From 98900af70350127b058c4868263fe9343eb0556f Mon Sep 17 00:00:00 2001
From: Marco Neumann
Date: Tue, 21 Sep 2021 11:01:30 +0200
Subject: [PATCH 1/2] ci: add cargo audit

For now we ignore warnings (e.g. "crate is yanked" or "crate is unmaintained") because:
- internal crates w/ names of crates.io crates (e.g. `query`) are treated like crates.io-crates even though they shouldn't, see https://github.com/rustsec/rustsec/issues/232
- many crates are currently unmaintained and require a bit of upstream work (e.g. `chrono` is currently not very active but uses an old version of `time` which uses the unmaintained `stdweb`)

Closes #2575.
---
 .circleci/config.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4f6cd23394..4c88bb10d6 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -89,6 +89,26 @@ jobs:
 name: Clippy
 command: cargo clippy --all-targets --workspace -- -D warnings
 - cache_save
+ cargo_audit:
+ docker:
+ - image: quay.io/influxdb/rust:ci
+ environment:
+ # Disable incremental compilation to avoid overhead. We are not preserving these files anyway.
+ CARGO_INCREMENTAL: "0"
+ # Disable full debug symbol generation to speed up CI build
+ # "1" means line tables only, which is useful for panic tracebacks.
+ RUSTFLAGS: "-C debuginfo=1"
+ steps:
+ - checkout
+ - rust_components
+ - cache_restore
+ - run:
+ name: Install Cargo Audit
+ command: cargo install --force cargo-audit
+ - run:
+ name: Cargo Audit
+ command: cargo audit
+ - cache_save
 doc:
 docker:
 - image: quay.io/influxdb/rust:ci
@@ -383,6 +403,7 @@ workflows:
 jobs:
 - fmt
 - lint
+ - cargo_audit
 - protobuf-lint
 - test
 - test_heappy
@@ -406,6 +427,10 @@ workflows:
 filters:
 branches:
 only: main
+ - cargo_audit:
+ filters:
+ branches:
+ only: main
 - test:
 filters:
 branches:
@@ -421,6 +446,7 @@ workflows:
 requires:
 # Only do a release build if all tests have passed
 - fmt
 - lint
+ - cargo_audit
 - test
 - build 
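Review bot: `command: cargo install --force cargo-audit` in the new cargo_audit job installs whatever cargo-audit version crates.io serves at run time, so the tool that gates the release build (the `@@ -421` hunk adds it to `requires`) is itself an unpinned dependency that can change behaviour or break the pipeline without any change in this repository. Pin it and respect its own lockfile, e.g. `command: cargo install --locked --version <PINNED_VERSION> cargo-audit`, and bump the version deliberately. The install step also compiles the tool from source on every run; if cache_restore/cache_save only cover the target directory rather than `~/.cargo/bin` (their definitions are not visible here), the binary is never cached and every run pays that cost, which is worth confirming. The remaining three hunks only wire the job into the workflows and need no change.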
From a80f6dfc3e4db7f9f63a14ea98c42fe8969981a3 Mon Sep 17 00:00:00 2001
From: Marco Neumann
Date: Tue, 21 Sep 2021 15:43:12 +0200
Subject: [PATCH 2/2] ci: deny cargo audit warnings

---
 .cargo/audit.toml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .cargo/audit.toml

diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 0000000000..fe66912f31
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,33 @@
+[advisories]
+ignore = [
+ # title: term is looking for a new maintainer
+ # why needed: used by `prettytable-rs` which is directly used by IOx but also by arrow
+ # upstream issue: https://github.com/phsym/prettytable-rs/issues/119
+ "RUSTSEC-2018-0015",
+
+ # title: memmap is unmaintained
+ # why needed: used by `symbolic` which is used by `pprof`
+ # upstream issue: https://github.com/getsentry/symbolic/issues/304
+ "RUSTSEC-2020-0077",
+
+ # title: difference is unmaintained
+ # why needed: used by `mockito`
+ # upstream issue: https://github.com/lipanski/mockito/issues/132
+ "RUSTSEC-2020-0095",
+]
+
+[output]
+deny = [
+ "unmaintained",
+ "unsound",
+ "yanked",
+]
+quiet = false
+
+[yanked]
+# interaction of workspace-local crates and crates.io is currently broken (e.g. for `query`)
+# see https://github.com/rustsec/rustsec/issues/232
+enabled = false
+
+# currently broken on CircleCI due to https://github.com/rustsec/rustsec/issues/292
+update_index = false
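Review bot: `deny` lists `"yanked"` under `[output]`, but `[yanked] enabled = false` a few lines below switches the yanked check off entirely, so that entry currently has no effect and a reader of this file may believe yanked crates fail the build when they do not. Keep it for when the linked rustsec issue is fixed, but say so next to it: `"yanked", # no effect until [yanked].enabled is turned back on (see below)`. The three ignored advisories each record why and link an upstream issue, which is good; since ignore entries never expire on their own, a header on the list such as `# re-check each entry when its upstream issue closes; an ignore hides later severity changes to that advisory` would keep them from silently outliving their reason.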