Theo Buehler <t...@theobuehler.org> writes:
> On Fri, Sep 10, 2021 at 06:54:10AM +0200, Sebastien Marie wrote:
>> On Thu, Sep 09, 2021 at 01:19:21PM -0600, Aaron Bieber wrote:
>> > Hi,
>> >
>> > Here is a port of cargo-audit:
>> > https://github.com/RustSec/rustsec/tree/main/cargo-audit
>> >
>> > This isn't the latest version because that fails to build:
>> > https://github.com/rustsec/rustsec/issues/429
>> >
>> > Unfortunately the program doesn't run unless you specify the full
>> > path. I tried creating a patch to fix it, but I can't make heads or
>> > tails of the code.
>> >
>> > Thanks to tb@ and semarie@ for pointers on the Makefile!
>> >
>> > Here is a git mirror as well:
>> > https://github.com/jasperla/openbsd-wip/tree/master/devel/cargo-audit
>> >
>> > OK? Cluesticks?
>>
>> Just a few nits: crates.inc doesn't have $OpenBSD$ marker, and contains
>> no licence information (see make modcargo-gen-crates-licenses).
>>
>> Regarding full path, you could look at env:current_exe() calls in the
>> source code. But what is the full path required ?
>> ${LOCALBASE}/bin/cargo-audit ?
>>
>> I also wonder if it is possible to redefine argv[0] (or more exactly
>> the rust equiv) at beginning of the program to properly set it (the
>> binary will be always at the same place if installed from ports).
>
> Here's a version of this port that.
>
> - addresses the crates.inc nits from semarie (RCS marker + licenses)
> - fixes WANTLIB/LIB_DEPENDS
> - adds a patch that builds the current_exe() path from the basename of
>   argv[0] appended to ${LOCALBASE}/bin
> - uses the main branch instead of master for advisory-db
>
> This seems to work for me in some light testing. For example, when it
> is run on an old newsboat repo with a known problem in SmallVec:

Seems to be working for me as well! Thanks!

I owe you all the beer :D

> $ cargo audit
>     Fetching advisory database from
> `https://github.com/RustSec/advisory-db.git`
>       Loaded 352 security advisories (from /home/theo/.cargo/advisory-db)
>     Updating crates.io index
>     Scanning Cargo.lock for vulnerabilities (101 crate dependencies)
> Crate:         smallvec
> Version:       0.6.10
> Title:         Buffer overflow in SmallVec::insert_many
> Date:          2021-01-08
> ID:            RUSTSEC-2021-0003
> URL:           https://rustsec.org/advisories/RUSTSEC-2021-0003
> Solution:      Upgrade to >=0.6.14, <1.0.0 OR >=1.6.1
> Dependency tree:
> smallvec 0.6.10
> ├── unicode-normalization 0.1.8
> │   └── idna 0.2.0
> │       └── url 2.1.1
> │           └── libnewsboat 2.20.0
> │               └── libnewsboat-ffi 2.20.0
> └── libnewsboat 2.20.0
>
> error: 1 vulnerability found!
>
> [2. application/x-tar-gz; cargo-audit.tgz]...
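As an added illustration of the approach tb@ describes (not the port's actual patch, and not code from cargo-audit itself): when std::env::current_exe() is unusable, derive the executable path from the basename of argv[0] joined to a fixed install prefix. The prefix /usr/local/bin is an assumption standing in for ${LOCALBASE}/bin.

```rust
use std::env;
use std::path::{Path, PathBuf};

/// Where ports install binaries. Assumed value for ${LOCALBASE}/bin;
/// a real port would substitute the configured LOCALBASE at build time.
pub const LOCALBASE_BIN: &str = "/usr/local/bin";

/// Build the executable path from the basename of argv[0] appended to
/// LOCALBASE_BIN. Only the file name is used, so an attacker-controlled or
/// relative argv[0] such as "./target/debug/cargo-audit" still maps to the
/// installed location rather than to an arbitrary directory.
/// Returns None when argv[0] carries no usable file name (empty, ".", "..").
pub fn exe_path_from_argv0(argv0: &str) -> Option<PathBuf> {
    let name = Path::new(argv0).file_name()?;
    Some(Path::new(LOCALBASE_BIN).join(name))
}

/// Prefer the OS-provided answer; fall back to the argv[0]-derived path on
/// systems where current_exe() fails (it needs procfs or a similar facility).
pub fn current_exe_or_fallback() -> Option<PathBuf> {
    if let Ok(p) = env::current_exe() {
        return Some(p);
    }
    let argv0 = env::args().next()?;
    exe_path_from_argv0(&argv0)
}

fn main() {
    match current_exe_or_fallback() {
        Some(p) => println!("executable path: {}", p.display()),
        None => eprintln!("could not determine executable path"),
    }
}
```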