Often audit hits a dependency that is way below dependency tree and simple task such as including cargo tree graph in the issue could be beneficial as many don't understand the complexity of transient dependencies and what the downstream project can do who might be consumer several crates down.

If you use the action rustsec/audit-check in the workflow github will show you the warning

Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20

It will be great if you can updated to node 20

Could a way to pass arguments to the invocation be added? A way to enable flags like -Dunsound without a configuration file would be great.

Alternatively, maybe something like RUSTSECFLAGS=-Dyanked would be workable

I have a polyglot project with a backend in rust under ./backend and a frontend in elm. The project does not have a Cargo.toml or Cargo.lock in the project root. This causes the action to fail.

For other actions, I can overwrite the working-directory to fix this problem:

defaults:
  run:
    working-directory: backend

It would be nice to have an option for the audit action to run in a subdirectory.

Currently if a crate has both unmaintained and unsound we raise two issues

It should be an issue per crate combined all the outstanding advisories

We are also consuming API query per advisory when checking if one already exists which is sub-optimal

This is due to using the REST API

Check if with GraphQL via octokit we could reduce this to one query

Copying actions-rs#163 to this fork.

Description

This action calls cargo generate-lockfile, which overwrites Cargo.lock according to cargo docs¹

This command will create the Cargo.lock lockfile for the current package or workspace. If the lockfile already exists, it will be rebuilt with the latest available version of every package.

This negates the purpose of having a checked-in lockfile.

Proposed Fix

actions-rs#163 (comment)

Rather than call cargo generate-lockfile, call cargo metadata --format-version=1 >/dev/null instead.

I'm feeling dopey: I changed a project (https://github.com/richb-hanover/prql/blob/main/.github/workflows/nightly.yaml) to use rustsec/[email protected]. I did this to get away from the "Node16" warning from my previous action.

But I'm still getting this warning:

cargo-audit
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: rustsec/[email protected]. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.

What am I missing? Thanks

PS @clechasseur - any thoughts on this? I see you made the PR to update to Node20... Thanks again.

I've noticed that occasionally, this action will fail but re-running seems to result in success:

Failure: 
https://github.com/microsoft/windows-drivers-rs/actions/runs/7647254535/job/20837787535?pr=78

Success:
https://github.com/microsoft/windows-drivers-rs/actions/runs/7647254535/job/20837822606?pr=78

Error:

Calling cargo-audit (JSON output)
  C:\Users\runneradmin\.cargo\bin\cargo.exe audit --json
  2024-01-24T22:51:25.296515Z  WARN hyper::client::connect::http: tcp set_nodelay error: An invalid argument was supplied. (os error 10022)
  2024-01-24T22:51:25.300736Z  WARN hyper::client::connect::http: tcp set_nodelay error: An invalid argument was supplied. (os error 10022)
  {"database":{"advisory-count":595,"last-commit":"1d2202ea2b32fabd3307641010301bfe1[8](https://github.com/microsoft/windows-drivers-rs/actions/runs/7647254535/job/20837787535?pr=78#step:3:9)7ef11a","last-updated":"2024-01-24T17:00:4[9](https://github.com/microsoft/windows-drivers-rs/actions/runs/7647254535/job/20837787535?pr=78#step:3:10)Z"},"lockfile":{"dependency-count":1[10](https://github.com/microsoft/windows-drivers-rs/actions/runs/7647254535/job/20837787535?pr=78#step:3:11)},"settings":{"target_arch":null,"target_os":null,"severity":null,"ignore":[],"informational_warnings":["unmaintained","unsound","notice"]},"vulnerabilities":{"found":false,"count":0,"list":[]},"warnings":{}}
Error: Unexpected token � in JSON at position 0

First of all, thanks for taking over the action ❤️

We started seeing this warning in CI and i guess it's caused by rustsec/rustsec#819 ?
I tried to fix it myself but i have no knowledge about cargo-audit nor the action so that didn't end well 😅

Thanks again :)

This is not a Rust crate, but tooling used by many Rust projects. Is this correct place to discuss and maybe take action on informing community about the issue?

The actions-rs GitHub Actions from GitHub (https://github.com/actions-rs) is used by many Rust projects.

However, the actions don't see much love, there's discussion about the maintenance status here: actions-rs/meta#43

As these actions are not maintained a known vulnerabilities might start to pile up and things might start to break because GitHub is deprecating support for some thing (e.g. actions-rs#227).

Pinging @svartalf since he's the (only?) owner of the GitHub organization.