Merge pull request #86 from RustSec/rustsec/v0.11.0

Update to 'rustsec' crate v0.11
2026-01-18 09:24:34 +01:00 · 2019-01-13 18:00:45 -08:00
parent ced185dcc3 cb4f7d11af
commit 7005341641
9 changed files with 36 additions and 28 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,8 @@
 language: rust
-script: cargo run check # check that the advisory-db is well-formed
+cache: cargo
+
+# check that the advisory-db is well-formed
+script: cargo run check

 branches:
  only:
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,19 +1,16 @@
 [package]
-name = "rustsec-advisory-db"
+name        = "rustsec-advisory-db"
 description = "Security advisory database for Rust crates published through crates.io"
-version = "0.0.0"
-authors = ["Tony Arcieri <bascule@gmail.com>"]
-license-file = "LICENSE.txt"
-repository = "https://github.com/rustsec/advisory-db"
-documentation = "https://github.com/rustsec/advisory-db"
-categories = ["api-bindings", "development-tools"]
-keywords = ["rustsec", "security", "advisory", "vulnerability"]
+version     = "0.0.0"
+authors     = ["Tony Arcieri <bascule@gmail.com>"]
+edition     = "2018"
+publish     = false

 [[bin]]
 name = "rustsec-advisory-db"

 [dependencies]
-gumdrop = "0.4"
-gumdrop_derive = "0.4"
-rustsec = "0.10"
+gumdrop = "0.5"
+gumdrop_derive = "0.5"
+rustsec = "0.11"
 crates_io_api = "0.3"
--- a/README.md
+++ b/README.md
@@ -1,12 +1,12 @@
 # RustSec Advisory Database

 [![Build Status][build-image]][build-link]
-![Maintained][maintained-image]
+![Maintained: Q1 2019][maintained-image]
 [![Gitter Chat][gitter-image]][gitter-link]

 [build-image]: https://travis-ci.org/RustSec/advisory-db.svg?branch=master
 [build-link]: https://travis-ci.org/RustSec/advisory-db
-[maintained-image]: https://img.shields.io/maintenance/yes/2018.svg
+[maintained-image]: https://img.shields.io/maintenance/yes/2019.svg
 [gitter-image]: https://badges.gitter.im/badge.svg
 [gitter-link]: https://gitter.im/RustSec/Lobby

--- a/crates/base64/RUSTSEC-2017-0004.toml
+++ b/crates/base64/RUSTSEC-2017-0004.toml
@@ -19,4 +19,3 @@ and possibly the execution of arbitrary code.
 This flaw was corrected by using checked arithmetic to calculate
 the size of the buffer.
 """
-affected_functions = ["base64::encode_config","base64::encode_config_buf"]
--- a/crates/hyper/RUSTSEC-2017-0002.toml
+++ b/crates/hyper/RUSTSEC-2017-0002.toml
@@ -14,4 +14,3 @@ is if an application constructs headers based on unsanitized user input.
 This issue was fixed by replacing all newline characters with a space during serialization of
 a header value.
 """
-affected_functions = ["hyper::header::Headers::set"]
--- a/crates/smallvec/RUSTSEC-2018-0003.toml
+++ b/crates/smallvec/RUSTSEC-2018-0003.toml
@@ -20,4 +20,3 @@ they will not be dropped more than once.

 Thank you to @Vurich for reporting this bug.
 """
-affected_functions = ["smallvec::SmallVec::insert_many"]
--- a/crates/tar/RUSTSEC-2018-0002.toml
+++ b/crates/tar/RUSTSEC-2018-0002.toml
@@ -23,4 +23,3 @@ This has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is
 published as `tar` 0.4.16. Thanks to Max Justicz for discovering this and
 emailing about the issue!
 """
-affected_functions = ["tar::Entry::unpack_in"]
--- a/crates/untrusted/RUSTSEC-2018-0001.toml
+++ b/crates/untrusted/RUSTSEC-2018-0001.toml
@@ -20,4 +20,3 @@ The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also
 advisable that users of untrusted check for their sources for cases where errors
 returned by untrusted are not handled correctly.
 """
-affected_functions = ["untrusted::Reader::skip_and_get_input"]
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,8 +1,4 @@
-extern crate crates_io_api;
-extern crate gumdrop;
-#[macro_use]
-extern crate gumdrop_derive;
-extern crate rustsec;
+#![allow(clippy::never_loop)]

 use gumdrop::Options;
 use rustsec::{AdvisoryDatabase, Repository};
@@ -93,10 +89,12 @@ fn check() {
 fn check_advisory(cratesio_client: &crates_io_api::SyncClient, advisory: &rustsec::Advisory) {
    let response = cratesio_client
        .get_crate(advisory.package.as_str())
-        .expect(&format!(
-            "Failed to get package from crates.io: {}",
-            advisory.package.as_str()
-        ));
+        .unwrap_or_else(|_| {
+            panic!(
+                "Failed to get package from crates.io: {}",
+                advisory.package.as_str()
+            )
+        });

    if response.crate_data.name != advisory.package.as_str() {
        panic!(
@@ -104,4 +102,19 @@ fn check_advisory(cratesio_client: &crates_io_api::SyncClient, advisory: &rustse
            advisory.package.as_str()
        );
    }
+
+    // Check that each path in `affected_paths` starts with the crate name
+    if let Some(ref version_req_paths) = advisory.affected_paths {
+        for (_, paths) in version_req_paths.iter() {
+            for path in paths {
+                if path.crate_name() != response.crate_data.name {
+                    panic!(
+                        "{}: affected_path does not begin with crate name: {}",
+                        response.crate_data.name,
+                        path.crate_name()
+                    )
+                }
+            }
+        }
+    }
 }