cargo-deny icon indicating copy to clipboard operation
cargo-deny copied to clipboard
verified publisher icon EmbarkStudios

Bug: bans.build allow-build-scripts error does not show computed hash when using non-default build script path

Open tv42 opened this issue 9 months ago • 1 comments

Describe the bug

Normally cargo deny check ban outputs error with the computed hash, for easy copy-pasting. When a crate uses a non-default build = in its Cargo.toml, this does not happen.

To reproduce

Normal case (I've intentionally corrupted the hash to trigger this error):

$ cargo deny check ban --hide-inclusion-graph
warning[checksum-mismatch]: file did not match the expected checksum
   ┌─ /blah/deny.toml:31:17
   │
31 │ build-script = "baf4e7f4b6b69ebf659ab35a8324d5dcdeb06209c35fef9ebe1d1035d8c48454"
   │                 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ expected checksum
   │
   ├ path = '$CARGO_HOME/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-rs-1.13.1/build.rs'
   ├ error = build script failed checksum: checksum mismatch, calculated baf4e7f4b6b69ebf659ab35a8324d5dcdeb06209c35fef9ebe1d1035d8c48455

error[build-script-not-allowed]: crate 'aws-lc-rs = 1.13.1' has a build script but is not allowed to have on

Weird case:

$ cargo deny check ban
error[build-script-not-allowed]: crate 'aws-lc-sys = 0.29.0' has a build script but is not allowed to have one
$ grep ^build ~/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.29.0/Cargo.toml
build = "builder/main.rs"

cargo-deny version

cargo-deny 0.18.2

What OS were you running cargo-deny on?

Linux

Additional context

No response

tv42 avatar May 13 '25 20:05 tv42

Even if I get the sha256 myself, it never matches.

[[bans.build.bypass]]
crate = "aws-lc-sys"
build-script = "e8e389f69f556256f9c00702ead273e942c35aca823274d2e305dcd2f7d6b9ea"

$ cargo deny check ban --hide-inclusion-graph
error[build-script-not-allowed]: crate 'aws-lc-sys = 0.29.0' has a build script but is not allowed to have one
bans FAILED
$ sha256sum ~/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.29.0/builder/main.rs
e8e389f69f556256f9c00702ead273e942c35aca823274d2e305dcd2f7d6b9ea  /blah/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/aws-lc-sys-0.29.0/builder/main.rs

I guess in this case that's a good thing, because that's a full crate with modules, and the hash would only cover one file. But the error behavior could definitely be better!

tv42 avatar May 13 '25 20:05 tv42