rustsec
Private registries - Unsupported auth method?
Hello!
We are switching to use a private registry alongside crates.io.
The private registry (CloudSmith) is using HTTP basic authentication, but cargo audit does not seem to support it:
```
#!/bin/bash -eo pipefail
cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
Loaded 113 security advisories (from /usr/local/cargo/advisory-db)
Updating crates.io index
warning: couldn't update crates.io index: registry: authentication required but no callback set; class=Ssh (23)
Updating crates.io index
Updating `https://dl.cloudsmith.io/basic/XXX/XXX/cargo/index.git` index
error: failed to get `XXX` as a dependency of package `XXX v0.3.1 (/home/circleci/project/src/pubsub)`
Caused by:
failed to load source for dependency `XXX`
Caused by:
Unable to update registry `https://dl.cloudsmith.io/basic/XXX/XXX/cargo/index.git`
Caused by:
failed to fetch `https://dl.cloudsmith.io/basic/XXX/XXX/cargo/index.git`
Caused by:
failed to authenticate when downloading repository
* attempted to find username/password via `credential.helper`, but maybe the found credentials were incorrect
if the git CLI succeeds then `net.git-fetch-with-cli` may help here
https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli
Caused by:
server requires authentication that we do not support; class=Http (34)
```
I can't find any documentation around the type of auth that cargo-audit supports at the moment - can you help me here?
Related: would you be interested in supporting HTTP Basic auth (e.g. if we wanted to contribute a patch)?
I think this might be related to the crates_index crate? It'd be good to narrow that down first.
Sure, let me do some more investigation :+1: