Warn about security advisories for cratres being added with `cargo add`

### Problem

A user can add a crate with a security advisory and not know it unless they know of the third-party `cargo audit`, install it, and run it.

### Proposed Solution

Integrate `cargo audit` checks into `cargo add` when adding a new registry dependency

### Notes

Inspired by [conversation on zulip about checking it in cargo](https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/Check.20RustSec.20vulnerability.20database.20by.20default)

It looks like we

- [Fetch a repository](https://docs.rs/rustsec/0.25.1/rustsec/struct.Repository.html)
  - rustsec::repository::git::Repository::default_path
  - rustsec::repository::git::DEFAULT_URL
- [Load the database from repo](https://docs.rs/rustsec/0.25.1/rustsec/database/struct.Database.html)
- Run a query on the database
- Report it to the user ([example from cargo-audit](https://github.com/rustsec/rustsec/blob/8c28625ec849a0fc32c243ea07efd4b03ec891b3/cargo-audit/src/presenter.rs#L69))

We might be blocked on https://github.com/rustsec/rustsec/issues/490

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Warn about security advisories for cratres being added with `cargo add` #10654

epage
openedon May 11, 2022

Problem

Proposed Solution

Notes

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Warn about security advisories for cratres being added with cargo add #10654

Description

epageopenedon May 11, 2022