From 59ea63710e4f0fb248384a6bd11fb0ccc0e0da68 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sun, 13 Jan 2019 17:31:01 -0800
Subject: [PATCH 1/4] README.md: Bump maintained date

---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 78cdab1..4d9b9f9 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,12 @@
 # RustSec Advisory Database
 [![Build Status][build-image]][build-link]
-![Maintained][maintained-image]
+![Maintained: Q1 2019][maintained-image]
 [![Gitter Chat][gitter-image]][gitter-link]
 [build-image]: https://travis-ci.org/RustSec/advisory-db.svg?branch=master
 [build-link]: https://travis-ci.org/RustSec/advisory-db
-[maintained-image]: https://img.shields.io/maintenance/yes/2018.svg
+[maintained-image]: https://img.shields.io/maintenance/yes/2019.svg
 [gitter-image]: https://badges.gitter.im/badge.svg
 [gitter-link]: https://gitter.im/RustSec/Lobby

From 782efebde9a4204a1bf330460223401fb5522153 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sun, 13 Jan 2019 17:31:25 -0800
Subject: [PATCH 2/4] Revert "Add affected functions to legacy security warnings (#83)"

This reverts commit 0a981e2b6f3c8aeaaaa194989d8d3e4a53e3c199.

These now need to use the new `affected_paths` attribute, which has a different (VersionReq-bucketed) format.
---
 crates/base64/RUSTSEC-2017-0004.toml | 1 -
 crates/hyper/RUSTSEC-2017-0002.toml | 1 -
 crates/smallvec/RUSTSEC-2018-0003.toml | 1 -
 crates/tar/RUSTSEC-2018-0002.toml | 1 -
 crates/untrusted/RUSTSEC-2018-0001.toml | 1 -
 5 files changed, 5 deletions(-)

diff --git a/crates/base64/RUSTSEC-2017-0004.toml b/crates/base64/RUSTSEC-2017-0004.toml
index a352b15..f32858a 100644
--- a/crates/base64/RUSTSEC-2017-0004.toml
+++ b/crates/base64/RUSTSEC-2017-0004.toml
@@ -19,4 +19,3 @@ and possibly the execution of arbitrary code. This flaw was corrected by using checked arithmetic to calculate the size of the buffer.
 """
-affected_functions = ["base64::encode_config","base64::encode_config_buf"]
diff --git a/crates/hyper/RUSTSEC-2017-0002.toml b/crates/hyper/RUSTSEC-2017-0002.toml
index 92e2c60..b24b9aa 100644
--- a/crates/hyper/RUSTSEC-2017-0002.toml
+++ b/crates/hyper/RUSTSEC-2017-0002.toml
@@ -14,4 +14,3 @@ is if an application constructs headers based on unsanitized user input. This issue was fixed by replacing all newline characters with a space during serialization of a header value.
 """
-affected_functions = ["hyper::header::Headers::set"]
diff --git a/crates/smallvec/RUSTSEC-2018-0003.toml b/crates/smallvec/RUSTSEC-2018-0003.toml
index c22e363..836cdb1 100644
--- a/crates/smallvec/RUSTSEC-2018-0003.toml
+++ b/crates/smallvec/RUSTSEC-2018-0003.toml
@@ -20,4 +20,3 @@ they will not be dropped more than once. Thank you to @Vurich for reporting this bug.
 """
-affected_functions = ["smallvec::SmallVec::insert_many"]
diff --git a/crates/tar/RUSTSEC-2018-0002.toml b/crates/tar/RUSTSEC-2018-0002.toml
index 63979dc..c1f551d 100644
--- a/crates/tar/RUSTSEC-2018-0002.toml
+++ b/crates/tar/RUSTSEC-2018-0002.toml
@@ -23,4 +23,3 @@ This has been fixed in https://github.com/alexcrichton/tar-rs/pull/156 and is published as `tar` 0.4.16. Thanks to Max Justicz for discovering this and emailing about the issue!
 """
-affected_functions = ["tar::Entry::unpack_in"]
diff --git a/crates/untrusted/RUSTSEC-2018-0001.toml b/crates/untrusted/RUSTSEC-2018-0001.toml
index 70b8d7e..fcd1b83 100644
--- a/crates/untrusted/RUSTSEC-2018-0001.toml
+++ b/crates/untrusted/RUSTSEC-2018-0001.toml
@@ -20,4 +20,3 @@ The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.
 """
-affected_functions = ["untrusted::Reader::skip_and_get_input"]

From 927a5e314b97eccb984476d88dced3fae50b52fc Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sun, 13 Jan 2019 17:49:20 -0800
Subject: [PATCH 3/4] Update to 'rustsec' crate v0.11

---
 Cargo.toml | 19 ++++++++-----------
 src/main.rs | 16 +++++++---------
 2 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 6df4365..9747403 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,19 +1,16 @@
 [package]
-name = "rustsec-advisory-db"
+name = "rustsec-advisory-db"
 description = "Security advisory database for Rust crates published through crates.io"
-version = "0.0.0"
-authors = ["Tony Arcieri "]
-license-file = "LICENSE.txt"
-repository = "https://github.com/rustsec/advisory-db"
-documentation = "https://github.com/rustsec/advisory-db"
-categories = ["api-bindings", "development-tools"]
-keywords = ["rustsec", "security", "advisory", "vulnerability"]
+version = "0.0.0"
+authors = ["Tony Arcieri "]
+edition = "2018"
+publish = false
 [[bin]]
 name = "rustsec-advisory-db"
 [dependencies]
-gumdrop = "0.4"
-gumdrop_derive = "0.4"
-rustsec = "0.10"
+gumdrop = "0.5"
+gumdrop_derive = "0.5"
+rustsec = "0.11"
 crates_io_api = "0.3"
diff --git a/src/main.rs b/src/main.rs
index f694059..209eea4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,8 +1,4 @@
-extern crate crates_io_api;
-extern crate gumdrop;
-#[macro_use]
-extern crate gumdrop_derive;
-extern crate rustsec;
+#![allow(clippy::never_loop)]
 use gumdrop::Options;
 use rustsec::{AdvisoryDatabase, Repository};
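Review bot: The crate-level `#![allow(clippy::never_loop)]` added at the top of src/main.rs has no comment naming the loop that trips the lint, so the suppression silently covers every loop in the binary from now on. Either attach it to the offending function as `#[allow(clippy::never_loop)] // <why this loop intentionally runs at most once>` or keep the crate-level form and add a one-line comment above it stating which loop it is for; that loop is outside this hunk, so it cannot be named here. Dropping the `extern crate` lines is consistent with the `edition = "2018"` set in the same patch's Cargo.toml.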
@@ -93,10 +89,12 @@ fn check() {
 fn check_advisory(cratesio_client: &crates_io_api::SyncClient, advisory: &rustsec::Advisory) {
 let response = cratesio_client
 .get_crate(advisory.package.as_str())
- .expect(&format!(
- "Failed to get package from crates.io: {}",
- advisory.package.as_str()
- ));
+ .unwrap_or_else(|_| {
+ panic!(
+ "Failed to get package from crates.io: {}",
+ advisory.package.as_str()
+ )
+ });
 if response.crate_data.name != advisory.package.as_str() {
 panic!(

From cb4f7d11af74aa794daade03286a8f9700e1ac0b Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sun, 13 Jan 2019 17:50:37 -0800
Subject: [PATCH 4/4] lint: Check that affected_paths start with crate name

Uses the crate name as fetched from the crates.io API to ensure all `affected_paths` begin with the crate name (i.e. are canonical)
---
 .travis.yml | 5 ++++-
 src/main.rs | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index e6e05dc..0ed1e1e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,8 @@
 language: rust
-script: cargo run check # check that the advisory-db is well-formed
+cache: cargo
+
+# check that the advisory-db is well-formed
+script: cargo run check
 branches:
 only:
diff --git a/src/main.rs b/src/main.rs
index 209eea4..04562bc 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -102,4 +102,19 @@ fn check_advisory(cratesio_client: &crates_io_api::SyncClient, advisory: &rustse
 advisory.package.as_str()
 );
 }
+
+ // Check that each path in `affected_paths` starts with the crate name
+ if let Some(ref version_req_paths) = advisory.affected_paths {
+ for (_, paths) in version_req_paths.iter() {
+ for path in paths {
+ if path.crate_name() != response.crate_data.name {
+ panic!(
+ "{}: affected_path does not begin with crate name: {}",
+ response.crate_data.name,
+ path.crate_name()
+ )
+ }
+ }
+ }
+ }
 }
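Review bot: The closure in `.unwrap_or_else(|_| { ... })` throws away the crates.io error, so a transient network fault, an API rate limit and a genuinely unknown crate all fail CI with the same message and the log cannot tell them apart. Bind the error and print it next to the package name, `.unwrap_or_else(|e| panic!("Failed to get package from crates.io: {}: {:?}", advisory.package.as_str(), e))`, which keeps the panic behaviour of the replaced `.expect` while making failures diagnosable; `{:?}` is suggested because the hunk does not show whether the error type implements `Display`. The body of `check_advisory` continues past the end of the hunk.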
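Review bot: The new check `if path.crate_name() != response.crate_data.name` compares the leading path segment byte-for-byte with the crates.io name, so any crate whose registry name contains a hyphen (a crate published as `foo-bar`, say) can only be spelled in a Rust path as `foo_bar::...` and would make this lint panic on every one of its canonical `affected_paths`, assuming `crate_name()` returns that leading segment as its name suggests. Normalize before comparing: `let expected = response.crate_data.name.replace('-', "_");` then `if path.crate_name() != expected.as_str() {`, and print `expected` in the panic message so the spelling the lint wants is visible in the log. The existing `panic!` on a name mismatch a few lines above the added block already guarantees `response.crate_data.name` equals `advisory.package` at this point, so either is a valid source for the expected name.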