8 (#864)
  * cargo-lock v9.0.0 (#870)
  * Fix docs build (#871)
  * Fix review comments
  * Various improvements to the "cargo-lock tree" subcommand
  * Fix is_default_registry for sparse index (#859)
  * Remove build script for platforms, it's now unused (#856)
  * build(deps): bump comrak from 0.16.0 to 0.18.0
  * Link to rustsec/audit-check (#854)
  * Fix formatting to `cargo fmt` spec.
  * Fix #736 - Cargo audit self advisories repeated
  * build(deps): bump openssl from 0.10.47 to 0.10.48
  * build(deps): bump semver from 1.0.16 to 1.0.17
  * cargo fmt
  * Wrap binfarce::Format in our own struct to make `binfarce` an optional dependency
  * placate clippy
  * cargo fmt
  * Fix no-default-features compilation by making binfarce an unconditional dependency
  * Start fixing up compilation with no default features
  * Expand TODO
  * Fix filtering by binary type but this makes the dependency on binfarce unconditional (for now)
  * Add a FIXME explaining why it's not working
  * wire up filtering by binary type
  * Initial code for binary-type-based filtering; not wired up yet

-------------------------------------------------------------------
Mon Mar 27 02:52:07 UTC 2023 - william.brown@suse.com

- Update to version 0.17.5~git0.dc8ec71:
  * Set the release date in changelog
  * Bump `cargo-audit` version
  * Bump `rustsec` crate requirement to 0.26.5, to mandate the version with the fixed libgit2
  * Fill in the CHANGELOG
  * Do not run all tests from the default feature set twice
  * cargo fmt
  * Fix version reporting
  * Update openssl in Cargo.lock files
  * More changelog entries
  * cargo fmt
  * Fix type inference error
  * Fill in changelog
  * Bump version to 0.26.5
  * build(deps): bump regex from 1.7.1 to 1.7.2
  * build(deps): bump rust-embed from 6.4.2 to 6.6.0
  * build(deps): bump chrono from 0.4.23 to 0.4.24
  * Bump crates-index to 0.19
  * rustsec: Fix git2 via cargo-edit-9 fork
  * fix(cargo-audit): set clap bin_name to cargo (#824)
  * fix(cargo-audit): Better the formatting of severity output
  * Add vulnerability severity to the cargo-audit report presenter
  * test(cargo-audit): Ensure informational warnings are shown by default
  * fix(cargo-audit): Add unsound and notice to default informational warnings
  * Resolves #622
  * fix(cargo-audit): Remove latest commit signature check
  * Re-enable MacOS CI with `--all-features`
  * Bump `platforms` version
  * Regenerate the `platforms` crate for rustc 1.69.0-nightly (8996ea93b 2023-02-09)
  * build(deps): bump toml from 0.7.1 to 0.7.2 (#811)
  * build(deps): bump petgraph from 0.6.2 to 0.6.3 (#810)
  * Use new feature/dependency syntax (#809)
  * build(deps): bump toml from 0.7.0 to 0.7.1 (#806)
  * build(deps): bump toml from 0.6.0 to 0.7.0 (#805)
  * admin: bump `chrono` to v0.4.23 (#803)
  * build(deps): bump atom_syndication from 0.11.0 to 0.12.0 (#777)
  * build(deps): bump comrak from 0.15.0 to 0.16.0 (#802)
  * build(deps): bump toml from 0.5.9 to 0.6.0 (#797)
  * Bump `toml` crate dependency to v0.6 (#800)
  * Cargo.lock: bump dependencies (#799)
  * build(deps): bump regex from 1.6.0 to 1.7.1 (#785)
  * cvss: bump MSRV to 1.60 (#798)
  * build(deps): bump fs-err from 2.8.1 to 2.9.0 (#744)
  * build(deps): bump termcolor from 1.1.3 to 1.2.0 (#791)
  * cargo-audit: refactor OS-specific CI configuration (#796)
  * cargo-lock: use `Display` for `io::ErrorKind`; MSRV 1.60 (#794)
  * cargo-lock: mark `SourceKind` as `#[non_exhaustive]` (#793)
  * cargo-lock: support sparse registry references in Lockfiles (#780)
  * release rustsec-admin 0.8.5 (#789)
  * release rustsec-admin 0.8.5 (#788)
  * Escape search term to prevent reflected XSS (#787)
  * Add top-level severity field to OSV advisories
  * cargo-lock: implement From for String (#776)
  * build(deps): bump comrak from 0.14.0 to 0.15.0 (#760)
  * Bump rust-embed from 6.4.2 to 6.5.0 (#766)
  * Bump semver from 1.0.14 to 1.0.16 (#772)
  * Bump softprops/action-gh-release (#770)
  * cargo-lock v8.0.3 (#768)
  * Fixed inconsistency in encoding lockfiles where there's only one registry for all packages (#767)
  * Prepare rustsec-admin release 0.8.4 (#765)
  * release rustsec 0.26.4
  * Make URL a hyperlink
  * Add CHANGELOG.md entry
  * Store crates.io index versions as strings instead of semver
  * Revert "Skip invalid semver in crates.io index"
  * Skip invalid semver in crates.io index
  * Appease clippy
  * Appease clippy
  * Add publication date

-------------------------------------------------------------------
Wed Nov 09 00:01:18 UTC 2022 - william.brown@suse.com

- Update to version 0.17.4~git0.0b05e18:
  * Set 0.17.4 date in changelog
  * Bump `cargo-audit` to 0.17.4
  * Update documentation for 0.17.4; `cargo audit bin` is now officially enabled by default
  * Fix homepage style on mobile (#755)
  * Add comment
  * Only attempt to check for yanked crates for crates coming from crates.io
  * Remove an unused import
  * placate Clippy
  * cargo fmt
  * Fix #747 in `cargo-audit` instead, and don't silence errors that occur during checking for yanked crates
  * Revert "Only check if a package is yanked if it comes from crates.io; fixes #747" This is a significant behavioral change that should only come with a semver bump
  * Add tests validating yank behavior so that #747 can't regress again
  * Only check if a package is yanked if it comes from crates.io; fixes #747
  * Add a test fixture depending on a yanked crate
  * Consolidate CODE_OF_CONDUCT.md files into one; switch to Rust code of conduct (#751)
  * Release rustsec-admin 0.8.3
  * fix links in admin/CHANGELOG.md
  * bump `platforms` to 3.0.2
  * regenerate `platforms` crate
  * Prepare rustsec-admin release

-------------------------------------------------------------------
Tue Nov 01 22:30:54 UTC 2022 - william.brown@suse.com

- Update to version 0.17.3~git0.fdb9752:
  * Set release date in CHANGELOG.md
  * Clarify changelog
  * Depend on rustsec 0.26.3 which added the CachedIndex used in `cargo audit bin`
  * bump cargo-audit to 0.17.3
  * bump rustsec to 0.26.3
  * More complete changelog for rustsec crate
  * Drop obsolete comment - html_root_url no longer exists
  * Add cargo-auditable to home page

-------------------------------------------------------------------
Thu Oct 06 23:44:44 UTC 2022 - william.brown@suse.com

- Update to version 0.17.2~git0.bccf8a5:
  * Don't use --locked in release workflow to allow publishing again
  * cargo-audit: Update CHANGELOG
  * Fix `bin` screenshot URL in the README
  * Skip dotfiles in advisory-db checkout
  * Set the release date in CHANGELOG.md
  * Add the `cargo audit bin` screenshot to README
  * cargo fmt
  * Migrate to the released version of auditable-info

-------------------------------------------------------------------
Mon Oct 3 23:32:29 UTC 2022 - William Brown

- Add _constraints to prevent random failures due to OBS resource issues.

-------------------------------------------------------------------
Wed May 25 00:48:01 UTC 2022 - william.brown@suse.com

- Update to version 0.17.0~git0.5214457:
  * cargo-audit v0.17.0 (#576)
  * rustsec-admin v0.7.0 (#575)
  * rustsec v0.26.0 (#574)
  * rustsec: flatten `advisory::id` module; rename `IdKind` (#573)
  * rustsec: flatten `warnings` module; rename `WarningKind` (#572)
  * rustsec: add `doc_cfg` annotations when building on docs.rs (#571)
  * cargo-audit: terminal output fixups (#570)
  * cargo-lock v8.0.1 (#569)
  * cargo-lock: fix dependency source extraction for V2 lockfiles (#568)
  * build(deps): bump cargo-edit from 0.9.0 to 0.9.1 (#566)

-------------------------------------------------------------------
Tue May 24 04:57:51 UTC 2022 - William Brown

- Automatic update of vendored dependencies

-------------------------------------------------------------------
Tue Apr 5 05:25:07 UTC 2022 - William Brown

- Automatic update of vendored dependencies

-------------------------------------------------------------------
Fri Mar 18 04:46:08 UTC 2022 - William Brown

- Update to use cargo-packaging

-------------------------------------------------------------------
Mon Mar 14 02:50:27 UTC 2022 - william.brown@suse.com

- Update to resolve bsc#1196972 CVE-2022-24713 - Regex DoS

-------------------------------------------------------------------
Wed Mar 02 03:46:39 UTC 2022 - wbrown@suse.de

- Update to vendored libraries to resolve security issues

-------------------------------------------------------------------
Fri Dec 3 01:09:15 UTC 2021 - William Brown

- Fix incorrect license string

-------------------------------------------------------------------
Mon Nov 15 23:19:01 UTC 2021 - wbrown@suse.de

- Update to version 0.16.0~git0.625c965:
  * cargo-audit v0.16.0 (#487)
  * rustsec v0.25.1 (#486)
  * platforms v2.0.0 (#485)
  * platforms: make `Platform::ALL` an inherent constant (#484)
  * platforms: make tier modules non-`pub` (#483)
  * rustsec-admin v0.6.0 (#482)
  * Update atom_syndication to 0.11 (#481)
  * rustsec v0.25.0 (#480)
  * Cargo.lock: bump dependencies (#479)
  * rustsec: flatten API (#478)

-------------------------------------------------------------------
Wed Oct 06 01:20:31 UTC 2021 - wbrown@suse.de

- Update to version 0.15.2~git0.fe0b327:
  * cargo-audit v0.15.2 (#435)
  * rustsec v0.24.3 (#433)
  * Don't label OSV feature as unstable, since OSV 1.0 has shipped
  * cargo-audit+rustsec: add `vendored-libgit2` feature (#432)
  * cargo-audit v0.15.1 (#430)
  * Bump comrak from 0.12.0 to 0.12.1 (#428)
  * Bump git2 from 0.13.21 to 0.13.22 (#427)
  * Bump comrak from 0.11.0 to 0.12.0 (#426)
  * silence Clippy - I want to be explicit here

-------------------------------------------------------------------
Mon Jul 05 05:01:17 UTC 2021 - wbrown@suse.de

- Update to version 0.15.0~git0.16c8aa4:
  * cargo-audit v0.15.0 (#392)
  * rustsec-admin v0.5.0 (#389)
  * README.md: 🦀🛡️📦
  * rustsec v0.24.0 (#388)
  * OSV export (#366)
  * Bump semver from 1.0.1 to 1.0.3
  * Bump semver from 1.0.0 to 1.0.1 (#381)
  * Bump git2 from 0.13.19 to 0.13.20 (#375)
  * Bump crates-index from 0.16.6 to 0.16.7 (#380)
  * cargo-lock v7.0.0 (#379)
  * Bump to semver 1.0.0 (#378)
  * rustsec-admin v0.4.3 (#374)
  * list-affected-versions: Also print the crate in question
  * Bump crates-index from 0.16.5 to 0.16.6
  * Fix doc comments
  * Added docs
  * Clean up the code and commit stuff I forgot to add to git
  * Implement list-affected-versions subcommand, works fine with current DB
  * Add list-affected-versions subcommand stub
  * Clarify error message
  * Update the crates.io index if not up to date
  * Drop ureq dependency
  * cargo fmt
  * Better error reporting
  * Initial untested attempt to get rid of crates.io API querying completely
  * Comment, thanks Alex
  * cargo fmt
  * Fix crates.io API interaction
  * Ditched crates_io_api crate, did the same thing with ureq. Gets rid of tokio and a whole lot of other deps. Fixes breakage due to the recent crates.io API breakage, and prevents similar breakage in the future
  * Add new exit status for errors (#368)
  * Bump git2 from 0.13.18 to 0.13.19 (#365)
  * cargo-lock: add support for V3 format (#363)
  * cvss v1.0.3 (#362)
  * CI: gate workflow execution for PRs on changed files
  * cvss: fixups
  * Update CI badges
  * Add some tier 3 targets
  * Workspace CI configuration
  * Update repo urls in Cargo.toml files
  * README.md: add new toplevel one for workspace
  * platforms: sync with Rust platform support documentation
  * CI configuration
  * Wire up Cargo workspace
  * cargo-audit: prepare for merge into RustSec monorepo
  * rustsec: prepare for merge into RustSec monorepo
  * platforms: prepare for merge into RustSec monorepo
  * cvss: prepare for merge into RustSec monorepo
  * rustsec-admin: prepare for merge into RustSec monorepo
  * rustsec-admin: prepare for merge into RustSec monorepo
  * Web: Add pages per package (#143)
  * v0.4.2 (#142)
  * web: Add back an Atom feed for advisories (#140)
  * Cargo.lock: bump dependencies (#136)
  * Upgrade to GitHub-native Dependabot (#134)
  * v0.4.1 (#135)
  * Display more information on the website (#133)
  * Upgrade to GitHub-native Dependabot (#344)
  * Vendor OpenSSL for arm and musl builds (#343)
  * Bump git2 from 0.13.17 to 0.13.18 (#314)
  * Bump crates-index from 0.16.3 to 0.16.5 (#313)
  * Bump comrak from 0.9.1 to 0.10.0 (#129)
  * Fix typo in comments about mips64. (#36)
  * Bump rustsec from 0.23.2 to 0.23.3 (#128)
  * v0.23.3 (#310)
  * Workaround for stale git refs (#309)
  * Bump rustsec from 0.23.0 to 0.23.2 (#127)
  * v0.23.2 (#308)
  * Rename advisory-db `master` branch to `main` (#307)
  * CI: use actions-rs/audit-check for self-audit (#306)
  * Cargo.lock: bump dependencies (#305)
  * v0.4.0 (#126)
  * v0.3.5 (#124)
  * Use rust-embed for static assets (#122)
  * Add argument to change where website is outputted (#123)
  * v0.23.1 (#301)
  * Bump url from 2.2.0 to 2.2.1 (#98)
  * Fix parsing error on windows (#295)
  * Cargo.lock: bump deps (#296)
  * Bump comrak from 0.9.0 to 0.9.1 (#116)
  * Use a fully Rust based solution for rendering web page (#115)
  * v0.3.4 (#113)
  * Bump `rustsec` crate to v0.23 (#112)
  * v0.23.0 (#292)
  * Cargo.toml: dependency cleanups (#291)
  * Add `thread-safety` category (#290)
  * Rename default branch to `main` (#289)
  * v1.0.1 (#15)
  * Rename default branch to `main` (#14)
  * Cargo.lock: bump deps (#288)
  * v6.0.1 (#96)
  * Rename CI workflow (#95)
  * Rename default branch to `main` (#94)
  * Cargo.lock: bump deps (#93)
  * Bump semver-parser from 0.10.0 to 0.10.2 (#280)
  * v0.3.3 (#106)
  * Cargo.lock: bump dependencies (#105)
  * Rename `master` branch to `main` (#104)
  * CI config improvements (#103)
  * assigner: fix "new year's" bug (#102)
  * Bump handlebars from 3.5.1 to 3.5.2 (#101)
  * Bump platforms from 1.0.3 to 1.1.0 (#279)
  * v1.1.0 (#35)
  * Rename default branch to `main` (#34)
  * Rename GH Actions workflow to "CI" (#33)
  * Update README platform list using table gen
  * Add aarch64-apple-darwin, a.k.a. Apple Silicon macOS
  * Bump serde from 1.0.117 to 1.0.118 (#88)
  * Bump toml from 0.5.7 to 0.5.8 (#89)
  * v0.3.2 (#97)
  * Bump `rustsec` crate to v0.23.0-pre (#96)
  * v0.23.0-pre (#272)
  * Rename `repository::GitRepository` to `repository::git::Repository` (#271)
  * Rename `fetch` Cargo feature to `git` (#270)
  * Use `SystemTime` instead of a `git::Timestamp` type (#269)
  * Add support for omitting leading `[advisory]` table (#268)
  * Mark enums as non_exhaustive (#267)
  * Re-add advisory `references` as a URL list (#266)
  * Replace `chrono` with `humantime` (#265)
  * Bump `smol_str` to v0.1.17; MSRV 1.46+ (#264)
  * Use `url` crate to parse metadata URL (#263)
  * Remove `markdown` feature (#262)
  * Bump termcolor from 1.1.0 to 1.1.1 (#94)
  * Rename `references` to `related` (#261)
  * Bump once_cell from 1.5.1 to 1.5.2 (#259)
  * Bump crates-index from 0.16.0 to 0.16.2 (#260)
  * Bump once_cell from 1.5.0 to 1.5.1 (#92)
  * Cargo.lock: bump deps (#258)
  * Bump once_cell from 1.4.1 to 1.5.1 (#257)
  * .github: rename CI workflow to "CI" (#256)
  * Bump once_cell from 1.4.1 to 1.5.0 (#91)
  * Bump serde from 1.0.116 to 1.0.117 (#86)
  * Bump url from 2.1.1 to 2.2.0 (#87)
  * Bump platforms from 1.0.2 to 1.0.3 (#252)
  * v1.0.3 (#30)
  * fix Platform::guess_current to use actual target architecture (#29)
  * v0.3.1 (#89)
  * Bump `rustsec` crate to v0.22.2 (#88)
  * v0.22.2 (#250)
  * Revert "Refactor Advisory type handling (#246)" (#249)
  * Cargo.lock: bump dependencies (#248)
  * Cargo.lock: bump dependencies (#87)
  * v0.22.1 (#247)
  * Refactor Advisory type handling (#246)
  * Bump handlebars from 3.5.0 to 3.5.1 (#84)
  * Bump toml from 0.5.6 to 0.5.7 (#85)
  * v0.3.0 (#86)
  * Bump `rustsec` crate dependency to v0.22 (#83)
  * v0.22.0 (#245)
  * Bump `cargo-lock` to v6; `semver` to v0.11 (#244)
  * Remove more V2 advisory format vestiges (#243)
  * Remove support for the V2 advisory format (#242)
  * v0.3.0-pre3 (#82)
  * assign-id: fix TOML front matter parsing (#81)
  * v0.3.0-pre2 (#80)
  * Attempt to fix `assign-id` command (#79)
  * v0.22.0-pre3 (#241)
  * advisory: mark the `parser` module as `pub` (#240)
  * Bump thiserror from 1.0.20 to 1.0.21 (#74)
  * Bump rustsec from 0.22.0-pre to 0.22.0-pre2 (#78)
  * Bump thiserror from 1.0.20 to 1.0.21 (#232)
  * clippy fixes (#77)
  * Bump cargo-edit from 0.6.0 to 0.7.0 (#231)
  * v0.22.0-pre2 (#239)
  * advisory/linter: make V2 advisories fail (#238)
  * Bump crates-index from 0.15.4 to 0.16.0 (#237)
  * CI: ignore RUSTSEC-2020-0053 (dirs unmaintained) (#236)
  * Bump toml from 0.5.6 to 0.5.7 (#233)
  * Bump toml from 0.5.6 to 0.5.7 (#85)
  * v0.3.0-pre (#73)
  * Bump `rustsec` crate to v0.22.0-pre (#72)
  * v0.22.0-pre (#230)
  * advisory: laxer function path handling (#229)
  * linter: fully deprecate `obsolete` in favor of `yanked` (#228)
  * advisory: `markdown` feature and `Advisory::description_html` (#227)
  * Refactor changes from `fetch` feature (#213) (#226)
  * linter: add support for V3 advisory format (#225)
  * Bump chrono from 0.4.15 to 0.4.19 (#224)
  * cargo fmt
  * Linter: correctly handle crates with dashes in names
  * v6.0.0 (#84)
  * Bump semver from 0.10.0 to 0.11.0 (#83)
  * Bump handlebars from 3.3.0 to 3.5.0 (#69)
  * Bump `cargo-lock` to v5.0; semver to v0.10; MSRV 1.41+ (#217)
  * v5.0.0 (#82)
  * rustdoc fixups (#81)
  * README.md: switch chat badge to Zulip (#80)
  * 5.0.0-rc (#79)
  * Add `docsrs` cfg (#78)
  * Support for listing a single dependency (#77)
  * Implement/extract Cargo-compatible serializer (#76)
  * Add `--dependencies` and `--sources` flags to `cargo lock list` (#75)
  * Implement `cargo lock tree` without arguments (#74)
  * Add `dependency::Tree::roots()` method (#73)
  * bin: make `list` the default command (#72)
  * Have `cargo lock` command print dependency list (#71)
  * Make `cli` feature non-default (#70)
  * WASM support; MSRV 1.41+ (#69)
  * Bump gumdrop from 0.7.0 to 0.8.0 (#55)
  * Bump serde from 1.0.110 to 1.0.116 (#67)
  * Bump crates-index from 0.15.3 to 0.15.4 (#215)
  * Bump crates-index from 0.15.2 to 0.15.3 (#214)
  * Define "fetch" feature (#213)
  * Bump `platforms` crate to v1; MSRV 1.40+ (#210)
  * v1.0.2 (#28)
  * Remove `const fn` on `Platforms::all`; MSRV 1.40+ (#27)
  * .github: add 'override: true' directives; MSRV 1.46+ (#26)
  * v1.0.1 (#25)
  * Make `Platform::all()` a `const fn` (#24)
  * Refactor `Platform::find` and `::guess_current` (#23)
  * Rename `ALL_PLATFORMS` to `Platform::all()` (#22)
  * v1.0.0 (#21)
  * Update LICENSE-MIT
  * Ensure all types have FromStr, Display, and serde impls
  * Documentation fixups
  * 2018 edition updates
  * Make extensible enums `non_exhaustive`; MSRV 1.40+
  * Update deps; whitelist RUSTSEC-2020-0036 (#208)
  * Bump git2 from 0.13.8 to 0.13.10 (#207)
  * Bump git2 from 0.13.6 to 0.13.8 (#201)
  * Bump chrono from 0.4.11 to 0.4.13 (#200)
  * Bump crates-index from 0.15.0 to 0.15.1 (#202)
  * Fix test
  * Add aarch64-pc-windows-msvc
  * Bump handlebars from 3.2.1 to 3.3.0 (#60)
  * v0.2.1 (#63)
  * Added an output mode for use with the production github action (#62)
  * v0.2.0 (#57)
  * Consistent `assign-id` module naming and comments (#56)
  * linter: refactor into `Linter` struct; check all files (#55)
  * Cargo.lock: update dependencies (#54)
  * Have `assignid` command use new `Date::year` method (#53)
  * Bump `rustsec` crate from 0.20.1 to 0.21 (#52)
  * v0.21.0 (#198)
  * Remove legacy `patched_versions` and `unaffected_versions` (#197)
  * Bump crates-index from 0.14.3 to 0.15.0 (#183)
  * Rename `obsolete` advisories to `yanked` (#196)
  * Make `warning::Kind` a #[non_exhaustive] enum; rename `Kind::Notice` (#195)
  * Make `Informational` a #[non_exhaustive] enum. (#194)
  * Cargo.lock: update dependencies (#193)
  * CHANGELOG.md: reformat for keepachangelog.com (#192)
  * Add `year`, `month`, and `day` methods to `advisory::Date` (#191)
  * add 'unsound' informational advisory kind (#189)
  * Resolves #30
  * v0.20.1 (#186)
  * Add `advisory::Id::numerical_part()` (#185)
  * Refer to Cargo.lock in help for translate (#62)
  * Bump handlebars from 3.0.1 to 3.1.0
  * Bump serde from 1.0.104 to 1.0.110
  * Bump petgraph from 0.5.0 to 0.5.1
  * Bump semver from 0.9.0 to 0.10.0
  * Fix clippy errors
  * Cargo.lock: update dependencies
  * .github: ignore RUSTSEC-2020-0016
  * Bump rustsec from 0.19.0 to 0.20.0
  * v0.20.0
  * Make `WarningInfo` into a simple type alias
  * Bump thiserror from 1.0.10 to 1.0.16
  * Bump rustsec from 0.18.0 to 0.19.0
  * v0.19.0
  * Refactor package scopes (fixes #153)
  * V3 Advisory Format
  * Bump thiserror from 1.0.15 to 1.0.16
  * Bump git2 from 0.13.4 to 0.13.5
  * Bump MSRV to 1.40
  * Bump dependencies to link libgit2 dynamically
  * Cargo.lock: update dependencies
  * address PR comments
  * address PR comments
  * clippy fix
  * add WarningInfo. modify Warning struct
  * Cargo.lock: update dependencies
  * Cargo.lock: update dependencies
  * lib.rs: fix incorrect flag in documentation
  * Drop support for the V1 advisory format
  * Update dependencies
  * Cargo.lock: Update dependencies
  * Bump rustsec from 0.17.1 to 0.18.0
  * v0.18.0
  * Move yanked crate auditing to `cargo-audit`
  * Bump abscissa_core from 0.5.1 to 0.5.2
  * security_audit.yml: Fix branch name
  * Bump thiserror from 1.0.9 to 1.0.10
  * Bump thiserror from 1.0.9 to 1.0.10
  * Bump handlebars from 3.0.0 to 3.0.1
  * Bump handlebars from 2.0.4 to 3.0.0
  * Bump rustsec from 0.17.0 to 0.17.1
  * v0.17.1
  * Update `cargo-lock` requirement from 3.0 to 4.0
  * Cargo.lock: Update to V2 lockfile format
  * README.md: Document CLI `list` and `tree` subcommands
  * v4.0.1
  * cli: fix executable name
  * v4.0.0
  * cli: `list` subcommand
  * cli: `tree` subcommand
  * .github: add security audit
  * Initial CLI with `translate` subcommand
  * Add From<[u8; 32]> impl for Checksum
  * Add helper methods for working with checksum metadata
  * Minor documentation improvements
  * Use minified version of Cargo's SourceId type
  * Bump handlebars from 2.0.2 to 2.0.4
  * Bump abscissa_core from 0.5.0 to 0.5.1
  * Bump serde from 1.0.101 to 1.0.104
  * [Security] Bump http from 0.1.18 to 0.1.21
  * Overhaul encoding: use serde_derive, proper V1/V2 support
  * Bump termcolor from 1.0.5 to 1.1.0
  * (Re-)Add Serialize impl for Lockfile (fixes #32)
  * Add support for Cargo.lock `patch` and `root` (fixes #30)
  * Detect V1 vs V2 Cargo.lock files (fixes #26)
  * Update petgraph requirement from 0.4 to 0.5
  * Add `package::Checksum`
  * Bump once_cell from 1.2.0 to 1.3.1
  * Bump rustsec from 0.16.0 to 0.17.0
  * Cargo.lock: check in; add `actions-rs` caching
  * v0.17.0
  * Upgrade `cargo-edit` to v0.5.0 release; MSRV 1.39+
  * Bump once_cell from 1.2.0 to 1.3.0
  * Bump toml from 0.5.5 to 0.5.6
  * Have `Fixer` take a reference to `Vulnerability`
  * Extract `cargo audit fix` logic into `Fixer`
  * Warn for yanked crates
  * add badge from deps.rs
  * upgrade dependencies
  * Upgrade to Abscissa v0.5
  * Add vendored-openssl feature
  * refactored package_scope's source attribute to vector of sources
  * switched from lazy_static to once_cell for database tests
  * fixed formatting
  * made advisory db in database test static mutex
  * fixed tests for vulnerability querying and changed PackageScope to struct
  * added tests for package scope consideration in vulnerability querying
  * added package scope for querying vulnerabilities
  * try to fix #127
  * Bump MSRV to 1.36
  * Try to auto-detect proxy setting
  * v0.16.0
  * Remove `support.toml` parsing
  * v0.15.2
  * version: Fix matching bug for `>` version requirements
  * v0.1.1
  * Upgrade to `rustsec` crate v0.15.1
  * v0.15.1
  * actions: Run cargo-audit, test MSRV, test on Windows
  * .github: Use actions-rs GitHub Actions config
  * .github: Use actions-rs GitHub Actions config
  * .github: Use actions-rs GitHub Actions config
  * .github: Use actions-rs GitHub Actions config
  * .github: Use actions-rs GitHub Actions config
  * linter: Add "informational" as an allowable [advisory] key
  * repository: Expose `authentication` module
  * v0.15.0
  * Upgrade to `cargo-lock` crate v3
  * v3.0.0
  * Support [[dependencies]] without versions
  * v0.14.1
  * lib.rs: Remove botched `petgraph` re-export
  * Upgrade to cargo-lock v2.0
  * v2.0.0
  * Use two-pass dependency tree computation
  * v2.0.0-pre
  * Remove `Lockfile::root_package()`
  * Cargo.toml: Fix links
  * Cargo.toml: Fix `repository` link
  * cli: Move to new repository
  * v0.1.0
  * linter: Rename command to `lint`; use Abscissa statuses
  * README.md: Header quoting fixup
  * v0.2.1
  * .github/workflows/rust.yml: Initial GitHub Actions config
  * Import implementation from the `rustsec` crate repo
  * .github/workflows/rust.yml: Initial GitHub actions config
  * v0.14.0
  * Initial commit
  * warning: Extract into module; make more like `Vulnerability`
  * Upgrade to `cvss` crate v1.0
  * v1.0.0
  * .github/workflows/rust.yml: Migrate to GitHub Actions
  * .github/workflows/rust.yml: Update template
  * Upgrade to `cargo-lock` crate v1.0
  * v1.0.0
  * dependency/tree: Render trees to an io::Write
  * v1.0.0-pre
  * metadata: Generalize into `Key` and `Value` types
  * .github/workflows/rust.yml: Trigger on [push]
  * .github/workflows/rust.yml: Initial Actions config
  * Refactor dependency handling
  * cli: Add `rustsec web` subcommand
  * cli: Add `rustsec check` subcommand
  * cli: Initial application boilerplate
  * v0.13.0
  * Finish GitHub Actions migration
  * rust.yml: Initial GitHub actions config
  * v0.13.0-alpha4
  * linter: Ensure advisory date's year matches year in advisory ID
  * v0.13.0-alpha3
  * v0.2.1
  * Allow empty `[metadata]` in Cargo.lock files
  * Use the `cargo-lock` crate
  * v0.2.0
  * dependency_graph: Move petgraph types into a module
  * Fix links and add badges
  * v0.1.0
  * Index DependencyGraph by package::Release
  * Import `DependencyGraph` from the `rustsec` crate
  * Import implementation from the `rustsec` crate
  * .travis.yml: Initial Travis CI config
  * Initial commit
  * v0.13.0-alpha2
  * lockfile: Add (optional) DependencyGraph analysis
  * v0.13.0-alpha1
  * Fix unaffected versions
  * Restructure Vulnerability
  * Rename 'db' module to 'database'
  * report: Generate warnings for selected informational advisories
  * vulnerability: Add affected_functions()
  * Add advisory::Linter
  * package: Parse dependencies from Cargo.lock
  * Initial `report` module and built-in report-generating
  * v0.3.0
  * Support for re-serializing CVSS v3.0 values
  * CVSS v3.0 parsing support
  * severity: Add `FromStr` and `serde` support
  * Use index allocation for storing advisories
  * Basic query support
  * Index the `rust` advisory directory from RustSec/advisory-db
  * Add first-class support for GitHub Security Advisories (GHSA)
  * Re-vendor Cargo's git authentication code
  * Further broaden categories
  * support.toml for indicating supported versions
  * Add support for "informational" advisories (closes #134)
  * Add `advisory::Category` (closes RustSec/advisory-db#69)
  * Refactor advisory types: add [affected] and
[versions] sections * advisory: Add (optional) `cvss` field with CVSS v3.1 score * v0.2.0 * Add `Base::exploitability` and `impact` methods; docs * serde support * Freshen deps: add `home`, remove `directories` and `failure` * Cargo.toml/README.md: Fix broken/missing links * v0.1.0 * .travis.yml: Initial configuration * Initial commit * Improve lints and deny policy * Improved handling of prereleases; MSRV 1.35+ * Add `Version` and `VersionReq` newtypes * v0.12.1 * Use new inclusive range syntax * v0.12.0 * Update dependencies and use 2018 import conventions; Rust 1.32+ * Properly set up target::os::TARGET_OS const for unknown OS * Re-export all types in advisory::paths::* * v0.11.0 * Cargo.toml: Update 'platforms' crate to v0.2 * v0.2.0 * Update platforms to match RustForge * Redo 'affected_functions' as 'affected_paths' * Update to Rust 2018 edition * v0.10.0 * CHANGES.md: Redo formatting * Implement "affected_functions" advisory attribute * AdvisoryDatabase::advisories_for_crate: Handle unaffected_versions * Update to Rust 2018 edition * v0.9.3 * Create parents of the advisory DB repo dir * v0.9.2 * Handle cloning advisory DB into existing, empty dir * Gate `no_dupes_test` under "std" * Test all possible feature combinations * Fix no_std support when using "serde" feature * README.md: Move "Documentation" link up * README.md: Use backticks instead of "scare quotes" * use home_dir() instead of environment variable HOME * use ~/.cargo if CARGO_HOME is unset * Derives Deserialize for Vulnerabilities and Vulnerability * Derive Serialize for Packages, Vulnerabilities, and Vulnerability * v0.9.1 * Use Cargo's git authentication helper * v0.1.4 * x86_64-apple-darwin: fix typo in target triple name * Have markdown-table-gen output links to Platform structs on docs.rs * v0.1.3 * Cargo.toml: Fix Travis CI badge * v0.1.2 * markdown-table-gen: Markdown-formatted platform table generator * v0.1.1 * impl {Display, Error} for packages::Error * v0.9.0 * rustsec-client -> 
rustsec-crate * Use "platforms" crate for platform-related functionality * v0.1.0 * Remove duplicate target::OS::from_str() method * Add `guess_current()` * Optional serde support * v0.0.1 * Initial commit * PlatformReq documentation improvements * v0.8.0 * CHANGES.md: Fix links * Advisory platform requirements * advisory/keyword.rs: Cargo-like keyword support * v0.7.5 * Allow AdvisoryId::new() to parse "RUSTSEC-0000-0000" * v0.7.4 * Add link to logo image for docs.rs * v0.7.3 * Fix builds with --no-default-features * repository/commit.rs: Comment fixup * README.md: Tighten up title * v0.7.2 * README.md: Badge fixups, add gitter badge * v0.7.1 * Cargo.toml: Formatting fixups, add "readme" attribute * v0.7.0 * v0.7.0-alpha3 * Refactor advisory iterator * v0.7.0-alpha2 * Validate dates are well-formed * Add AdvisoryIdKind and limited support for parsing advisory IDs * Add a "Vulnerabilities" collection struct * src/repository: Refactor into multiple modules * v0.7.0-alpha1 * Support converting advisory::Date into chrono::Date * Parse git signatures as Strings * Parse aliases, references, and unaffected versions * Parse (but do not yet verify) signatures on advisory-db commits * Parse individual advisory .toml files rather than Advisories.toml * Switch to git2-based fetcher for advisory-db * advisory.rs: Move AdvisoryId definition below Advisory * Use serde to parse advisories TOML and Cargo.lock files * Use 'failure' crate for error handling * Cargo.toml: Update dependencies * Adopt the Contributor Covenant (version 1.4) * Factor integration tests into the tests/ directory * .travis.yml: Allow failures on OS X and enable fast finish * Fix clippy 0.0.212 nits * Run rustfmt 0.8.2-nightly (5e599251 2018-07-02) * Remove redundant documentation link * Bump version to 0.6.0 and update CHANGES.md * Use semver::Version for lockfile::Package versions * Move AdvisoryDatabase under the ::db module * Lockfile support * Bump version to 0.5.2 and update CHANGES.md * Add 
AdvisoryDatabase::fetch_from_url() * Bump version to 0.5.1 and update CHANGES.md * Make "advisory" and "error" modules public * Bump version to 0.5.0 and update CHANGES.md * Use str version param for AdvisoryDatabase::find_vulns_for_crate() * Bump version to 0.4.0 and update CHANGES.md * Add AdvisoryDatabase::find_vulns_for_crate() * Bump version to 0.3.0 and update CHANGES.md * Rename `crate_name` back to `package` * Bump version to 0.2.0 and update CHANGES.md * Rename `package` TOML attribute to `crate_name` * Add iterator support to AdvisoryDatabase * Add docs badge to README.md * Spell out crate name explicitly * Add About section to README * Bump version to 0.1.0 and update CHANGES.md * Add AdvisoryDatabase struct * Fix more README links * Fix link in README * Initial implementation * Add LICENSEs and other README improvements * Initial commit ------------------------------------------------------------------- Mon Jul 05 04:53:39 UTC 2021 - wbrown@suse.de - Update to version 0.14.1~git0.e46dce8: * v0.14.1 (#342) * Cargo.lock: update several dependencies (#341) * Generate release builds with github actions (#337) * Cargo.lock: bump various dependencies (#335) * Bump rustsec from 0.23.2 to 0.23.3 (#333) * v0.14.0 (#330) * Cargo.lock: bump `rustsec` to v0.23.2 (#329) * README.md: fix "Report Vulnerability" button (#328) * Rename 'master' branch to 'main' * Bump `rustsec` dependency to v0.23; MSRV 1.46+ (#327) ------------------------------------------------------------------- Wed Jun 02 06:01:51 UTC 2021 - wbrown@suse.de - Update _service to use upstream monorepo and cargo-audit - Update to version 0.14.1~git0.e46dce8: * v0.14.1 (#342) * Cargo.lock: update several dependencies (#341) * Generate release builds with github actions (#337) * Cargo.lock: bump various dependencies (#335) * Bump rustsec from 0.23.2 to 0.23.3 (#333) * v0.14.0 (#330) * Cargo.lock: bump `rustsec` to v0.23.2 (#329) * README.md: fix "Report Vulnerability" button (#328) * Rename 'master' 
branch to 'main' * Bump `rustsec` dependency to v0.23; MSRV 1.46+ (#327) ------------------------------------------------------------------- Wed Mar 17 00:41:16 UTC 2021 - wbrown@suse.de - Update to version 0.14.0~git0.08c9f3e: * v0.14.0 (#330) * Cargo.lock: bump `rustsec` to v0.23.2 (#329) * README.md: fix "Report Vulnerability" button (#328) * Rename 'master' branch to 'main' * Bump `rustsec` dependency to v0.23; MSRV 1.46+ (#327) * Enable informational warnings with deny (#320) * When running in no-fetch mode, allow accessing a non-git repo. (#315) * Update README.md (#298) * Cargo.lock: bump deps (#283) * Bump once_cell from 1.4.1 to 1.5.0 (#282) ------------------------------------------------------------------- Tue Mar 02 23:41:56 UTC 2021 - wbrown@suse.de - Update to version 0.13.1~git5.7797fd5: * When running in no-fetch mode, allow accessing a non-git repo. (#315) * Update README.md (#298) * Cargo.lock: bump deps (#283) * Bump once_cell from 1.4.1 to 1.5.0 (#282) * CHANGELOG.md: add note about #206 as part of the v0.13.0 release ------------------------------------------------------------------- Tue Feb 23 03:11:36 UTC 2021 - William Brown - Initial submission of v0.13.1