You are viewing a plain text version of this content. The canonical link for it is here.
Posted to github@arrow.apache.org by "Jefffrey (via GitHub)" <gi...@apache.org> on 2023/12/02 09:56:44 UTC
[PR] ci: Add cargo audit CI action [arrow-rs]
Jefffrey opened a new pull request, #5160:
URL: https://github.com/apache/arrow-rs/pull/5160
# Which issue does this PR close?
<!--
We generally require a GitHub issue to be filed for all bug fixes and enhancements and this helps us generate change logs for our releases. You can link an issue to this PR using the GitHub syntax. For example `Closes #123` indicates that this PR will close issue #123.
-->
Closes #57
# Rationale for this change
<!--
Why are you proposing this change? If this is already explained clearly in the issue then this section is not needed.
Explaining clearly why changes are proposed helps reviewers understand your changes and offer better suggestions for fixes.
-->
Audit dependencies for security vulns
# What changes are included in this PR?
<!--
There is no need to duplicate the description in the issue here but it is sometimes worth providing a summary of the individual changes in this PR.
-->
Use [audit-check](https://github.com/rustsec/audit-check) action in new CI step
# Are there any user-facing changes?
<!--
If there are user-facing changes then we may require documentation to be updated before approving the PR.
-->
<!---
If there are any breaking changes to public APIs, please add the `breaking change` label.
-->
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "Jefffrey (via GitHub)" <gi...@apache.org>.
Jefffrey commented on code in PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160#discussion_r1415540561
##########
.github/workflows/audit.yml:
##########
@@ -0,0 +1,44 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: audit
+
+concurrency:
+ group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+# trigger for all PRs that touch certain files and changes to master
+on:
+ push:
+ branches:
+ - master
Review Comment:
Yeah that's fair enough
I went and made some minor updates to descriptions in csv and json crate, hope that's fine
Looks like CI check indeed failed to startup, might have to include the steps to run cargo audit manually instead of relying on existing action from rustsec :thinking:
```
Error: .github#L1
rustsec/audit-check@v1.4.1 is not allowed to be used in apache/arrow-rs. Actions in this workflow must be:
within a repository owned by apache, created by GitHub, verified in the GitHub Marketplace, or matching the
following: */*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+, AdoptOpenJDK/install-jdk@*,
JamesIves/github-pages-deploy-action@5dc1d5a192aeb5ab5b7d5a77b7d36aea4a7f5c92, TobKed/label-when-approved-action@*,
actions-cool/issues-helper@*, actions-rs/*, al-cheb/configure-pagefile-action@*, amannn/action-semantic-pull-request@*,
apache/*, burrunan/gradle-cache-action@*, bytedeco/javacpp-presets/.github/actions/*, chromaui/action@*,
codecov/codecov-action@*, conda-incubator/setup-miniconda@*, container-tools/kind-action@*,
container-tools/microshift-action@*, dawidd6/action-download-artifact@*, delaguardo/setup-graalvm@*,
docker://jekyll/jekyll:*, docker://pandoc/core:2.9, eps1lon/actions-label-merge-conflict@*, gaurav-nelson/github-action-markdown-link-check@*,
gol...
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "Jefffrey (via GitHub)" <gi...@apache.org>.
Jefffrey commented on PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160#issuecomment-1842662135
Example of a clean run:
```
Run cargo audit
Updating crates.io index
Fetching advisory database from `[https://github.com/RustSec/advisory-db.git`](https://github.com/RustSec/advisory-db.git%60)
Loaded 580 security advisories (from /home/runner/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (327 crate dependencies)
```
- https://github.com/apache/arrow-rs/actions/runs/7113723615/job/19366270881?pr=5160
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "tustvold (via GitHub)" <gi...@apache.org>.
tustvold commented on code in PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160#discussion_r1415397896
##########
.github/workflows/audit.yml:
##########
@@ -0,0 +1,44 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: audit
+
+concurrency:
+ group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+# trigger for all PRs that touch certain files and changes to master
+on:
+ push:
+ branches:
+ - master
Review Comment:
Why not run this for pull requests?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "alamb (via GitHub)" <gi...@apache.org>.
alamb commented on PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160#issuecomment-1843657678
I think this wins the prize for lowest ticket number closed in a long time 🏆
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "Jefffrey (via GitHub)" <gi...@apache.org>.
Jefffrey commented on code in PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160#discussion_r1415452957
##########
.github/workflows/audit.yml:
##########
@@ -0,0 +1,44 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: audit
+
+concurrency:
+ group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+# trigger for all PRs that touch certain files and changes to master
+on:
+ push:
+ branches:
+ - master
Review Comment:
You mean to always run on PRs regardless of if they modified Cargo.toml files? My line of thinking was that only PRs that affect the dependencies should have this check run, to prevent an unrelated PR potentially being blocked.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "Jefffrey (via GitHub)" <gi...@apache.org>.
Jefffrey commented on PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160#issuecomment-1842659906
Example run with a dependency with CVE:
Run audit check step:
```
Run cargo audit
Updating crates.io index
Fetching advisory database from `[https://github.com/RustSec/advisory-db.git`](https://github.com/RustSec/advisory-db.git%60)
Loaded 580 security advisories (from /home/runner/.cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (353 crate dependencies)
error: 1 vulnerability found!
Crate: cocoon
Version: 0.3.3
Title: Sequential calls of encryption API (`encrypt`, `wrap`, and `dump`) result in nonce reuse
Date: 2023-10-15
ID: RUSTSEC-2023-0068
URL: https://rustsec.org/advisories/RUSTSEC-2023-0068
Severity: 4.5 (medium)
Solution: Upgrade to >=0.4.0
Dependency tree:
cocoon 0.3.3
└── arrow-csv 49.0.0
├── parquet 49.0.0
│ ├── parquet_derive_test 49.0.0
│ └── parquet_derive 49.0.0
│ └── parquet_derive_test 49.0.0
└── arrow 49.0.0
├── parquet 49.0.0
├── arrow-integration-testing 49.0.0
└── arrow-integration-test 49.0.0
└── arrow-integration-testing 49.0.0
Error: Process completed with exit code 1.
```
Subsequently fails.
- https://github.com/apache/arrow-rs/actions/runs/7113685561/job/19366158937?pr=5160
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "tustvold (via GitHub)" <gi...@apache.org>.
tustvold commented on code in PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160#discussion_r1415499203
##########
.github/workflows/audit.yml:
##########
@@ -0,0 +1,44 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: audit
+
+concurrency:
+ group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+# trigger for all PRs that touch certain files and changes to master
+on:
+ push:
+ branches:
+ - master
Review Comment:
Aah I see, perhaps we could also run on PRs that modify the CI configuration for this check. I mainly want to see this check running on this PR before I merge it :sweat_smile:
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [PR] ci: Add cargo audit CI action [arrow-rs]
Posted by "tustvold (via GitHub)" <gi...@apache.org>.
tustvold merged PR #5160:
URL: https://github.com/apache/arrow-rs/pull/5160
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org