Bug: git dependencies flagged as wildcard dependencies when using allow-wildcard-paths = true if published to a private registry #646

Open
joaommartins opened this issue Apr 5, 2024 · 0 comments
Labels
bug Something isn't working

Comments


joaommartins commented Apr 5, 2024

Describe the bug

The implementation of #599, fixing #488, correctly addresses the case where a dependency uses publish = false in its Cargo.toml.

Unfortunately, it does not address the case where the dependency is published to a private registry. #599 made use of the crate::Krate.is_private function, but it doesn't pass the declared private registries. These are declared in the licenses section of deny.toml:

[licenses.private]
# If true, ignores workspace crates that aren't published, or are only
# published to private registries.
# To see how to mark a crate as unpublished (to the official registry),
# visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
ignore = false
# One or more private registries that you might publish crates to, if a crate
# is only published to private registries, and ignore is true, the crate will
# not have its license(s) checked
registries = [
    #"https://sekretz.com/registry"
]

I can open a PR with a kludgy implementation that passes the crate::licenses::cfg::ValidConfig to crate::bans::check so one can extract the private registries before checking if the dependency is private:

...
if allow_wildcard_paths {
    let private_registries: Vec<_> = private_ctx
        .cfg
        .private
        .registries
        .iter()
        .map(|s| s.as_str())
        .collect();
    let is_private = krate.is_private(&private_registries);
...

However, this does not seem like the best approach as it mixes configuration contexts across different types of checks, and it seems to me like a more expansive change to the private registry declaration would be needed in order to more cleanly organise the code.

To reproduce

Dependency declared as publishing to a private repo:

[package]
name = "wildcards-test-allow-git-private-repo"
version = "0.1.0"
authors = []
edition = "2018"
license = "MIT"

publish = ["private-registry"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
# An arbitrary choice of actually existent Git repository
wildcards-test-allow-git = { package = "krates", git = "https://github.com/EmbarkStudios/krates", rev = "b03ecd6f3204a1b1ec04fbaead2d0d122a3a4494" }

.cargo/config.toml file:

[registries]
private-registry = { index = "https://private-registry.com/git/index.git" }

deny.toml file:

[licenses.private]
# So we don't have to declare a license on our own unpublished crates.
ignore = true
registries = ["private-registry"]

[bans]
wildcards = "deny"
allow-wildcard-paths = true

cargo-deny version

0.14.20

What OS were you running cargo-deny on?

Linux

Additional context

See https://github.com/joaommartins/cargo-deny/tree/fix-private-repo-dependency-wildcard for a wip implementation.

@joaommartins joaommartins added the bug Something isn't working label Apr 5, 2024
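The following is an added example, not code from cargo-deny or from the issue author. It models the two pieces the report describes: deciding whether a workspace crate is private from its `publish` field plus the `[licenses.private] registries` list, and how an `allow-wildcard-paths = true` bans check uses that answer to excuse a git or path dependency with a `*` version requirement. All type and function names (`Krate::is_private`, `check_wildcards`, `BansConfig`) are hypothetical stand-ins for the real ones; the bug in the issue corresponds to always passing an empty registry list to `is_private`.

```rust
// Added example (not cargo-deny's own code). Names are hypothetical.

/// Cargo's `package.publish` field.
#[derive(Debug, Clone, PartialEq)]
pub enum Publish {
    /// Field absent or `publish = true`: publishable to crates.io.
    Any,
    /// `publish = false`: never publishable.
    Never,
    /// `publish = ["reg-a", ...]`: publishable only to the named registries.
    Only(Vec<String>),
}

#[derive(Debug, Clone)]
pub struct Krate {
    pub name: String,
    pub publish: Publish,
}

impl Krate {
    /// A crate is private if it can never be published, or if every registry
    /// it may publish to is in the configured private-registry list.
    /// `publish = []` cannot be published anywhere, so `all` over an empty
    /// list correctly yields "private" (assumption, matching Cargo's reading).
    pub fn is_private(&self, private_registries: &[&str]) -> bool {
        match &self.publish {
            Publish::Never => true,
            Publish::Any => false,
            Publish::Only(regs) => regs.iter().all(|r| private_registries.contains(&r.as_str())),
        }
    }
}

#[derive(Debug, Clone)]
pub enum Source {
    Registry,
    Git { url: String },
    Path { path: String },
}

#[derive(Debug, Clone)]
pub struct Dependency {
    pub name: String,
    /// Requirement as Cargo sees it; a git/path dep without `version` is `"*"`.
    pub version_req: String,
    pub source: Source,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Lint { Allow, Warn, Deny }

#[derive(Debug, Clone)]
pub struct BansConfig {
    pub wildcards: Lint,
    pub allow_wildcard_paths: bool,
}

/// One diagnostic per wildcard dependency of `krate` that is not excused.
/// `private_registries` is the `[licenses.private] registries` list; the
/// reported bug behaves as if `&[]` were always passed here.
pub fn check_wildcards(
    krate: &Krate,
    deps: &[Dependency],
    bans: &BansConfig,
    private_registries: &[&str],
) -> Vec<String> {
    let mut findings = Vec::new();
    if bans.wildcards == Lint::Allow {
        return findings;
    }
    let krate_is_private = krate.is_private(private_registries);
    for dep in deps.iter().filter(|d| d.version_req.trim() == "*") {
        // A git or path dependency is pinned by its rev/path, so it is only
        // excused in a crate that will never reach a public registry.
        let pinned = matches!(dep.source, Source::Git { .. } | Source::Path { .. });
        if bans.allow_wildcard_paths && pinned && krate_is_private {
            continue;
        }
        let level = if bans.wildcards == Lint::Deny { "error" } else { "warning" };
        findings.push(format!("{level}: {}: dependency `{}` has wildcard version `*`", krate.name, dep.name));
    }
    findings
}

/// The manifests from the issue: `publish = ["private-registry"]`, a git
/// dependency with no `version` key, `wildcards = "deny"`, paths allowed.
pub fn issue_case() -> (Krate, Vec<Dependency>, BansConfig) {
    let krate = Krate {
        name: "wildcards-test-allow-git-private-repo".into(),
        publish: Publish::Only(vec!["private-registry".into()]),
    };
    let deps = vec![Dependency {
        name: "krates".into(),
        version_req: "*".into(),
        source: Source::Git { url: "https://github.com/EmbarkStudios/krates".into() },
    }];
    let bans = BansConfig { wildcards: Lint::Deny, allow_wildcard_paths: true };
    (krate, deps, bans)
}

fn main() {
    let (krate, deps, bans) = issue_case();
    // Registry list passed through: no finding. Empty list (the bug): one finding.
    println!("{:?}", check_wildcards(&krate, &deps, &bans, &["private-registry"]));
    println!("{:?}", check_wildcards(&krate, &deps, &bans, &[]));
}
```

The check is keyed on the crate that declares the dependency, not on the dependency itself: a `publish = false` crate is private regardless of configuration, while a crate published only to a named registry is private only if that name appears in the list, which is exactly the value the bans check has to receive from the licenses configuration.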