Stream: wasmtime

Topic: cargo-deny: ignore until date?

view this post on Zulip Pat Hickey (May 11 2021 at 15:35):

@Benjamin Bouvier or other embark folks: it just occured to me it might be useful for cargo deny to support something like "ignore until the following date", see for example https://github.com/bytecodealliance/wasmtime/issues/2882

on or after June 6, 2021: review and un-ignore RUSTSEC-2021-0064 · Issue #2882 · bytecodealliance/wasmtime
See #2881

view this post on Zulip Pat Hickey (May 11 2021 at 15:36):

basically, a snooze button for non-urgent advisories

view this post on Zulip Benjamin Bouvier (May 11 2021 at 15:45):

Ah that's an interesting use case! So cargo-deny is run in automation, and that means that it will trigger on the first PR for which CI is running after this date. It might look like an unexpected CI issue, with an easy fix. Does that sound ok?

view this post on Zulip Chris Fallin (May 11 2021 at 15:46):

That's the experience today too, I think, since new advisories can appear at any time, right? I.e. any given CI run might show a new failure (but that's the point); I guess a "snooze" would just cause that to appear in a later CI run instead

view this post on Zulip Benjamin Bouvier (May 11 2021 at 15:50):

Ah, you're right. Maybe there's a scheme where the sec-advisories could be run as part of a separate github action, run periodically (cron-like; i think github supports this), while the deny restrictions would be limited to PRs (which are the only place where a new dependency can be added)

view this post on Zulip Benjamin Bouvier (May 11 2021 at 15:50):

... unless the sec-advisories comes with dependency checks, in which case my suggestion wouldn't work

view this post on Zulip Benjamin Bouvier (May 11 2021 at 15:51):

I'll open an issue in any case, thanks @Pat Hickey for the suggestion! (Can't guarantee it'll be implemented, but it's nice to keep track of it)

view this post on Zulip Chris Fallin (May 11 2021 at 15:51):

+1 to the cronjob-mode idea but I guess that's a separate feature-request :-)

view this post on Zulip Pat Hickey (May 11 2021 at 16:15):

thats a good point, if a security advisory comes in and we arent making PRs frequently enough, we may not discover it with automation for a while, so probably we should run it in a cron job anyway

view this post on Zulip Pat Hickey (May 11 2021 at 16:15):

just as an additional check on top of PRs

Last updated: Nov 22 2024 at 17:03 UTC