Add basic shell expansion for dp-path (#613)

`~` has been supported for a while, but this PR expands support to include bash-style environment variable expansion (to a limited degree). Resolves: #612
EmbarkStudios · Feb 23, 2024 · 8b842b4 · 8b842b4
1 parent c5721db
commit 8b842b4
Show file tree

Hide file tree

Showing 12 changed files with 480 additions and 125 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -50,7 +50,6 @@ jobs:
 
   self:
     name: Check Users
-    if: false # disabled for now
     strategy:
       matrix:
         include:
@@ -80,8 +79,8 @@ jobs:
         run: cargo install --path . --debug --target ${{ matrix.target }}
       - name: self check
         run: cargo deny -L debug --all-features --locked check
-      - name: check external users
-        run: ./scripts/check_external.sh
+      # - name: check external users
+      #   run: ./scripts/check_external.sh
 
   # Build `mdBook` documentation and upload it as a temporary build artifact
   doc-book:
@@ -211,3 +210,10 @@ jobs:
           GITHUB_DEPLOY_KEY: ${{ secrets.GITHUB_DEPLOY_KEY }}
           BUILD_REPOSITORY_ID: ${{ github.repository }}
           BUILD_SOURCEVERSION: ${{ github.sha }}
+
+
+  test_success:
+    runs-on: ubuntu-22.04
+    needs: [lint,test,self,publish-check,doc-book]
+    steps:
+    - run: echo "All test jobs passed"
diff --git a/deny.template.toml b/deny.template.toml
@@ -63,18 +63,10 @@ feature-depth = 1
 # More documentation for the advisories section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
-# The path where the advisory database is cloned/fetched into
-db-path = "~/.cargo/advisory-db"
+# The path where the advisory databases are cloned/fetched into
+#db-path = "$CARGO_HOME/advisory-dbs"
 # The url(s) of the advisory databases to use
-db-urls = ["https://github.com/rustsec/advisory-db"]
-# The lint level for security vulnerabilities
-vulnerability = "deny"
-# The lint level for unmaintained crates
-unmaintained = "warn"
-# The lint level for crates that have been yanked from their source registry
-yanked = "warn"
-# The lint level for crates with security notices.
-notice = "warn"
+#db-urls = ["https://github.com/rustsec/advisory-db"]
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
 ignore = [
@@ -93,8 +85,6 @@ ignore = [
 # More documentation for the licenses section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
 [licenses]
-# The lint level for crates which do not have a detectable license
-unlicensed = "deny"
 # List of explicitly allowed licenses
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
@@ -103,22 +93,6 @@ allow = [
     #"Apache-2.0",
     #"Apache-2.0 WITH LLVM-exception",
 ]
-# Lint level for licenses considered copyleft
-copyleft = "warn"
-# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
-# * both - The license will be approved if it is both OSI-approved *AND* FSF
-# * either - The license will be approved if it is either OSI-approved *OR* FSF
-# * osi - The license will be approved if it is OSI approved
-# * fsf - The license will be approved if it is FSF Free
-# * osi-only - The license will be approved if it is OSI-approved *AND NOT* FSF
-# * fsf-only - The license will be approved if it is FSF *AND NOT* OSI-approved
-# * neither - This predicate is ignored and the default lint level is used
-allow-osi-fsf-free = "neither"
-# Lint level used when no other predicates are matched
-# 1. License isn't in the allow or deny lists
-# 2. License isn't copyleft
-# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
-default = "deny"
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the
 # canonical license text of a valid SPDX license file.

diff --git a/docs/src/checks/advisories/cfg.md b/docs/src/checks/advisories/cfg.md
@@ -16,51 +16,61 @@ Default: [RustSec Advisory DB](https://github.com/RustSec/advisory-db)
 
 ### The `db-path` field (optional)
 
-Path to the root directory into which one or more advisory databases are cloned into
+Path to the root directory into which one or more advisory databases are cloned into.
 
-Default: `~/.cargo/advisory-db`
+This value supports basic shell expansion:
+
+- `~` - Expands to [`home::home_dir`](https://docs.rs/home/latest/home/fn.home_dir.html)
+- `$VARNAME` - Expands to [`std::env::var("VARNAME")`](https://doc.rust-lang.org/std/env/fn.var.html)
+- `${VARNAME}` - Expands to [`std::env::var("VARNAME")`](https://doc.rust-lang.org/std/env/fn.var.html)
+- `${VARNAME:-fallback}` - Expands to [`std::env::var("VARNAME")`](https://doc.rust-lang.org/std/env/fn.var.html) or the fallback value if it doesn't exist (everything between the `:-` and `}`)
+- `$CARGO_HOME` - Expands to [`std::env::var("CARGO_HOME")`](https://doc.rust-lang.org/std/env/fn.var.html) if it exists, otherwise expands to `$(home::home_dir())/.cargo`
+
+Note that the path must be valid utf-8, after expansion.
+
+Default: `$CARGO_HOME/advisory-dbs`
 
 ### The `vulnerability` field (optional)
 
 Determines what happens when a crate with a security vulnerability is encountered.
 
-* `deny` (default) - Will emit an error with details about each vulnerability, and fail the check.
-* `warn` - Prints a warning for each vulnerability, but does not fail the check.
-* `allow` - Prints a note about the security vulnerability, but does not fail the check.
+- `deny` (default) - Will emit an error with details about each vulnerability, and fail the check.
+- `warn` - Prints a warning for each vulnerability, but does not fail the check.
+- `allow` - Prints a note about the security vulnerability, but does not fail the check.
 
 ### The `unmaintained` field (optional)
 
 Determines what happens when a crate with an `unmaintained` advisory is encountered.
 
-* `deny` - Will emit an error with details about the unmaintained advisory, and fail the check.
-* `warn` (default) - Prints a warning for each unmaintained advisory, but does not fail the check.
-* `allow` - Prints a note about the unmaintained advisory, but does not fail the check.
+- `deny` - Will emit an error with details about the unmaintained advisory, and fail the check.
+- `warn` (default) - Prints a warning for each unmaintained advisory, but does not fail the check.
+- `allow` - Prints a note about the unmaintained advisory, but does not fail the check.
 
 ### The `unsound` field (optional)
 
 Determines what happens when a crate with an `unsound` advisory is encountered.
 
-* `deny` - Will emit an error with details about the unsound advisory, and fail the check.
-* `warn` (default) - Prints a warning for each unsound advisory, but does not fail the check.
-* `allow` - Prints a note about the unsound advisory, but does not fail the check.
+- `deny` - Will emit an error with details about the unsound advisory, and fail the check.
+- `warn` (default) - Prints a warning for each unsound advisory, but does not fail the check.
+- `allow` - Prints a note about the unsound advisory, but does not fail the check.
 
 ### The `yanked` field (optional)
 
 Determines what happens when a crate with a version that has been yanked from its source registry is encountered.
 
-* `deny` - Will emit an error with the crate name and version that was yanked, and fail the check.
-* `warn` (default) - Prints a warning with the crate name and version that was yanked, but does not fail the check.
-* `allow` - Prints a note about the yanked crate, but does not fail the check.
+- `deny` - Will emit an error with the crate name and version that was yanked, and fail the check.
+- `warn` (default) - Prints a warning with the crate name and version that was yanked, but does not fail the check.
+- `allow` - Prints a note about the yanked crate, but does not fail the check.
 
 ### The `notice` field (optional)
 
 Determines what happens when a crate with a `notice` advisory is encountered.
 
 **NOTE**: As of 2019-12-17 there are no `notice` advisories in the [RustSec Advisory DB](https://github.com/RustSec/advisory-db)
 
-* `deny` - Will emit an error with details about the notice advisory, and fail the check.
-* `warn` (default) - Prints a warning for each notice advisory, but does not fail the check.
-* `allow` - Prints a note about the notice advisory, but does not fail the check.
+- `deny` - Will emit an error with details about the notice advisory, and fail the check.
+- `warn` (default) - Prints a warning for each notice advisory, but does not fail the check.
+- `allow` - Prints a note about the notice advisory, but does not fail the check.
 
 ### The `ignore` field (optional)
 
@@ -81,18 +91,18 @@ In addition, yanked crate versions can be ignored by specifying a [PackageSpec](
 
 The threshold for security vulnerabilities to be turned into notes instead of warnings or errors, depending upon its [CVSS](https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) score. So having a high threshold means some vulnerabilities might not fail the check, but having a log level `>= info` will mean that a note will be printed instead of a warning or error, depending on `[advisories.vulnerability]`.
 
-* `None` (default) - CVSS Score 0.0
-* `Low` - CVSS Score 0.1 - 3.9
-* `Medium` - CVSS Score 4.0 - 6.9
-* `High` - CVSS Score 7.0 - 8.9
-* `Critical` - CVSS Score 9.0 - 10.0
+- `None` (default) - CVSS Score 0.0
+- `Low` - CVSS Score 0.1 - 3.9
+- `Medium` - CVSS Score 4.0 - 6.9
+- `High` - CVSS Score 7.0 - 8.9
+- `Critical` - CVSS Score 9.0 - 10.0
 
 ### The `git-fetch-with-cli` field (optional)
 
 Similar to cargo's [net.git-fetch-with-cli](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli), this field allows you to opt-in to fetching advisory databases with the git CLI rather than using `gix`.
 
-* `false` (default) - Fetches advisory databases via `gix`
-* `true` - Fetches advisory databases using `git`. Git must be installed and in `PATH`.
+- `false` (default) - Fetches advisory databases via `gix`
+- `true` - Fetches advisory databases using `git`. Git must be installed and in `PATH`.
 
 ### The `maximum-db-staleness` field (optional)
 
@@ -122,5 +132,5 @@ Note that while the spec supports `,` as a decimal separator, for simplicity car
 
 One final note, there are 2 units available in the format that are not exact, namely, year 'Y' and month 'M'. It's not recommended to use either of them for that reason, but if you do they are calculated as follows.
 
-* 1 year = 365 days
-* 1 month = 30.43 days
+- 1 year = 365 days
+- 1 month = 30.43 days