
Bad semver parsing?

Open shekohex opened this issue 4 years ago • 2 comments

Do the checklist before filing an issue:

  • [ ] Is this related to the actions-rs Actions? If you think it's a problem related to Github Actions in general, use GitHub Community forum instead: https://github.community
  • [x] You've read the Contributing section about bugs reporting: https://github.com/actions-rs/.github/blob/master/CONTRIBUTING.md#reporting-bugs
  • [ ] Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.

Description

audit-check or cargo-audit does not parse the semver of x.x.x-beta.x versions correctly?

Workflow code

name: Security Audit

on:
  schedule:
    - cron: '0 0 * * *'
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
  pull_request:

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

Action output

I got this issue opened by the github-actions user:

Multiple memory safety issues

Details

Package: actix-web
Version: 4.0.0-beta.1
URL: https://github.com/actix/actix-web/issues/289
Date: 2018-06-08
Patched versions: >=0.7.15

Affected versions contain multiple memory safety issues, such as:

  • Unsoundly coercing immutable references to mutable references
  • Unsoundly extending lifetimes of strings
  • Adding the Send marker trait to objects that cannot be safely sent between threads

This may result in a variety of memory corruption scenarios, most likely use-after-free.

A significant refactoring effort has been conducted to resolve these issues.

See advisory page for additional details.

Expected behavior

Notice the version of actix-web I use? It is 4.0.0-beta.1, and this bug was patched and fixed like 3 years ago, in version 0.7.15.

It should not report a bug.

Additional context

I'm not sure, but the problem is the code is private, so I could only share a subset of it. Also, feel free to guide me to open the same issue at another repo if it is not related to the audit-check action.

shekohex avatar Jan 29 '21 11:01 shekohex
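The mismatch described in this issue, as an added example that is not code from the issue, cargo-audit or actions-rs: it assumes (an assumption, not stated on the page) that the cause is the common semver rule under which a prerelease version never satisfies a plain `>=0.7.15` requirement, and contrasts that with a precedence comparison that gives the expected answer for 4.0.0-beta.1 while still flagging a prerelease of 0.7.15 itself.

```rust
// Added example, not code from the issue, cargo-audit or actions-rs: why a
// prerelease such as 4.0.0-beta.1 can be flagged against "Patched versions >=0.7.15".
// Assumes the cause is the usual semver prerelease matching rule (see the lead-in).
use std::cmp::Ordering;

struct Version { major: u64, minor: u64, patch: u64, pre: Option<String> }

/// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix (build metadata unsupported).
fn parse(s: &str) -> Option<Version> {
    let (core, pre) = match s.split_once('-') {
        Some((c, p)) => (c, Some(p.to_string())),
        None => (s, None),
    };
    let mut it = core.split('.').map(|n| n.parse::<u64>().ok());
    let (major, minor, patch) = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { return None; }
    Some(Version { major, minor, patch, pre })
}

/// Precedence per semver: compare the numeric core, then a prerelease sorts
/// below the plain release of the same core (4.0.0-beta.1 < 4.0.0).
fn precedence(a: &Version, b: &Version) -> Ordering {
    (a.major, a.minor, a.patch).cmp(&(b.major, b.minor, b.patch)).then_with(|| {
        match (&a.pre, &b.pre) {
            (None, None) => Ordering::Equal,
            (Some(_), None) => Ordering::Less,
            (None, Some(_)) => Ordering::Greater,
            (Some(x), Some(y)) => x.cmp(y), // simplified: lexical, not per-identifier
        }
    })
}

/// The advisory's patched range: ">=0.7.15".
const PATCHED_MIN: &str = "0.7.15";

/// Library-style matching: a prerelease version satisfies ">=X" only when X itself
/// carries a prerelease on the same major.minor.patch. A plain ">=0.7.15" therefore
/// rejects every prerelease, and 4.0.0-beta.1 is reported as unpatched (false positive).
fn unpatched_prerelease_rule(version: &str) -> bool {
    let (v, min) = (parse(version).unwrap(), parse(PATCHED_MIN).unwrap());
    let same_core = (v.major, v.minor, v.patch) == (min.major, min.minor, min.patch);
    if v.pre.is_some() && !(min.pre.is_some() && same_core) { return true; }
    precedence(&v, &min) == Ordering::Less
}

/// Precedence-only check: unpatched only if the version really sorts below 0.7.15.
/// Still catches 0.7.15-rc.1, which predates the fix, while clearing 4.0.0-beta.1.
fn unpatched_by_precedence(version: &str) -> bool {
    precedence(&parse(version).unwrap(), &parse(PATCHED_MIN).unwrap()) == Ordering::Less
}
```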

This is a bug in cargo-audit, tracked in https://github.com/RustSec/rustsec/issues/300. It was fixed in v0.15 of cargo-audit.

mhutter avatar Jul 04 '21 19:07 mhutter

Is there a way to use the latest version of cargo-audit in this action?

Rydgel avatar Sep 07 '21 09:09 Rydgel