Skip to content

security_audit CI check is failing on main #15571

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
alamb opened this issue Apr 3, 2025 · 8 comments · Fixed by #15626
Closed

security_audit CI check is failing on main #15571

alamb opened this issue Apr 3, 2025 · 8 comments · Fixed by #15626
Assignees
@Jiashu-Hu
Labels
bug Something isn't working

Comments

@alamb
Copy link
Contributor

alamb commented Apr 3, 2025

Describe the bug

We are seeing a cargo audit failure on @zebsme 's PR: #15454

Crate:     proc-macro-error
Version:   1.0.4
Warning:   unmaintained
Title:     proc-macro-error is unmaintained
Date:      2024-09-01
ID:        RUSTSEC-2024-0370
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0370
Dependency tree:
proc-macro-error 1.0.4
└── structopt-derive 0.4.18
    └── structopt 0.3.26
        └── datafusion-benchmarks 46.0.1

error: 1 vulnerability found!
warning: 3 allowed warnings found

The error is actually happening on main as well, but the CI job is only setup to run when Cargo.toml/Cargo.lock changes:

datafusion/.github/workflows/audit.yml

Lines 25 to 33 in ac919d5

push:
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"
pull_request:
paths:
- "**/Cargo.toml"
- "**/Cargo.lock"

The job can start failing when a new entry is added to the database, in addition to when the crates used by datafusion are changed

To Reproduce

# in datafusion directory
cargo audit

Expected behavior

No response

Additional context

No response
@alamb alamb added the bug Something isn't working label Apr 3, 2025
This was referenced Apr 3, 2025
Merged
Merged
@Jiashu-Hu
Copy link
Contributor

take

@Jiashu-Hu
Copy link
Contributor

Jiashu-Hu commented Apr 3, 2025
edited
Loading

For now, it might be best to just allow this warning. Since everything is working fine as it is. Alternatively we could try to use 'proc-macro-error2' instead, but that might cause new problems because it's not exactly the same as the old one.

If you agree with this, I'll submit a PR to add this warning to the allowlist for now.

Found a PR from another community that someone trying to replace it with 'proc-macro-error2': yewstack/yew#3752

@jayzhan211
Copy link
Contributor

jayzhan211 commented Apr 4, 2025
edited
Loading

Can we try proc-macro-error2? Unmaintained crate isn't the prefer one to rely on. If it is not trivial or causing too much breaking change, then we can consider adding a warning instead

@xudong963 xudong963 mentioned this issue Apr 4, 2025
Closed
@alamb
Copy link
Contributor Author

alamb commented Apr 4, 2025
edited
Loading

Another approach would be to remove the use of structopt in datafusion benchmarks (and update them to use clap directly...)

While more work this would likely be an easier to maintain long term solution

https://crates.io/crates/structopt

The docs page basically says it is in maintenance mode; https://docs.rs/structopt/0.3.26/structopt/#maintenance

As clap v3 is now out, and the structopt features are integrated into (almost as-is), structopt is now in maintenance mode: no new feature will be added.

@alamb alamb mentioned this issue Apr 4, 2025
Merged
@Jiashu-Hu
Copy link
Contributor

Jiashu-Hu commented Apr 4, 2025
edited
Loading

Another approach would be to remove the use of structopt in datafusion benchmarks (and update them to use clap directly...)

While more work this would likely be an easier to maintain long term solution

https://crates.io/crates/structopt

The docs page basically says it is in maintenance mode; https://docs.rs/structopt/0.3.26/structopt/#maintenance

As clap v3 is now out, and the structopt features are integrated into (almost as-is), structopt is now in maintenance mode: no new feature will be added.

Using proc-macro-error2 could introduce new issues that are tough to resolve, based on the PR I mentioned earlier. Since we got from their experience, I think we may try replace structopt with clap, I will start working on that

@alamb alamb changed the title cargo audit is failing on main security_audit CI check is failing on main Apr 7, 2025
@alamb
Copy link
Contributor Author

alamb commented Apr 7, 2025

I agree that removing structopt is the best approach

To fix the CI check, perhaps we can temporarily ignore that warning as it relates to a tool that is not published as part of DataFusion

@alamb alamb mentioned this issue Apr 7, 2025
Merged
@Jiashu-Hu
Copy link
Contributor

Great, I will go ahead submit a PR to ignore it first

@Jiashu-Hu Jiashu-Hu mentioned this issue Apr 7, 2025
Merged
@alamb
Copy link
Contributor Author

alamb commented Apr 7, 2025
edited
Loading

Thank you so much @Jiashu-Hu

@phillipleblanc phillipleblanc mentioned this issue Apr 8, 2025
Closed
@vijay939295 vijay939295 mentioned this issue Apr 8, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Jiashu-Hu Jiashu-Hu

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ignore security_audit CI check proc-macro-error warning Jiashu-Hu/datafusion
3 participants
@alamb @jayzhan211 @Jiashu-Hu