Bug: Check for advisories doesn't seem to work on 0.14.19
mihaelTBTL opened this issue · comments
Describe the bug
After having installed the latest version of cargo-deny (0.14.19) and running cargo deny check advisories in a Rust workspace, I'm met with the following error:
[ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack): client error (Connect)
I'm not sure what the problem is since I can download the file with curl:
curl https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack --output foo
The used db-urls in deny.toml is the same as in the book.
I get the same issue when using the deny.toml from this repository as well:
https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml
I've encountered this problem while using both Ubuntu 22.04 (as OS) and inside a rust:1.76-slim docker container.
To reproduce
- Install the latest version of cargo-deny:
cargo install --version 0.14.19 cargo-deny
- Position yourself inside a Rust project with a deny.toml. You can grab an example from here: https://github.com/EmbarkStudios/cargo-deny/blob/main/deny.toml
- Run:
cargo deny check advisories
cargo-deny version
cargo-deny 0.14.19
What OS were you running cargo-deny on?
Linux
Additional context
No response
Can you confirm that older versions still work? I'm unable to repro this so feels like a client side issue (behind proxy or something?).
0.14.14 working ok for me. A colleague running 0.14.19 is seeing this same issue
..after upgrading it fails for me as well. I'm not behind any vpn or proxy:
2024-03-22 15:15:13 [INFO] gathered 346 crates in 449ms
2024-03-22 15:15:13 [ERROR] failed to fetch advisory database https://github.com/rustsec/advisory-db: failed to prepare fetch: An IO error occurred when talking to the server: error sending request for url (https://github.com/rustsec/advisory-db/info/refs?service=git-upload-pack)
using 0.14.19 shows that issue. Compiling from current head 621ff39 seems to work just fine 🤷
That does not make sense, there was no change between them that would affect this.
It is a little bit weird guys: on my laptop running archlinux it works perfectly; instead when I try to build with the official rust docker image 1.7.0-slim-bookworm I got the issue.
Version 0.14.18 works on 1.7.0-slim-bookworm.
I know it still sounds weird(er), but if I install version 0.14.19:
cargo install cargo-deny --version 0.14.19 --force
and do a cargo deny check, I see the same error every single time.
If I build from source on commit c16388b (tag: 0.14.19) then it works fine for me both building in release and non-release modes.
I could reproduce the issue (both with cargo deny and cargo audit), I'm investigating.
I can repro this, I believe I know what is happening.
The issue is that gix-transport 0.41.3, or one of the updated dependencies it uses, has a bug. Again, the recommended way to install cargo-deny, as stated in the README, is to use --locked when running cargo install, as otherwise bugs or semver breakages which are not tested in CI can occur.
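The point about `--locked` in the comment above can be checked mechanically in CI scripts and Dockerfiles. The following is an added example, not part of the original thread or the cargo-deny project; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report `cargo install` commands
# that omit --locked. The function names are hypothetical.
# Output: "<file>:<line>: <command>"; exit status 1 if anything is reported.
find_unlocked_installs() {
    awk '
    {
        if (buf == "") start = FNR          # first line of a logical command
        line = $0
        # Join backslash-continued lines (shell scripts, Dockerfile RUN).
        if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
        cmd = buf line; buf = ""
        if (cmd ~ /^[ \t]*#/) next          # skip comment lines
        # Check each command of a "a && b ; c" chain separately.
        n = split(cmd, parts, /&&|;/)
        for (i = 1; i <= n; i++) {
            p = parts[i]
            sub(/^[ \t]+/, "", p)
            padded = " " p " "
            if (padded ~ /[ \t]cargo[ \t]+([+][^ \t]+[ \t]+)?install[ \t]/ &&
                padded !~ /[ \t]--locked[ \t]/) {
                printf "%s:%d: %s\n", FILENAME, start, p
                found = 1
            }
        }
    }
    END { exit found + 0 }
    ' "$@"
}

# Constructed sample input, for demonstration only.
sample_ci_script() {
    cat <<'EOF'
# CI setup
cargo install --version 0.14.19 cargo-deny
cargo install --locked --version 0.14.20 cargo-deny
RUN rustup component add clippy && \
    cargo install cargo-audit
cargo install cargo-deny \
    --locked
EOF
}

tmp=$(mktemp)
sample_ci_script > "$tmp"
find_unlocked_installs "$tmp" || echo "found cargo install without --locked"
rm -f "$tmp"
```

The reported line number is the first line of the logical command, so a flagged install inside a continued `RUN` is attributed to the line where that `RUN` starts.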
Thank you, @Jake-Shadle for the quick response and fix, I've followed through and it was quite the rabbit hole. I can confirm cargo-deny 0.14.20 works, though I think I will move to installing cargo-deny with --lock into the image.
- clear the allow scope in deny.toml
- run cargo deny check, it will fail.
- fill licenses in the allow scope again.
- it works.
It works for me