cargo-audit allow acknowledgement of a rustsec id to be ignored
Firstyear opened this issue · 2 comments
Sometimes there are issues that don't directly affect a project. We should allow specific RustSec IDs to be ignored so that issues that don't affect a project can be bypassed.
An example was the git https vuln a few months back which affected kanidm. However, kanidm wasn't actually vuln because it doesn't use the https features; it only parses local filesystem git repos. As a result, there needed to be a way to say "this rustsec id is not actually a problem in this context". We want the option to express to people that they are taking ownership of this too, so it shouldn't simply be "ignore". Syntax could be something like:
--i-accept-the-risk
or --vulnerability-has-been-audited-and-does-not-impact-this-application
Oh, like:
<service name="cargo_audit" mode="manual">
  <param name="ignore">RUSTSEC-UWUID123</param>
</service>
and when they run cargo audit, they need to complete the "accept prompt" prompt?
Or do you want it to be:
<service name="cargo_audit" mode="manual">
  <param name="rustsec-id-does-not-impact-this-application">RUSTSEC-UWUID123</param>
</service>
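As an added illustration (this is not cargo-audit's code, and the thread does not confirm any such feature exists), here is a small Rust program that implements the distinction the issue asks for: an advisory ID is only suppressed when its config entry carries a non-empty reason, a malformed ID is rejected rather than silently matching nothing, and acknowledgements that no longer match any finding are reported so stale entries do not linger. The Finding and Acknowledgement types, the config shape and every ID and crate name below are constructed for the example; the RUSTSEC-YYYY-NNNN pattern is the shape real advisory IDs take.

```rust
// Added example, not cargo-audit's own code. Models "acknowledged with a
// reason" as something stronger than "ignore", as discussed in the thread.
use std::collections::{HashMap, HashSet};

/// One scanner finding: an advisory ID plus the crate it was reported against.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub id: String,
    pub package: String,
}

/// One entry from a hypothetical config file: the user takes ownership of the
/// suppression by recording why the advisory does not impact this application.
#[derive(Debug, Clone)]
pub struct Acknowledgement {
    pub id: String,
    pub reason: String,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    /// The ID does not look like RUSTSEC-YYYY-NNNN; a typo must not pass silently.
    MalformedId(String),
    /// An ID was listed without a justification, which is just "ignore" again.
    MissingReason(String),
}

/// Accept only the RUSTSEC-YYYY-NNNN shape (four digits, dash, four digits).
pub fn is_rustsec_id(id: &str) -> bool {
    let parts: Vec<&str> = id.split('-').collect();
    let all_digits = |s: &str, n: usize| s.len() == n && s.chars().all(|c| c.is_ascii_digit());
    parts.len() == 3 && parts[0] == "RUSTSEC" && all_digits(parts[1], 4) && all_digits(parts[2], 4)
}

/// Validate every acknowledgement before any finding is suppressed.
pub fn validate(acks: &[Acknowledgement]) -> Result<HashMap<String, String>, ConfigError> {
    let mut map = HashMap::new();
    for a in acks {
        if !is_rustsec_id(&a.id) {
            return Err(ConfigError::MalformedId(a.id.clone()));
        }
        if a.reason.trim().is_empty() {
            return Err(ConfigError::MissingReason(a.id.clone()));
        }
        map.insert(a.id.clone(), a.reason.clone());
    }
    Ok(map)
}

/// Result of applying acknowledgements to a scan.
#[derive(Debug, PartialEq)]
pub struct Report {
    /// Findings with no acknowledgement: these still fail the audit.
    pub open: Vec<Finding>,
    /// Findings suppressed, each paired with the recorded reason.
    pub acknowledged: Vec<(Finding, String)>,
    /// Acknowledged IDs that matched nothing; candidates for removal.
    pub unused: Vec<String>,
}

pub fn apply(findings: &[Finding], acks: &[Acknowledgement]) -> Result<Report, ConfigError> {
    let acks = validate(acks)?;
    let mut open = Vec::new();
    let mut acknowledged = Vec::new();
    let mut used = HashSet::new();
    for f in findings {
        match acks.get(&f.id) {
            Some(reason) => {
                used.insert(f.id.clone());
                acknowledged.push((f.clone(), reason.clone()));
            }
            None => open.push(f.clone()),
        }
    }
    let mut unused: Vec<String> = acks.keys().filter(|k| !used.contains(*k)).cloned().collect();
    unused.sort();
    Ok(Report { open, acknowledged, unused })
}

fn main() {
    // Constructed sample scan and config; the IDs are placeholders, not real advisories.
    let findings = vec![
        Finding { id: "RUSTSEC-2021-9001".into(), package: "git-parser".into() },
        Finding { id: "RUSTSEC-2021-9002".into(), package: "other-crate".into() },
    ];
    let acks = vec![Acknowledgement {
        id: "RUSTSEC-2021-9001".into(),
        reason: "https feature not enabled; only local repositories are parsed".into(),
    }];
    match apply(&findings, &acks) {
        Ok(r) => println!("{:#?}", r),
        Err(e) => eprintln!("config error: {:?}", e),
    }
}
```

The audit should still fail on anything left in `open`, and a non-empty `unused` list is worth printing as a warning: an acknowledgement that no longer matches a finding usually means the dependency was upgraded and the entry can be deleted.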