rustsec

Offline mode

Open janderholm opened this issue 5 years ago • 5 comments

Thanks for a great project!

It looks like cargo audit doesn't honor the offline flag and always tries to fetch crates.io. On the other hand it continues running successfully after failing so I think it's an unnecessary operation?

$ CARGO_NET_OFFLINE=false cargo audit --no-fetch --db /path/to/rustsec-advisory-database

      Loaded 85 security advisories (from /path/to/rustsec-advisory-database)
    Updating crates.io index

warning: couldn't update crates.io index: registry: failed to connect to github.com: Network is unreachable; class=Os (2)

Scanning Cargo.lock for vulnerabilities (245 crate dependencies)

     Success No vulnerable packages found

This is only a minor nuisance for me in my environment where there's no internet connection. I think this is a common situation in many CI systems where all sources are vendored and built offline. But things still work so other than a slight delay things work well. Nothing more than a slight eyesore!

janderholm, Jun 04 '20 10:06

The crates.io index is fetched to determine if any crates in Cargo.lock have been yanked.

That said, it should be easy to ensure it isn't when --no-fetch is used.

tarcieri, Jun 04 '20 15:06

It seems that a fetch = false config in ~/.cargo/audit.toml does not work when I run just cargo audit. Should I place audit.toml in the crates' .cargo directories?

huangjj27, Nov 13 '21 05:11

The correct locations for the configuration are either in ~/.cargo/audit.toml or .cargo/audit.toml of your project, following standard cargo conventions

tarcieri, Nov 13 '21 14:11

> The correct locations for the configuration are either in ~/.cargo/audit.toml or .cargo/audit.toml of your project, following standard cargo conventions

Is it a bug if I still keep fetching when I have a ~/.config/audit.toml with fetch = false in it? It's strange that cargo audit gets my advisory db url but can't get the fetch config. Here is my config:

$ cat ~/.cargo/audit.toml
[database]
url = "https://github.com.cnpmjs.org/rustsec/advisory-db.git"
#url = "https://gitclone.com/github.com/rustsec/advisory-db.git"
fetch = false
stale = true
$ cargo audit
    Fetching advisory database from `https://github.com.cnpmjs.org/rustsec/advisory-db.git`
      Loaded 372 security advisories (from /home/huangjj27/.cargo/advisory-db)
    Updating crates.io index
^C
$ cargo audit --no-fetch
      Loaded 372 security advisories (from /home/huangjj27/.cargo/advisory-db)
    Scanning Cargo.lock for vulnerabilities (226 crate dependencies)

(omit the vulnerabilities details)

error: 6 vulnerabilities found!
warning: 2 allowed warnings found

huangjj27, Nov 16 '21 13:11
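
As an added example (not from the thread or the cargo-audit project), this shell script reads the `fetch` and `stale` keys under `[database]` in the two audit.toml locations named in the thread, so an offline CI job can confirm what is configured before running `cargo audit`. The function names, the sample tree, its URL and its `[other]` section are assumptions constructed for illustration, and the TOML reading is simplified to one key per line.

```shell
# Added example (not cargo-audit code): report the [database] settings found in
# the two audit.toml locations named in the thread.

# Print the value of KEY ($2) under [database] in FILE ($1), or "unset".
# Simplified TOML reading: one key per line, no "#" inside values.
database_key() {
    awk -v key="$2" '
        { sub(/[ \t]*#.*$/, "") }                      # drop comments
        /^[ \t]*\[/ { in_db = ($0 ~ /^[ \t]*\[database\][ \t]*$/); next }
        in_db && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) found = v
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# $1 = home directory, $2 = project directory.
report_audit_configs() {
    for f in "$1/.cargo/audit.toml" "$2/.cargo/audit.toml"; do
        if [ -f "$f" ]; then
            echo "$f: fetch=$(database_key "$f" fetch) stale=$(database_key "$f" stale)"
        else
            echo "$f: missing"
        fi
    done
    # ~/.config/audit.toml is not one of the locations listed in the thread.
    if [ -f "$1/.config/audit.toml" ]; then
        echo "$1/.config/audit.toml: present, but not a listed location"
    fi
}

# Constructed sample tree under DIR ($1); URL and [other] section are made up.
make_sample() {
    mkdir -p "$1/home/.cargo" "$1/proj"
    cat > "$1/home/.cargo/audit.toml" <<'EOF'
[database]
url = "https://example.invalid/advisory-db.git"
#fetch = true
fetch = false   # do not fetch the advisory database
stale = true
[other]
fetch = true
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
report_audit_configs "$tmp/home" "$tmp/proj"
rm -rf "$tmp"
```

On a real machine, call `report_audit_configs "$HOME" "$PWD"` from the project root.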