Fixup (#327)

* Fix detects_unsound test by using failure Previously the test was using rand_core for the unsound check, but its advisory was updated to say the version we were pointed to was actually patched, so moved to failure since it also has an unsound issue, but is also unmaintained, which should mean the advisory should stay relevant in perpetuity. * Fix clippy lints * Update cargo to fix weird compilation issue * Ignore cargo-about for now
EmbarkStudios · Feb 10, 2021 · ae13015 · ae13015
1 parent 5d148d7
commit ae13015
Show file tree

Hide file tree

Showing 11 changed files with 232 additions and 44 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -45,7 +45,7 @@ atty = "0.2"
 # Used to track various things during check runs
 bitvec = { version = "0.19", features = ["alloc"] }
 # Allows us to do eg cargo metadata operations without relying on an external cargo
-cargo = { version = "0.48", optional = true }
+cargo = { version = "0.50", optional = true }
 # Timey wimey stuff
 chrono = "0.4"
 # Used for diagnostic reporting
@@ -55,7 +55,7 @@ codespan-reporting = "0.9"
 crossbeam = "0.8"
 # We use this for displaying diffs for dry runs of the `fix` subcommand, as
 # as in tests for printing easy to read errors
-difference = "2.0.0"
+difference = "2.0"
 # Logging utilities
 fern = "0.6"
 # We directly interact with git when doing index operations eg during fix
@@ -80,7 +80,7 @@ semver = "0.11"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 # Avoid some heap allocations when we likely won't need them
-smallvec = "1.4"
+smallvec = "1.6"
 # Versions of smol_str > 0.1.16 include code that only works on latest stable
 # (1.46+) which is far too aggressive for what is just a transitive dependency
 smol_str = { version = "=0.1.16" }

diff --git a/deny.toml b/deny.toml
@@ -17,6 +17,8 @@ ignore = [
     "RUSTSEC-2020-0036",
     # cargo uses a a vulnerable version of sized-chunks
     "RUSTSEC-2020-0041",
+    # difference is unmaintained but suits our needs just fine
+    "RUSTSEC-2020-0095",
 ]
 
 [bans]
@@ -30,8 +32,6 @@ skip = [
     { name = "crossbeam-utils", version = "=0.7.2" },
     # cargo uses crypto-hash, which uses an old version
     { name = "hex", version = "=0.3.2" },
-    # cargo depends on both 2.0.1 (direct) and 1.3.0 via env_logger
-    { name = "humantime", version = "=1.3.0" },
     # cargo uses an older version of semver
     { name = "semver", version = "=0.10.0" },
     { name = "semver-parser", version = "=0.7.0" },

diff --git a/examples/06_advisories/Cargo.lock b/examples/06_advisories/Cargo.lock
diff --git a/examples/06_advisories/Cargo.toml b/examples/06_advisories/Cargo.toml
@@ -12,6 +12,9 @@ ammonia = "=0.7.0"
 # Transitively depends on an ammonia 1.2.0
 artifact_serde = "0.3.1"
 
+# Failure has an unsound advisory (and is unmaintained)
+failure = "=0.1.8"
+
 # libusb is unmaintained
 # https://github.com/RustSec/advisory-db/blob/5b35b71cf74eed58696aeeb5a764a9f0a66fe7ba/crates/libusb/RUSTSEC-2016-0004.toml
 libusb = "0.3.0"

diff --git a/scripts/check_external.rs b/scripts/check_external.rs
@@ -1,6 +1,6 @@
 const REPOS: &[&str] = &[
     "git://github.com/EmbarkStudios/ash-molten.git",
-    "git://github.com/EmbarkStudios/cargo-about.git",
+    //"git://github.com/EmbarkStudios/cargo-about.git",
     //"git://github.com/EmbarkStudios/cargo-fetcher.git",
     "git://github.com/bitshifter/glam-rs.git",
     "git://github.com/EmbarkStudios/physx-rs.git",

diff --git a/src/diag/obj_grapher.rs b/src/diag/obj_grapher.rs
@@ -22,7 +22,7 @@ fn is_false(v: &bool) -> bool {
 }
 
 fn is_normal(v: &'static str) -> bool {
-    v == ""
+    v.is_empty()
 }
 
 #[allow(clippy::ptr_arg)]

diff --git a/src/index/mod.rs b/src/index/mod.rs
@@ -74,7 +74,7 @@ impl IndexKrate {
             "looks like a different Cargo's cache, bailing out"
         );
 
-        fn split<'a>(haystack: &'a [u8], needle: u8) -> impl Iterator<Item = &'a [u8]> + 'a {
+        fn split(haystack: &[u8], needle: u8) -> impl Iterator<Item = &[u8]> {
             struct Split<'a> {
                 haystack: &'a [u8],
                 needle: u8,

diff --git a/tests/advisories.rs b/tests/advisories.rs
@@ -197,10 +197,14 @@ fn detects_unsound() {
     )
     .unwrap();
 
-    let unsound_diag = find_by_code(&diags, "RUSTSEC-2019-0035").unwrap();
+    let unsound_diag = find_by_code(&diags, "RUSTSEC-2019-0036").unwrap();
 
     assert_field_eq!(unsound_diag, "/fields/severity", "warning");
-    assert_field_eq!(unsound_diag, "/fields/message", "Unaligned memory access");
+    assert_field_eq!(
+        unsound_diag,
+        "/fields/message",
+        "Type confusion if __private_get_type_id__ is overriden"
+    );
     assert_field_eq!(
         unsound_diag,
         "/fields/labels/0/message",
@@ -209,7 +213,7 @@ fn detects_unsound() {
     assert_field_eq!(
         unsound_diag,
         "/fields/labels/0/span",
-        "rand_core 0.3.1 registry+https://github.com/rust-lang/crates.io-index"
+        "failure 0.1.8 registry+https://github.com/rust-lang/crates.io-index"
     );
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -22,7 +22,7 @@ fn is_false(v: &bool) -> bool { @@
     }
     fn is_normal(v: &'static str) -> bool {
-        v == ""
+        v.is_empty()
     }
     #[allow(clippy::ptr_arg)]
@@ Expand Down @@