Prep release (#444)

* Update CHANGELOG

* Update crates

Author: Jake-Shadle

CHANGELOG.md

@@ -8,6 +8,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Added
+- [PR#431](https://github.com/EmbarkStudios/cargo-deny/pull/432) resolved [#19](https://github.com/EmbarkStudios/cargo-deny/issues/19) by adding support for an allow list for build scripts, allowing a project to opt in (or deny completely) build scripts on a case by case basis rather than blanket allowing all build scripts. See the [`bans.allow-build-scripts`](https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-allow-build-scripts-field-optional) config option for more details. Thanks [@Stupremee](https://github.com/Stupremee)!
+
+### Fixed
+- [PR#430](https://github.com/EmbarkStudios/cargo-deny/pull/430) fixed an issue where local/git crates could be flagged as "yanked" if they shared a name and version with a crates.io crate that was yanked from the registry, resolving [#441](https://github.com/EmbarkStudios/cargo-deny/issues/441) before it was even opened. Thanks [@khuey](https://github.com/khuey)!
+- [PR#440](https://github.com/EmbarkStudios/cargo-deny/pull/440) fixed [#438](https://github.com/EmbarkStudios/cargo-deny/issues/438) by ensuring git cli output was piped properly rather than polluting the output of cargo-deny itself.
+- [PR#443](https://github.com/EmbarkStudios/cargo-deny/pull/443) fixed [#442](https://github.com/EmbarkStudios/cargo-deny/issues/442) by removing the signature check on the HEAD commit an advisory databases. This check didn't add meaningful security and could cause spurious failures if an unsigned commit was pushed to an advisory database.
+
+### Changed
+- [PR#431](https://github.com/EmbarkStudios/cargo-deny/pull/431) updated clap to 3.2. Thanks [@epage](https://github.com/epage)!
+
 ## [0.12.1] - 2022-05-19
 ### Fixed
 - [PR#426](https://github.com/EmbarkStudios/cargo-deny/pull/426) fixed an oversight in [PR#422](https://github.com/EmbarkStudios/cargo-deny/pull/422), fully resolving [#412](https://github.com/EmbarkStudios/cargo-deny/issues/412) by allowing both `https` and `ssh` URLs for advisory databases. Thanks [@jbg](https://github.com/jbg)!

Cargo.lock

@@ -28,7 +28,11 @@ path = "src/cargo-deny/main.rs"
 default = ["vendored-openssl"]
 # Allows the use of a vendored version openssl when compiling libgit, which allows
 # us to compile static executables (eg musl) and avoid system dependencies
-vendored-openssl = ["cargo?/vendored-openssl", "crates-index/vendored-openssl", "git2/vendored-openssl"]
+vendored-openssl = [
+  "cargo?/vendored-openssl",
+  "crates-index/vendored-openssl",
+  "git2/vendored-openssl",
+]
 # Allows embedding cargo as a library so that we can run in minimal (eg container)
 # environments that don't need to have cargo/rust installed on them for cargo-deny
 # to still function
@@ -46,7 +50,7 @@ atty = "0.2"
 # Used to track various things during check runs
 bitvec = { version = "1.0", features = ["alloc"] }
 # Allows us to do eg cargo metadata operations without relying on an external cargo
-cargo = { version = "0.61", optional = true }
+cargo = { version = "0.63", optional = true }
 # Argument parsing
 clap = { version = "3.2.1", features = ["derive", "env"] }
 # Used for diagnostic reporting
@@ -65,20 +69,20 @@ git2 = "0.14"
 # We need to figure out HOME/CARGO_HOME in some cases
 home = "0.5"
 # Provides graphs on top of cargo_metadata
-krates = { version = "0.10", features = ["targets"] }
+krates = { version = "0.11", features = ["targets"] }
 # Log macros
 log = "0.4"
 # Moar brrrr
 rayon = "1.4"
 # Used for interacting with advisory databases
-rustsec = { version = "0.25", default-features = false }
+rustsec = { version = "0.26", default-features = false }
 # Parsing and checking of versions/version requirements
 semver = "1.0"
 # Gee what could it be
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 # Avoid some heap allocations when we likely won't need them
-smallvec = "1.6"
+smallvec = "1.9"
 # Used for parsing and checking SPDX license expressions
 spdx = "0.8"
 # Timestamp emission

Cargo.toml

@@ -1,7 +1,7 @@
 use crate::{Krate, Krates};
 use anyhow::{Context, Error};
 use log::{debug, info};
-pub use rustsec::{advisory::Id, lockfile::Lockfile, Database, Vulnerability};
+pub use rustsec::{advisory::Id, Database, Lockfile, Vulnerability};
 use std::path::{Path, PathBuf};
 use url::Url;
 
@@ -659,7 +659,7 @@ pub(crate) fn krate_for_pkg<'a>(
         .map(|(ind, krate)| (ind, &krate.krate))
 }
 
-pub use rustsec::warning::{Kind, Warning};
+pub use rustsec::{Warning, WarningKind};
 
 pub struct Report {
     pub vulnerabilities: Vec<Vulnerability>,
@@ -685,7 +685,6 @@ impl Report {
             // any here
             target_arch: None,
             target_os: None,
-            package_scope: None,
             // We handle the severity ourselves
             severity: None,
             // We handle the ignoring of particular advisory ids ourselves
@@ -728,9 +727,9 @@ impl Report {
                 }
 
                 match kind {
-                    Kind::Notice => notices.append(&mut wi),
-                    Kind::Unmaintained => unmaintained.append(&mut wi),
-                    Kind::Unsound => unsound.append(&mut wi),
+                    WarningKind::Notice => notices.append(&mut wi),
+                    WarningKind::Unmaintained => unmaintained.append(&mut wi),
+                    WarningKind::Unsound => unsound.append(&mut wi),
                     _ => unreachable!(),
                 }
             }
@@ -745,12 +744,16 @@ impl Report {
         }
     }
 
-    pub fn iter_warnings(&self) -> impl Iterator<Item = (Kind, &Warning)> {
+    pub fn iter_warnings(&self) -> impl Iterator<Item = (WarningKind, &Warning)> {
         self.notices
             .iter()
-            .map(|wi| (Kind::Notice, wi))
-            .chain(self.unmaintained.iter().map(|wi| (Kind::Unmaintained, wi)))
-            .chain(self.unsound.iter().map(|wi| (Kind::Unsound, wi)))
+            .map(|wi| (WarningKind::Notice, wi))
+            .chain(
+                self.unmaintained
+                    .iter()
+                    .map(|wi| (WarningKind::Unmaintained, wi)),
+            )
+            .chain(self.unsound.iter().map(|wi| (WarningKind::Unsound, wi)))
     }
 }
 

src/advisories/helpers.rs

@@ -94,7 +94,7 @@ pub mod sources;
 pub use cfg::{Spanned, UnvalidatedConfig};
 use krates::cm;
 pub use krates::{DepKind, Kid, Utf8PathBuf};
-pub use rustsec::package::source::SourceId;
+pub use rustsec::package::SourceId;
 
 /// The possible lint levels for the various lints. These function similarly
 /// to the standard [Rust lint levels](https://doc.rust-lang.org/rustc/lints/levels.html)

src/lib.rs

@@ -71,7 +71,7 @@ pub fn check(ctx: crate::CheckCtx<'_, ValidConfig>, mut sink: ErrorSink) {
         } else if source.is_git() {
             // Ensure the git source has at least the minimum specification
             if let Some((min, cfg_coord)) = &min_git_spec {
-                pub use rustsec::package::source::GitReference;
+                pub use rustsec::package::GitReference;
 
                 let spec = source
                     .git_reference()