Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 0 additions & 23 deletions .cargo/audit.toml

This file was deleted.

19 changes: 19 additions & 0 deletions deny.toml
Original file line number Diff line number Diff line change
@@ -1,9 +1,28 @@
[graph]
all-features = true

[advisories]
yanked = "deny"
unmaintained = "all"
unsound = "all"
ignore = [
# `rand` unsoundness when a custom logger re-enters `rand::rng()`/`thread_rng()`
# during ThreadRng reseeding. Firecracker is not affected:
# - uuid (1.23.0): does not enable `fast-rng` or `rng-rand` features, so it uses
# `getrandom` directly and never calls into rand.
# - proptest: uses rand 0.9 with `default-features = false` and does not enable
# the `thread_rng` feature, so the affected functions are not compiled in.
# See https://rustsec.org/advisories/RUSTSEC-2026-0097.html
"RUSTSEC-2026-0097",
]

[licenses]
version = 2
allow = [
"MIT",
"Apache-2.0",
"BSD-3-Clause",
"0BSD",
"ISC",
"Unicode-3.0"
]
Expand Down
44 changes: 31 additions & 13 deletions tests/integration_tests/security/test_sec_audit.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,12 @@

import pytest

from framework import utils
from framework.ab_test import (
git_ab_test_host_command_if_pr,
set_did_not_grow_comparator,
)
from framework.utils import CommandReturn
from framework.defs import FC_WORKSPACE_DIR
from framework.utils_cpuid import CpuVendor, get_cpu_vendor


Expand All @@ -23,19 +24,36 @@ def test_cargo_audit():
Run cargo audit to check for crates with security vulnerabilities.
"""

def set_of_vulnerabilities(output: CommandReturn):
output = json.loads(output.stdout)

return set(
frozenset(vulnerability)
for vulnerability in output["vulnerabilities"]["list"]
).union(
frozenset(warning)
for warning_kind, warnings in output["warnings"].items()
for warning in warnings
)
def set_of_vulnerabilities(output: utils.CommandReturn):
# The `stdout` will contain one `json` payload per line
findings = set()
for line in output.stderr.splitlines():
line = line.strip()
if not line:
continue
entry = json.loads(line)
# There is also `summary` type, which is of not interest for us
if entry["type"] != "diagnostic":
continue
fields = entry["fields"]
advisory = fields.get("advisory") or {}
# Identify a finding by its code, advisory id and affected crate;
# Findings without an advisory (e.g. yanked crates) fall back to
# the crate from the dependency graph.
krate = (fields.get("graphs") or [{}])[0].get("Krate", {})
findings.add(
(
fields.get("code"),
advisory.get("id"),
advisory.get("package") or krate.get("name"),
)
)
return findings

utils.run_cmd("cargo install --locked cargo-deny --debug")
Comment thread
ShadowCurse marked this conversation as resolved.
toml_file = FC_WORKSPACE_DIR / "Cargo.toml"

git_ab_test_host_command_if_pr(
"cargo install --locked cargo-audit && cargo audit --deny warnings -q --json",
f"cargo deny --manifest-path {toml_file} -f json check advisories",
comparator=set_did_not_grow_comparator(set_of_vulnerabilities),
)
Loading