
Commit 2d58a17

ci: switch audit test from using cargo-audit to cargo-deny
`cargo-audit` goes through all crates in the Cargo.lock, which includes crates which are pulled as transitive dependencies of some crates but not used in any of our binaries. Switching to `cargo-deny` fixes this since it only checks crates which are a part of our dependency tree for our binaries.

Similar to `cargo-audit`, we need to install `cargo-deny` each time to avoid a possibility of it breaking if the advisory database suddenly updates the format it uses. But for the sake of speed, we now install with the `--debug` flag to install a debug binary (install in this case means "compile"). This saves time and does not affect the result.

`cargo-audit` is also used in the license check test, but that test is fine using the potentially older version of the tool from the devctr.

Signed-off-by: Egor Lazarchuk <yegorlz@amazon.co.uk>
1 parent e04e55f commit 2d58a17

2 files changed

Lines changed: 49 additions & 13 deletions


deny.toml

Lines changed: 18 additions & 0 deletions
@@ -1,3 +1,21 @@
1+
[graph]
2+
all-features = true
3+
4+
[advisories]
5+
yanked = "deny"
6+
unmaintained = "all"
7+
unsound = "all"
8+
ignore = [
9+
# `rand` unsoundness when a custom logger re-enters `rand::rng()`/`thread_rng()`
10+
# during ThreadRng reseeding. Firecracker is not affected:
11+
# - uuid (1.23.0): does not enable `fast-rng` or `rng-rand` features, so it uses
12+
# `getrandom` directly and never calls into rand.
13+
# - proptest: uses rand 0.9 with `default-features = false` and does not enable
14+
# the `thread_rng` feature, so the affected functions are not compiled in.
15+
# See https://rustsec.org/advisories/RUSTSEC-2026-0097.html
16+
"RUSTSEC-2026-0097",
17+
]
18+
119
[licenses]
220
version = 2
321
allow = [
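Review bot: the justification for ignoring RUSTSEC-2026-0097 rests on `uuid` and `proptest` not enabling their rand-backed features, but `all-features = true` under `[graph]` makes cargo-deny resolve the workspace with every workspace feature switched on, so if any feature of a Firecracker crate turns on `uuid`'s `fast-rng`/`rng-rand` the stated reason no longer holds; please confirm against the all-features graph (e.g. `cargo tree -e features -i uuid --all-features`) and say in the comment that this was checked. Since the entry has no expiry, consider also carrying the rationale in the entry itself, `{ id = "RUSTSEC-2026-0097", reason = "..." }` (supported by recent cargo-deny releases), so it is shown in `cargo deny` output and not only in the file.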

tests/integration_tests/security/test_sec_audit.py

Lines changed: 31 additions & 13 deletions
@@ -6,11 +6,12 @@
66

77
import pytest
88

9+
from framework import utils
10+
from framework.defs import FC_WORKSPACE_DIR
911
from framework.ab_test import (
1012
git_ab_test_host_command_if_pr,
1113
set_did_not_grow_comparator,
1214
)
13-
from framework.utils import CommandReturn
1415
from framework.utils_cpuid import CpuVendor, get_cpu_vendor
1516

1617

@@ -23,19 +24,36 @@ def test_cargo_audit():
2324
Run cargo audit to check for crates with security vulnerabilities.
2425
"""
2526

26-
def set_of_vulnerabilities(output: CommandReturn):
27-
output = json.loads(output.stdout)
28-
29-
return set(
30-
frozenset(vulnerability)
31-
for vulnerability in output["vulnerabilities"]["list"]
32-
).union(
33-
frozenset(warning)
34-
for warning_kind, warnings in output["warnings"].items()
35-
for warning in warnings
36-
)
27+
def set_of_vulnerabilities(output: utils.CommandReturn):
28+
# The `stdout` will contain one `json` payload per line
29+
findings = set()
30+
for line in output.stderr.splitlines():
31+
line = line.strip()
32+
if not line:
33+
continue
34+
entry = json.loads(line)
35+
# There is also `summary` type, which is of not interest for us
36+
if entry["type"] != "diagnostic":
37+
continue
38+
fields = entry["fields"]
39+
advisory = fields.get("advisory") or {}
40+
# Identify a finding by its code, advisory id and affected crate;
41+
# Findings without an advisory (e.g. yanked crates) fall back to
42+
# the crate from the dependency graph.
43+
krate = (fields.get("graphs") or [{}])[0].get("Krate", {})
44+
findings.add(
45+
(
46+
fields.get("code"),
47+
advisory.get("id"),
48+
advisory.get("package") or krate.get("name"),
49+
)
50+
)
51+
return findings
52+
53+
utils.run_cmd("cargo install --locked cargo-deny --debug")
54+
toml_file = FC_WORKSPACE_DIR / "Cargo.toml"
3755

3856
git_ab_test_host_command_if_pr(
39-
"cargo install --locked cargo-audit && cargo audit --deny warnings -q --json",
57+
f"cargo deny --manifest-path {toml_file} -f json check advisories",
4058
comparator=set_did_not_grow_comparator(set_of_vulnerabilities),
4159
)
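Review bot: the comment `# The \`stdout\` will contain one \`json\` payload per line` contradicts the loop directly beneath it, which iterates `output.stderr.splitlines()`; since the JSON diagnostics are read from stderr, the comment should say `stderr` (and ideally why), otherwise the next reader will assume the wrong stream. While here, `# There is also \`summary\` type, which is of not interest for us` should read `which is of no interest to us`, and the function name `test_cargo_audit` with its docstring `Run cargo audit to check for crates with security vulnerabilities.` still describe the old tool, so rename and reword them for cargo-deny. One behavioural detail worth stating in the comment: `krate` is taken from the first element of `graphs` only, so a finding without an advisory that reaches the crate through several dependency paths collapses to that first crate; that is acceptable for the did-not-grow comparison but is not obvious from the code.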
