In theory this advisory should trigger this feature of `cargo-audit`
which checks for advisories filed against the `rustsec` crate:
https://github.com/RustSec/cargo-audit/blob/783f221/src/auditor.rs#L178-L199
After merging, I will test with an older `cargo-audit` version to see if
it has the intended effect.
`cargo-deny` is an awesome tool; it seems to be the superset of `cargo-audit`. I think it is reasonable to mention it here along with `cargo-audit`.
cc @Jake-Shadle
As announced in #228, this commit migrates all advisories to the new V2
format, which splits version information into a separate section, and
now has a structure which corresponds to the internal code structure of
the `rustsec` crate.
This is a breaking change for users of `cargo-audit` < 0.9, and anyone
who has written a 3rd party advisory format parser.
This is largely to work around the following:
```
$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
error: couldn't fetch advisory database: git operation failed: no signature on commit 0a981e2b6f: Add affected functions to legacy security warnings (#83) (Moritz Beller <Inventitech@users.noreply.github.com>)
```
I tried to Squash-and-Merge on #83. GitHub does not sign the resulting
commit. Oops.
So this commit is just to make HEAD a GitHub-signed merge commit.
These are new attributes as of `rustsec` crate v0.9.0 which use enums
from the `platforms` crate to represent CPU architectures and operating
systems.
This replaces the previous `affected_platforms` attribute (only used in
one advisory)
Nobody knows what "dwf" is, and the data isn't presently consumed or
surfaced by the `rustsec` crate, so we (hopefully) can rename it without
breaking anything.
Cargo uses "package" in Cargo.lock, so there is wisdom to using "package"
instead of "crate_name"
This reverts commit 986c090c06, reversing
changes made to 9556f0fdee.
The correct name for a Rust package is a "crate", so something with "crate" is
less ambiguous than "package".
However, "crate" itself is a Rust keyword. To avoid clashes in Rust code which
uses this same attribute name, "crate_name" can be used instead unambiguously.
Taking a cue from RubySec, this splits the original "versions" attribute into
separate ones for versions which were never vulnerable, and ones which include
an explicit fix for a vulnerability.
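As an added example (not code from advisory-db or the `rustsec` crate), this shows how a consumer such as `cargo-audit` decides whether a release is affected once the version information is split into a "never vulnerable" list and a "fixed in" list: a release is affected unless some requirement in either list matches it. The key names `patched` and `unaffected`, the constructed requirement strings and the subset of Cargo semver operators handled are assumptions.

```python
"""Decide whether a crate release is affected by an advisory whose version
information is split into 'patched' and 'unaffected' lists (RustSec V2 style)."""
import re
# Constructed [versions] section; the keys `patched`/`unaffected` are assumed names.
ADVISORY_VERSIONS = {
    "patched": [">= 0.9.0"],
    "unaffected": ["< 0.5.0"],
}

def parse_version(v):
    """'1.2.3' -> (1, 2, 3); shorter forms such as '1.2' are padded with zeros."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def matches_comparator(version, comp):
    """Evaluate one comparator such as '>= 0.9.0' or '^1.2'; bare '1.2' means '^1.2'."""
    m = re.fullmatch(r"\s*(>=|<=|>|<|=|\^)?\s*([0-9.]+)\s*", comp)
    if not m:
        raise ValueError(f"unsupported comparator: {comp!r}")
    op, target = m.group(1) or "^", parse_version(m.group(2))
    ver = parse_version(version)
    if op == ">=": return ver >= target
    if op == ">":  return ver > target
    if op == "<=": return ver <= target
    if op == "<":  return ver < target
    if op == "=":  return ver == target
    # '^': compatible with target, bumping the leftmost non-zero component
    if target[0] > 0:
        upper = (target[0] + 1, 0, 0)
    elif target[1] > 0:
        upper = (0, target[1] + 1, 0)
    else:
        upper = (0, 0, target[2] + 1)
    return target <= ver < upper

def matches_req(version, req):
    """A requirement is a comma-separated AND of comparators, e.g. '>= 0.5.0, < 0.6.0'."""
    return all(matches_comparator(version, c) for c in req.split(","))

def is_affected(version, versions=ADVISORY_VERSIONS):
    """Affected unless some `patched` or `unaffected` requirement matches the release."""
    for key in ("patched", "unaffected"):
        if any(matches_req(version, r) for r in versions.get(key, [])):
            return False
    return True

if __name__ == "__main__":
    for v in ["0.4.2", "0.5.0", "0.8.9", "0.9.0", "1.0.0"]:
        print(v, "affected" if is_affected(v) else "not affected")
```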
This is using the TOML format described in the (presently open) initial RustSec
RFC for security advisories described here:
https://github.com/RustSec/rfcs/pull/1