
`WARNING: Dependency file was never scanned:...` errors

Open S-Coyle opened this issue 5 years ago • 8 comments

I'd like to run cargo-geiger as a stage in our CI, for information only. I've tried it out locally & on CI on a couple of our crates and I seem to always see `WARNING: Dependency file was never scanned:...` warnings, which cause the CI step to exit with 1, i.e. fail. See example on CI here.

Tried running cargo update and cargo +nightly udeps to help rule out there being an outdated or unused dep in there but no difference/no unused deps.

Are you able to shed any light on why it's not scanning some dependency files?

S-Coyle avatar Nov 23 '20 16:11 S-Coyle

Thanks for the report!

I'm guessing this could be related to procedural macros. The next step should be to create a minimal example project using rustversion that seems to be involved.

anderejd avatar Nov 29 '20 16:11 anderejd

@S-Coyle GitHub returns

No check run found with ID 1443079338 for this pull request.

for the URL you posted. Does this warning still appear? I couldn't reproduce it locally on the latest commit of bls_signature_aggregator

qrilka avatar Feb 25 '21 19:02 qrilka

@qrilka Thanks for taking a look - seems those warnings are not present any more 🎉 (new scan link here).

There's been minimal development in the linked crate I tested this on since I reported this issue last year, so I suspect the fix has come from the cargo-geiger end, great to see it working for me 😄

I assume it's ok to close this issue

S-Coyle avatar Mar 01 '21 12:03 S-Coyle

@qrilka I'm reopening as I've just tried in another of our repos and I'm seeing 4 of the same `WARNING: Dependency file was never scanned:...` errors. See here for an up to date example

Update - tried in a selection of our other repos locally & seems the larger crates all fail with the warnings, while the simpler/smaller crates are usually fine.

S-Coyle avatar Mar 01 '21 14:03 S-Coyle

Just to keep it here in case GitHub deletes the action run above: it's commit e788f5587c3492a82d25e3c0ffa2effcc963c075 of https://github.com/maidsafe/sn_messaging and the lines with the warning are:

0/0        13/13        0/0    0/0     0/0      !  ├── tiny-keccak 2.0.2
0/0        0/0          0/0    0/0     0/0      ?  └── xor_name 1.1.11
                                                  [dev-dependencies]
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/typenum-1.12.0/src/private.rs
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/typenum-1.12.0/src/type_operators.rs
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/typenum-1.12.0/src/uint.rs
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs
0/14       0/364        0/2    0/0     0/11     ?  ├── anyhow 1.0.38
0/0        6/6          0/0    0/0     0/0      !  └── rand_xorshift 0.2.0

#119 seems to be also valid in this case :)

qrilka avatar Mar 01 '21 16:03 qrilka

I'm getting this error with cargo-geiger built from source today (commit 8d1a2647a6a37acffa2261ce494397f4fd5691a2) running on a project that uses rustls:

+ cargo geiger --update-readme --readme-path Readme.md.tmp --output-format GitHubMarkdown
   Compiling cc v1.0.67
    Checking spin v0.5.2
    Checking untrusted v0.7.1
   Compiling log v0.4.14
    Checking cfg-if v1.0.0
    Checking base64 v0.13.0
    Checking rustls-pemfile v0.2.0
   Compiling ring v0.16.20
    Checking webpki v0.21.4
    Checking sct v0.6.0
    Checking rustls v0.19.0
    Checking ...
    Finished dev [unoptimized + debuginfo] target(s) in 10.00s
    Scanning done
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-p256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ed25519.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-encryption.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pkcs1-sha512.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-p384.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pss-sha512.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/ec/suite_b/ecdsa/ecPublicKey_p256_pkcs8_v1_template.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/ec/suite_b/ecdsa/ecPublicKey_p384_pkcs8_v1_template.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pkcs1-sha384.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-sha256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pss-sha256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/ec/curve25519/ed25519/ed25519_pkcs8_v2_template.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ecdsa-sha384.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pkcs1-sha256.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.16.20/src/data/alg-rsa-encryption.der
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-rsa-pss-sha384.der
error: Found 16 warnings

mleonhard avatar Mar 19 '21 04:03 mleonhard

Things have changed a bit over a year -

However -

Just summa summarum from current state here - two different errors right now -

  • First is code that should be perhaps included or not included and
  • Second is about geiger for some reason including the DER data files which we may be able to prevent as it's not code.

Not getting any warnings on maidsafe/bls_signature_aggregator w/ current 0.11.2 or git version to replicate

repro

    docker run -ti --rm rust /bin/bash
    cargo install cargo-geiger --git https://github.com/rust-secure-code/cargo-geiger --force
    mkdir app ; cd app
    git clone <repo> .
    cargo geiger

Meanwhile for maidsafe/sn_messaging (I had to bump dbg that was using unavailable aes dep) gives error on base-x crate which comes via multibase dependency (real e.g. non-build/dev dep)

    Finished dev [unoptimized + debuginfo] target(s) in 18.21s
Failed to parse file: /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs, Syn(Error("expected one of: `::`, `<`, `_`, literal, `const`, `ref`, `mut`, `&`, parentheses, square brackets, `..`, `const`"), "/usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs") 
    Scanning done
WARNING: Dependency file was never scanned: /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs

It might be something to do with this

   Updating crates.io index
   Compiling base-x v0.2.8 (/app)
warning: anonymous parameters are deprecated and will be removed in the next edition
  --> src/decoder.rs:16:13
   |
16 |     fn iter(&'a str) -> Self::Iter;
   |             ^^^^^^^ help: try naming the parameter or explicitly ignoring it: `_: &'a str`
   |
   = note: `#[warn(anonymous_parameters)]` on by default
   = warning: this is accepted in the current edition (Rust 2015) but is a hard error in Rust 2018!
   = note: for more information, see issue #41686 <https://github.com/rust-lang/rust/issues/41686>

warning: anonymous parameters are deprecated and will be removed in the next edition
  --> src/decoder.rs:17:21
   |
17 |     fn carry(&self, <Self::Iter as std::iter::Iterator>::Item) -> Option<u32>;
   |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: try naming the parameter or explicitly ignoring it: `_: <Self::Iter as std::iter::Iterator>::Item`
   |
   = warning: this is accepted in the current edition (Rust 2015) but is a hard error in Rust 2018!
   = note: for more information, see issue #41686 <https://github.com/rust-lang/rust/issues/41686>

warning: `base-x` (lib) generated 2 warnings
    Finished dev [unoptimized + debuginfo] target(s) in 1.43s

Actions To Resolve

  • [ ] Figure out what to do with base-x compile warnings whether this messes up things
  • [ ] See if we can remove warnings from .DER data files and whether this is feasible
  • [ ] Document expectations what/what not on Warnings
  • [ ] Improve Warnings reporting in general (Next Major version)

@mleonhard if you could - we could have the .DER issue separately "DER Data files Warning" if you want to raise or I can just comment progress here - thanks a lot 💜

pinkforest avatar Jan 06 '22 07:01 pinkforest
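
The comment above separates two kinds of warning: Rust source that was skipped, and non-code data files such as `.der`. The following is an added shell example, not part of the thread or of cargo-geiger, that triages a saved `cargo geiger` log along that line for a CI stage. The function names and the pass/fail policy are assumptions; the sample log is constructed by combining lines quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or from cargo-geiger): triage the
# "never scanned" warnings found in a saved cargo-geiger log.

# stdin: log text. stdout: "<kind> <crate-version> <file>" per warning,
# where kind is "source" for .rs files and "data" for anything else.
classify_never_scanned() {
    sed -n 's/.*WARNING: Dependency file was never scanned: //p' |
    while IFS= read -r path; do
        case "$path" in
            */registry/src/*/*/*)
                rel=${path#*/registry/src/*/}   # drop the registry prefix
                crate=${rel%%/*}; file=${rel#*/} ;;
            *)  crate=-; file=$path ;;          # path outside a registry
        esac
        case "$path" in
            *.rs) kind=source ;;
            *)    kind=data ;;
        esac
        printf '%s %s %s\n' "$kind" "$crate" "$file"
    done
}

# Assumed policy: fail (status 1) only when Rust source was skipped, because
# the unsafe counts do not cover those files; data-only warnings pass.
gate_never_scanned() {
    report=$(classify_never_scanned)
    src=$(printf '%s\n' "$report" | grep -c '^source ' || true)
    data=$(printf '%s\n' "$report" | grep -c '^data ' || true)
    crates=$(printf '%s\n' "$report" |
        sed -n 's/^source \([^ ]*\) .*/\1/p' | sort -u | tr '\n' ' ')
    printf 'source=%s data=%s source_crates=%s\n' "$src" "$data" "${crates% }"
    [ "$src" -eq 0 ]
}

# Constructed sample: warning lines combined from the logs in this thread.
sample_log() {
    cat <<'EOF'
    Scanning done
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/typenum-1.12.0/src/uint.rs
WARNING: Dependency file was never scanned: /usr/share/rust/.cargo/registry/src/github.com-1ecc6299db9ec823/base-x-0.2.8/src/decoder.rs
WARNING: Dependency file was never scanned: /Users/user/.cargo/registry/src/github.com-1ecc6299db9ec823/webpki-0.21.4/src/data/alg-ed25519.der
error: Found 3 warnings
EOF
}

sample_log | gate_never_scanned || echo "Rust source was skipped: review the crates listed above"
```

In CI the log would come from something like `cargo geiger > geiger.log 2>&1 || true`, followed by `gate_never_scanned < geiger.log`, so that the tool's own exit code no longer decides the stage.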

I'm getting this error, and it's not related to DER files, exactly what does it mean (I've read the comments and am none the wiser)?

$ cargo geiger --all-dependencies
    Checking reverse_string v1.2.0 (SCRUBBED/reverse-string)
    Finished dev [unoptimized + debuginfo] target(s) in 0.16s
    Scanning done
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/word.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/tables.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-reverse-1.0.8/src/lib.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/grapheme.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/sentence.rs
WARNING: Dependency file was never scanned: SCRUBBED/.cargo/registry/src/github.com-1ecc6299db9ec823/unicode-segmentation-1.9.0/src/lib.rs

I have the reproduction at hand, since this is a small exercism.io project.

lestephane avatar Mar 19 '22 08:03 lestephane