Add support for --locked & --frozen (#359)

* Add support for --locked & --frozen

The --offline flag now also disables fetching of the advisory database
for the check subcommand

* Update CHANGELOG

* Add --locked flag to self check

.github/workflows/ci.yaml

@@ -79,7 +79,7 @@ jobs:
         # we release, but wasn't exercised until now
         run: cargo install --path . --debug --target ${{ matrix.target }} --features standalone
       - name: self check
-        run: cargo deny -L debug --all-features check
+        run: cargo deny -L debug --all-features --locked check
       - name: check external users
         run: ./scripts/check_external.sh
 

CHANGELOG.md

@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Added
+- [PR#353](https://github.com/EmbarkStudios/cargo-deny/pull/353) resolved [#351](https://github.com/EmbarkStudios/cargo-deny/issues/351) by adding the `sources.private` field to blanket allow git repositories sourced from a particular url.
+- [PR#359](https://github.com/EmbarkStudios/cargo-deny/pull/359) resolved [#341](https://github.com/EmbarkStudios/cargo-deny/issues/341) and [#357](https://github.com/EmbarkStudios/cargo-deny/issues/357) by adding support for the [`--frozen`, `--locked`, and `--offline`](https://doc.rust-lang.org/cargo/commands/cargo-metadata.html#manifest-options) flags to determine whether network access is allowed, and whether the `Cargo.lock` file can be created and/or modified.
 ### Changed
 - [PR#358](https://github.com/EmbarkStudios/cargo-deny/pull/358) bumped the Minimum Stable Rust Version to **1.53.0**.
 - [PR#358](https://github.com/EmbarkStudios/cargo-deny/pull/358) bumped various dependencies, notably `semver` to `1.0.3`.

Cargo.toml

@@ -27,7 +27,7 @@ path = "src/cargo-deny/main.rs"
 default = ["vendored-openssl"]
 # Allows the use of a vendored version openssl when compiling libgit, which allows
 # us to compile static executables (eg musl) and avoid system dependencies
-vendored-openssl = ["rustsec/vendored-openssl"]
+vendored-openssl = ["rustsec/vendored-openssl", "git2/vendored-openssl"]
 # Allows embedding cargo as a library so that we can run in minimal (eg container)
 # environments that don't need to have cargo/rust installed on them for cargo-deny
 # to still function
@@ -59,7 +59,7 @@ similar = "1.3"
 # Logging utilities
 fern = "0.6"
 # We directly interact with git when doing index operations eg during fix
-git2 = { version = "0.13", features = ["vendored-openssl"] }
+git2 = "0.13"
 # We need to figure out HOME/CARGO_HOME in some cases
 home = "0.5"
 # Provides graphs on top of cargo_metadata

src/cargo-deny/check.rs

@@ -29,27 +29,27 @@ pub struct Args {
     ///
     /// Defaults to <cwd>/deny.toml if not specified
     #[structopt(short, long, parse(from_os_str))]
-    config: Option<PathBuf>,
+    pub config: Option<PathBuf>,
     /// Path to graph_output root directory
     ///
     /// If set, a dotviz graph will be created for whenever multiple versions of the same crate are detected.
     ///
     /// Each file will be created at <dir>/graph_output/<crate_name>.dot. <dir>/graph_output/* is deleted and recreated each run.
     #[structopt(short, long, parse(from_os_str))]
-    graph: Option<PathBuf>,
+    pub graph: Option<PathBuf>,
     /// Hides the inclusion graph when printing out info for a crate
     #[structopt(long)]
-    hide_inclusion_graph: bool,
+    pub hide_inclusion_graph: bool,
     /// Disable fetching of the advisory database
     ///
     /// When running the `advisories` check, the configured advisory database will be fetched and opened. If this flag is passed, the database won't be fetched, but an error will occur if it doesn't already exist locally.
     #[structopt(short, long)]
-    disable_fetch: bool,
+    pub disable_fetch: bool,
     /// To ease transition from cargo-audit to cargo-deny, this flag will tell cargo-deny to output the exact same output as cargo-audit would, to `stdout` instead of `stderr`, just as with cargo-audit.
     ///
     /// Note that this flag only applies when the output format is JSON, and note that since cargo-deny supports multiple advisory databases, instead of a single JSON object, there will be 1 for each unique advisory database.
     #[structopt(long)]
-    audit_compatible_output: bool,
+    pub audit_compatible_output: bool,
     /// Show stats for all the checks, regardless of the log-level
     #[structopt(short, long = "show-stats")]
     pub show_stats: bool,
@@ -58,7 +58,7 @@ pub struct Args {
         possible_values = &WhichCheck::variants(),
         case_insensitive = true,
     )]
-    which: Vec<WhichCheck>,
+    pub which: Vec<WhichCheck>,
 }
 
 #[derive(Deserialize)]

src/cargo-deny/common.rs

@@ -57,6 +57,8 @@ pub struct KrateContext {
     pub no_default_features: bool,
     pub all_features: bool,
     pub features: Vec<String>,
+    pub frozen: bool,
+    pub locked: bool,
     pub offline: bool,
 }
 
@@ -101,6 +103,8 @@ impl KrateContext {
             all_features: self.all_features,
             features: self.features,
             manifest_path: self.manifest_path,
+            frozen: self.frozen,
+            locked: self.locked,
             offline: self.offline,
         })?;
 
@@ -166,6 +170,8 @@ struct MetadataOptions {
     all_features: bool,
     features: Vec<String>,
     manifest_path: PathBuf,
+    frozen: bool,
+    locked: bool,
     offline: bool,
 }
 
@@ -181,12 +187,13 @@ fn get_metadata(opts: MetadataOptions) -> Result<krates::cm::Metadata, anyhow::E
         mdc.all_features();
     }
 
-    mdc.features(opts.features);
-    mdc.manifest_path(opts.manifest_path);
-
-    if opts.offline {
-        mdc.other_options(std::iter::once("--offline".to_owned()));
-    }
+    mdc.features(opts.features)
+        .manifest_path(opts.manifest_path)
+        .lock_opts(krates::LockOptions {
+            frozen: opts.frozen,
+            locked: opts.locked,
+            offline: opts.offline,
+        });
 
     let mdc: krates::cm::MetadataCommand = mdc.into();
     Ok(mdc.exec()?)
@@ -199,9 +206,17 @@ fn get_metadata(opts: MetadataOptions) -> Result<krates::cm::Metadata, anyhow::E
 
     let mut config = util::Config::default()?;
 
-    if opts.offline {
-        config.configure(0, true, None, false, false, opts.offline, &None, &[], &[])?;
-    }
+    config.configure(
+        0,
+        true,
+        None,
+        opts.frozen,
+        opts.locked,
+        opts.offline,
+        &None,
+        &[],
+        &[],
+    )?;
 
     let mut manifest_path = opts.manifest_path;
 

src/cargo-deny/main.rs

@@ -174,7 +174,13 @@ pub(crate) struct GraphContext {
     /// Space or comma separated list of features to activate
     #[structopt(long, use_delimiter = true)]
     pub(crate) features: Vec<String>,
-    /// Run without accessing the network
+    /// Require Cargo.lock and cache are up to date
+    #[structopt(long)]
+    pub(crate) frozen: bool,
+    /// Require Cargo.lock is up to date
+    #[structopt(long)]
+    pub(crate) locked: bool,
+    /// Run without accessing the network. If used with the `check` subcommand, this also disables advisory database fetching.
     #[structopt(long)]
     pub(crate) offline: bool,
 }
@@ -360,6 +366,8 @@ fn real_main() -> Result<(), Error> {
         no_default_features: args.ctx.no_default_features,
         all_features: args.ctx.all_features,
         features: args.ctx.features,
+        frozen: args.ctx.frozen,
+        locked: args.ctx.locked,
         offline: args.ctx.offline,
     };
 
@@ -370,8 +378,14 @@ fn real_main() -> Result<(), Error> {
     };
 
     match args.cmd {
-        Command::Check(cargs) => {
+        Command::Check(mut cargs) => {
             let show_stats = cargs.show_stats;
+
+            if args.ctx.offline {
+                log::info!("network access disabled via --offline flag, disabling advisory database fetching");
+                cargs.disable_fetch = true;
+            }
+
             let stats = check::cmd(log_ctx, cargs, krate_ctx)?;
 
             let errors = stats.total_errors();