rustsec
cargo audit crashes with "invalid Cargo.lock dependency tree: ..."
cargo-audit 0.20.0 crashes when run on the master branch of the Nix repository. The problem seems to be that the master branch uses a git dependency, and specifies a git branch rather than a revision. But this problem is only reproducible when cargo-audit is built in a way that honors the Cargo.lock file. Doing a cargo install ignores Cargo.lock, and the resulting binary works. Both 0.20.0 and the main branch are affected. Both rust nightly and rust 1.77.0 are affected, though the 0.20.0 branch doesn't compile with rust nightly.
Steps to reproduce:
$ git clone git@github.com:nix-rust/nix.git
$ git clone git@github.com:rustsec/rustsec.git
$ cd rustsec/cargo-audit
$ git checkout cargo-audit/v0.20.0 # optional
$ cargo +1.77.0 run -- audit -f ../../nix/Cargo.lock
Finished dev [unoptimized + debuginfo] target(s) in 0.43s
Running `/usr/home/somers/src/rust/rustsec/target/debug/cargo-audit audit -f ../../nix/Cargo.lock`
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 647 security advisories (from /home/somers/.cargo/advisory-db)
Updating crates.io index
Scanning ../../nix/Cargo.lock for vulnerabilities (55 crate dependencies)
The application panicked (crashed).
Message: invalid Cargo.lock dependency tree: Resolution("failed to find dependency: libc 0.2.156 (git+https://github.com/rust-lang/libc?branch=libc-0.2)")
Location: cargo-audit/src/presenter.rs:114
Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
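The resolution failure above, as an added example that is not cargo-audit's code or the issue author's: a minimal Cargo.lock dependency-edge checker in Rust (standard library only) that resolves every "name [version] [(source)]" dependency spec to its [[package]] entry. It assumes Cargo's lockfile convention that a git package's `source` carries the resolved commit as a `#<sha>` URL fragment while dependency specs list the source without it, so the two have to be compared with the fragment stripped. The sample lockfile, its second crates.io `libc` entry, the `missing` dependency and the commit hash are constructed, not the nix repository's real lockfile. Run with exact-source comparison the checker produces the same "failed to find dependency" text for the branch-pinned git dependency; whether that is the actual defect inside cargo-audit is not established on this page.

```rust
// Added example, not cargo-audit's or the issue author's code: a minimal
// Cargo.lock dependency-edge checker showing the source-matching rule a git
// dependency pinned by branch needs (spec source vs. package source with "#<commit>").
#[derive(Debug, Clone, Default, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,
    pub dependencies: Vec<String>,
}

/// Parse only the subset of Cargo.lock the sample uses: `[[package]]` tables with
/// string name/version/source keys and a multi-line `dependencies = [ ... ]` array.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages: Vec<Package> = Vec::new();
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" { packages.push(Package::default()); in_deps = false; continue; }
        // Lines before the first table (header, "version = 3") are skipped.
        let pkg = match packages.last_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line == "]" { in_deps = false; }
            else { pkg.dependencies.push(line.trim_end_matches(',').trim_matches('"').to_string()); }
        } else if let Some((key, value)) = line.split_once(" = ") {
            let value = value.trim_matches('"');
            match key {
                "name" => pkg.name = value.to_string(),
                "version" => pkg.version = value.to_string(),
                "source" => pkg.source = Some(value.to_string()),
                "dependencies" => in_deps = value == "[",
                _ => {} // checksum and anything else is irrelevant here
            }
        }
    }
    packages
}

/// Cargo records a git package's resolved commit as a URL fragment on the package
/// `source` ("...?branch=x#<sha>") but writes dependency specs without that fragment.
pub fn without_fragment(source: &str) -> &str {
    source.split('#').next().unwrap_or(source)
}

/// Resolve one spec to exactly one package. With `exact_source` the fragment is
/// compared too, which is enough to turn a valid lockfile into
/// "failed to find dependency: ..." for every branch-pinned git dependency.
pub fn resolve<'a>(packages: &'a [Package], spec: &str, exact_source: bool) -> Result<&'a Package, String> {
    let mut parts = spec.splitn(3, ' ');
    let name = parts.next().unwrap_or("");
    let version = parts.next();
    let source = parts.next().map(|s| s.trim_start_matches('(').trim_end_matches(')'));
    let hits: Vec<&Package> = packages.iter().filter(|p| {
        p.name == name
            && version.map_or(true, |v| p.version == v)
            && source.map_or(true, |s| match p.source.as_deref() {
                Some(ps) if exact_source => ps == s,
                Some(ps) => without_fragment(ps) == without_fragment(s),
                None => false,
            })
    }).collect();
    match hits.len() {
        1 => Ok(hits[0]),
        0 => Err(format!("failed to find dependency: {}", spec)),
        n => Err(format!("ambiguous dependency: {} matches {} packages", spec, n)),
    }
}

/// Walk every dependency edge and collect the ones that fail to resolve.
pub fn check_tree(packages: &[Package], exact_source: bool) -> Vec<String> {
    let mut errors = Vec::new();
    for p in packages {
        for spec in &p.dependencies {
            if let Err(e) = resolve(packages, spec, exact_source) {
                errors.push(format!("{} {}: {}", p.name, p.version, e));
            }
        }
    }
    errors
}

/// Constructed sample, not the nix repository's real lockfile: two `libc` packages
/// (crates.io and a git branch) force Cargo to disambiguate the git one with a full
/// "name version (source)" spec. The commit hash is made up.
pub const SAMPLE_LOCK: &str = r##"
[[package]]
name = "libc"
version = "0.2.155"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "libc"
version = "0.2.156"
source = "git+https://github.com/rust-lang/libc?branch=libc-0.2#0123456789abcdef0123456789abcdef01234567"

[[package]]
name = "nix"
version = "0.29.0"
dependencies = [
 "libc 0.2.156 (git+https://github.com/rust-lang/libc?branch=libc-0.2)",
 "missing",
]
"##;

fn main() {
    let packages = parse_lockfile(SAMPLE_LOCK);
    println!("fragment-aware: {:?}", check_tree(&packages, false));
    println!("exact-source:   {:?}", check_tree(&packages, true));
}
```

With the fragment-aware comparison only the constructed `missing` edge fails; with exact-source comparison the git `libc` edge fails as well, with the same message shape the panic above reports. A spec with no version or source (`"libc"` here) is reported as ambiguous rather than silently picking one entry, which is the behaviour a lockfile checker wants when two packages share a name.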