
feat: adds support for ignores

Open moliva opened this issue 3 years ago • 12 comments

  • Adds support for cargo audit --ignore
  • Configurable input by comma separated input string as GH Actions does not support sequences as inputs
  • Bumps version to 1.3.2
  • Adds .nvmrc pinning Node v16 to avoid the issue with unsupported envelope routines

Usage example:

jobs:
  security_audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: moliva/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          ignore: "RUSTSEC-2020-0159, RUSTSEC-2020-0071"

This version can be used FTTB with this option installed: moliva/[email protected].

moliva avatar May 10 '22 12:05 moliva
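As an added example (not code from this PR or from the actions-rs project), the following shows one way to turn the comma-separated `ignore` input described above into an argument vector for `cargo audit --ignore`. The function names `parseIgnoreInput` and `auditArgs` and the `RUSTSEC-YYYY-NNNN` pattern check are assumptions of this example, not the action's own implementation.

```typescript
// Added example, not the action's own code: convert the comma-separated
// `ignore` input (GitHub Actions inputs are strings, never sequences)
// into separate `--ignore <id>` arguments for `cargo audit`.

// Assumed shape of an advisory id, e.g. RUSTSEC-2020-0159.
const RUSTSEC_ID = /^RUSTSEC-\d{4}-\d{4}$/;

interface ParsedIgnore {
  ids: string[];      // accepted advisory ids, deduplicated, in input order
  rejected: string[]; // entries that do not look like a RUSTSEC id
}

// Split on commas, trim whitespace, drop empty entries such as "a,,b" or a
// trailing comma, deduplicate, and separate malformed entries for reporting.
function parseIgnoreInput(raw: string): ParsedIgnore {
  const ids: string[] = [];
  const rejected: string[] = [];
  for (const part of raw.split(",")) {
    const id = part.trim();
    if (id === "") continue;
    if (!RUSTSEC_ID.test(id)) {
      rejected.push(id);
      continue;
    }
    if (!ids.includes(id)) ids.push(id);
  }
  return { ids, rejected };
}

// Build the argv for `cargo` (without the program name). Each id becomes its
// own "--ignore", "<id>" pair so the values are passed as discrete arguments
// rather than interpolated into a shell string. A malformed id fails the
// build instead of being silently dropped, since a typo would otherwise
// leave the advisory un-ignored without anyone noticing.
function auditArgs(ignoreInput: string): string[] {
  const { ids, rejected } = parseIgnoreInput(ignoreInput);
  if (rejected.length > 0) {
    throw new Error(
      `ignore input contains malformed advisory ids: ${rejected.join(", ")}`
    );
  }
  const args = ["audit"];
  for (const id of ids) {
    args.push("--ignore", id);
  }
  return args;
}

// Constructed sample input matching the usage example in this PR.
const sampleArgs = auditArgs("RUSTSEC-2020-0159, RUSTSEC-2020-0071");
// sampleArgs is ["audit", "--ignore", "RUSTSEC-2020-0159", "--ignore", "RUSTSEC-2020-0071"]
```

The resulting array is what you would hand to an argv-based process runner (for example `@actions/exec` with `cargo` as the command), which keeps advisory ids from ever being interpreted by a shell. Rejecting unknown-looking entries is a deliberate fail-closed choice: an ignore list that quietly loses an entry is worse than a build that refuses to run.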

This would be a blast! There are several use cases where we'd like to ignore some smaller reported issues. An example is the chrono package which has a segmentation fault issue for a specific Linux distribution. But chrono is used in many packages as dependency and is not yet updated.

buehler avatar Jun 13 '22 14:06 buehler

Would it be possible to support the ignore syntax mentioned in https://github.com/actions-rs/audit-check/issues/223?

maujim avatar Jun 14 '22 16:06 maujim

Would it be possible to support the ignore syntax mentioned in #223?

The original implementation used this array/list format, but it seems GitHub Actions input doesn't support anything but strings (at least up to this point in time).

moliva avatar Jun 17 '22 12:06 moliva

Hi @svartalf -- any chance you could take a look at this PR?

djmitche avatar Jul 04 '22 19:07 djmitche

@moliva I think you need to add the new input to https://github.com/actions-rs/audit-check/blob/master/action.yml#L8 as well

Looks like this should probably work

inputs:
  token:
    description: GitHub Actions token
    required: true
  ignore:
    description: Comma-separated list of advisory ids to ignore
    required: false

matschaffer avatar Jul 20 '22 02:07 matschaffer

This would be really useful re: https://github.com/actions-rs/audit-check/issues/223 - any thing blocking this from getting merged?

0xAlcibiades avatar Jul 22 '22 19:07 0xAlcibiades

This repo seems pretty quiet. You all are welcome to depend on https://github.com/GothenburgBitFactory/audit-check in the interim, or of course you can fork the action yourself.

@matschaffer thanks - I can add that on the fork.

djmitche avatar Jul 23 '22 15:07 djmitche

Thanks @djmitche - seems to work a treat! https://github.com/matschaffer/zero2prod/runs/7492523985?check_suite_focus=true

matschaffer avatar Jul 25 '22 02:07 matschaffer

@moliva I think you need to add the new input to https://github.com/actions-rs/audit-check/blob/master/action.yml#L8 as well

Looks like this should probably work

inputs:
  token:
    description: GitHub Actions token
    required: true
  ignore:
    description: Comma-separated list of advisory ids to ignore
    required: false

Thanks @matschaffer , I wasn't aware of that file. This PR by itself is already working for me, I've been using it mostly because of chrono's potential issues, see here.

moliva avatar Aug 04 '22 22:08 moliva

So it turns out that .cargo/audit.toml can be used to ignore things, too -- I just had it in the wrong directory (fix in https://github.com/GothenburgBitFactory/taskwarrior/pull/2903). So the fork probably isn't necessary!

djmitche avatar Aug 06 '22 18:08 djmitche

Ooooh! nice find!

matschaffer avatar Aug 15 '22 01:08 matschaffer

There were a lot of outdated dependencies which have been brought relatively up to date at:

We've forked to rustsec/audit-check

Have also forked actions-rs/core to rinse-repeat/audit-rs-core

pinkforest avatar Mar 27 '23 14:03 pinkforest