rustsec 0.31.0

Client library for the RustSec security advisory database
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

//! Automatically attempt to fix vulnerable dependencies
//!
//! This module is **experimental**, and its behavior may change in the future.

use crate::vulnerability::Vulnerability;
use cargo_lock::{Lockfile, Package};
use std::path::{Path, PathBuf};
use std::process::Command;

/// Auto-fixer for vulnerable dependencies
#[cfg_attr(docsrs, doc(cfg(feature = "fix")))]
pub struct Fixer {
    lockfile: Lockfile,
    manifest_path: Option<PathBuf>,
    path_to_cargo: Option<PathBuf>,
}

impl Fixer {
    /// Create a new [`Fixer`] for the given `Cargo.lock` file
    ///
    /// `path_to_cargo` defaults to `cargo`, resolved in your `$PATH`.
    ///
    /// If the path to `Cargo.toml` is not specified, the `cargo update` command
    /// will be run in the directory with the `Cargo.lock` file.
    /// Leaving it blank will fix the entire workspace.
    pub fn new(
        cargo_lock: Lockfile,
        cargo_toml: Option<PathBuf>,
        path_to_cargo: Option<PathBuf>,
    ) -> Self {
        Self {
            lockfile: cargo_lock,
            manifest_path: cargo_toml,
            path_to_cargo,
        }
    }

    /// Returns a command that calls `cargo update` with the right arguments
    /// to attempt to fix this vulnerability.
    ///
    /// Note that the success of the command does not mean
    /// the vulnerability was actually fixed!
    /// It may remain if no semver-compatible fix was available.
    pub fn get_fix_command(&self, vulnerability: &Vulnerability, dry_run: bool) -> Command {
        let cargo_path: &Path = self.path_to_cargo.as_deref().unwrap_or(Path::new("cargo"));
        let pkg_name = &vulnerability.package.name;
        let mut command = Command::new(cargo_path);
        command.arg("update");
        if let Some(path) = self.manifest_path.as_ref() {
            command.arg("--manifest-path").arg(path);
        }
        if dry_run {
            command.arg("--dry-run");
        }
        // there can be more than one version of a given package in the lockfile, so we need to iterate over all of them
        for pkg in self.lockfile.packages.iter().filter(|pkg| {
            &pkg.name == pkg_name && vulnerability.versions.is_vulnerable(&pkg.version)
        }) {
            let pkgid = pkgid(pkg);
            command.arg(&pkgid);
        }

        command
    }
}

/// Returns a Cargo unique identifier for a package.
/// See `cargo help pkgid` for more info.
///
/// We need to pass these to `cargo update` because otherwise
/// the package specification will be ambiguous, and it will refuse to do anything.
fn pkgid(pkg: &Package) -> String {
    match pkg.source.as_ref() {
        Some(source) => format!("{}#{}@{}", source, pkg.name, pkg.version),
        None => format!("{}@{}", pkg.name, pkg.version),
    }
}