Add advisories.unmaintained back (#753)

Adds back the `unmaintained` field for the advisories config, but it now
uses a scope rather than a lint level.

Resolves: #752

Author: Jake-Shadle

CHANGELOG.md

@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Added
+- [PR#753](https://github.com/EmbarkStudios/cargo-deny/pull/753) resolved [#752](https://github.com/EmbarkStudios/cargo-deny/issues/752) by adding back the `advisories.unmaintained` config option. See the [docs](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional) for how it can be used. The default matches the current behavior, which is to error on any `unmaintained` advisory, but adding `unmaintained = "workspace"` to the `[advisories]` table will mean unmaintained advisories will only error if the crate is a direct dependency of your workspace.
+
 ## [0.18.1] - 2025-02-27
 ### Fixed
 - [PR#749](https://github.com/EmbarkStudios/cargo-deny/pull/749) updated `krates` to pull in the fix for [EmbarkStudios/krates#100](https://github.com/EmbarkStudios/krates/issues/100).

Cargo.lock

@@ -11,7 +11,7 @@ targets = [
 all-features = true
 
 [advisories]
-version = 2
+unmaintained = "workspace"
 ignore = [
 ]
 

deny.toml

@@ -14,7 +14,12 @@ You can also use your own advisory databases instead of, or in addition to, the
 
 ## Use Case - Detecting unmaintained crates
 
-The [advisory database](https://github.com/RustSec/advisory-db) also contains advisories for unmaintained crates, which in most cases users will want to avoid in favor of more actively maintained crates.
+The [advisory database](https://github.com/RustSec/advisory-db) also contains advisories for unmaintained crates, which in most cases users will want to avoid in favor of more actively maintained crates. By default, all `unmaintained` advisories will result in an error, but by using the following config you can error only if you directly depend on an unmaintained crate from your workspace.
+
+```ini
+[advisories]
+unmaintained = 'workspace'
+```
 
 ## Example output
 

docs/src/checks/advisories/README.md

@@ -39,7 +39,6 @@ version = 2
 The version field is (at the time of this writing) no longer used, the following fields have been removed and will now emit errors.
 
 - `vulnerability` - Removed, all vulnerability advisories now emit errors.
-- `unmaintained` - Removed, all unmaintained advisories now emit errors.
 - `unsound` - Removed, all unsound advisories now emit errors.
 - `notice` - Removed, all notice advisories now emit errors.
 - `severity-threshold` - Removed, all vulnerability advisories now emit errors.
@@ -69,6 +68,19 @@ Every advisory in the advisory database contains a unique identifier, eg. `RUSTS
 
 In addition, yanked crate versions can be ignored by specifying a [PackageSpec](../cfg.md#package-spec) with an optional `reason`.
 
+### The `unmaintained` field (optional)
+
+```ini
+unmaintained = 'workspace'
+```
+
+Determines if ummaintained advisories will result in an error. An unmaintained error can still be ignored specifically via the [`ignore`](#the-ignore-field-optional) option.
+
+- `all` (default) - Any crate that matches an unmaintained advisory will fail
+- `workspace` - Unmaintained advisories will only fail if they apply to a crate which is a direct dependency of one or more workspace crates.
+- `transitive` - Unmaintained advisories will only fail if they apply to a crate which is **not** a direct dependency of one or more workspace crates.
+- `none` - Unmaintained advisories are completely ignored.
+
 ### The `git-fetch-with-cli` field (optional)
 
 Similar to cargo's [net.git-fetch-with-cli](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli), this field allows you to opt-in to fetching advisory databases with the git CLI rather than using `gix`.

docs/src/checks/advisories/cfg.md

@@ -3,19 +3,19 @@
 <!-- markdownlint-disable-next-line heading-increment -->
 ### `vulnerability`
 
-A [`vulnerability`](cfg.md#the-vulnerability-field-optional) advisory was detected for a crate.
+A `vulnerability` advisory was detected for a crate.
 
 ### `notice`
 
-A [`notice`](cfg.md#the-notice-field-optional) advisory was detected for a crate.
+A `notice` advisory was detected for a crate.
 
 ### `unmaintained`
 
 An [`unmaintained`](cfg.md#the-unmaintained-field-optional) advisory was detected for a crate.
 
 ### `unsound`
 
-An [`unsound`](cfg.md#the-unsound-field-optional) advisory was detected for a crate.
+An `unsound` advisory was detected for a crate.
 
 ### `yanked`
 

docs/src/checks/advisories/diags.md

@@ -73,8 +73,55 @@ pub fn check<R, S>(
     let mut ignore_hits: BitVec = BitVec::repeat(false, ctx.cfg.ignore.len());
     let mut ignore_yanked_hits: BitVec = BitVec::repeat(false, ctx.cfg.ignore_yanked.len());
 
+    use crate::cfg::Scope;
+    let ws_set = if matches!(
+        ctx.cfg.unmaintained.value,
+        Scope::Workspace | Scope::Transitive
+    ) {
+        ctx.krates
+            .workspace_members()
+            .filter_map(|wm| {
+                if let krates::Node::Krate { id, .. } = wm {
+                    Some(id.clone())
+                } else {
+                    None
+                }
+            })
+            .collect::<std::collections::BTreeSet<_>>()
+    } else {
+        Default::default()
+    };
+
     // Emit diagnostics for any advisories found that matched crates in the graph
-    for (krate, advisory) in &report.advisories {
+    'lup: for (krate, advisory) in &report.advisories {
+        'block: {
+            if advisory
+                .metadata
+                .informational
+                .as_ref()
+                .is_some_and(|info| info.is_unmaintained())
+            {
+                match ctx.cfg.unmaintained.value {
+                    Scope::All => break 'block,
+                    Scope::None => continue 'lup,
+                    Scope::Workspace | Scope::Transitive => {
+                        let nid = ctx.krates.nid_for_kid(&krate.id).unwrap();
+                        let dds = ctx.krates.direct_dependents(nid);
+
+                        let transitive = ctx.cfg.unmaintained.value == Scope::Transitive;
+                        if dds
+                            .iter()
+                            .any(|dd| ws_set.contains(&dd.krate.id) ^ transitive)
+                        {
+                            break 'block;
+                        }
+
+                        continue 'lup;
+                    }
+                }
+            }
+        }
+
         let diag = ctx.diag_for_advisory(
             krate,
             &advisory.metadata,

src/advisories.rs

@@ -1,6 +1,6 @@
 use crate::{
     LintLevel, PathBuf, Span, Spanned,
-    cfg::{PackageSpecOrExtended, Reason, ValidationContext},
+    cfg::{PackageSpecOrExtended, Reason, Scope, ValidationContext},
     diag::{Diagnostic, FileId, Label},
     utf8path,
 };
@@ -75,6 +75,8 @@ pub struct Config {
     pub yanked: Spanned<LintLevel>,
     /// Ignore advisories for the given IDs
     ignore: Vec<Spanned<IgnoreId>>,
+    /// Whether to error on unmaintained advisories, and for what scope
+    pub unmaintained: Spanned<Scope>,
     /// Ignore yanked crates
     pub ignore_yanked: Vec<Spanned<PackageSpecOrExtended<Reason>>>,
     /// Use the git executable to fetch advisory database rather than gitoxide
@@ -98,6 +100,7 @@ impl Default for Config {
             db_path: None,
             db_urls: Vec::new(),
             ignore: Vec::new(),
+            unmaintained: Spanned::new(crate::cfg::Scope::All),
             ignore_yanked: Vec::new(),
             yanked: Spanned::new(LintLevel::Warn),
             git_fetch_with_cli: None,
@@ -145,10 +148,11 @@ impl<'de> Deserialize<'de> for Config {
         let mut fdeps = Vec::new();
 
         let _vulnerability = deprecated::<LintLevel>(&mut th, "vulnerability", &mut fdeps);
-        let _unmaintained = deprecated::<LintLevel>(&mut th, "unmaintained", &mut fdeps);
         let _unsound = deprecated::<LintLevel>(&mut th, "unsound", &mut fdeps);
         let _notice = deprecated::<LintLevel>(&mut th, "notice", &mut fdeps);
 
+        let unmaintained = th.optional_s::<Scope>("unmaintained");
+
         let yanked = th
             .optional_s("yanked")
             .unwrap_or(Spanned::new(LintLevel::Warn));
@@ -293,6 +297,7 @@ impl<'de> Deserialize<'de> for Config {
             db_urls,
             yanked,
             ignore,
+            unmaintained: unmaintained.unwrap_or(Spanned::new(Scope::All)),
             ignore_yanked,
             git_fetch_with_cli,
             disable_yank_checking,
@@ -392,6 +397,7 @@ impl crate::cfg::UnvalidatedConfig for Config {
             db_path: db_path.unwrap_or_default(), // If we failed to get a path the default won't be used since errors will have occurred
             db_urls,
             ignore: ignore.into_iter().map(|s| s.value).collect(),
+            unmaintained: self.unmaintained,
             ignore_yanked: ignore_yanked
                 .into_iter()
                 .map(|s| crate::bans::SpecAndReason {
@@ -415,6 +421,7 @@ pub struct ValidConfig {
     pub db_path: PathBuf,
     pub db_urls: Vec<Spanned<Url>>,
     pub(crate) ignore: Vec<IgnoreId>,
+    pub(crate) unmaintained: Spanned<Scope>,
     pub(crate) ignore_yanked: Vec<crate::bans::SpecAndReason>,
     pub yanked: Spanned<LintLevel>,
     pub git_fetch_with_cli: bool,

src/advisories/cfg.rs

@@ -14,6 +14,7 @@ expression: validated
       "reason": null
     }
   ],
+  "unmaintained": "Workspace",
   "ignore_yanked": [
     {
       "spec": {

src/advisories/snapshots/cargo_deny__advisories__cfg__test__deserializes_advisories_cfg-2.snap

@@ -52,6 +52,22 @@ pub trait UnvalidatedConfig {
     fn validate(self, ctx: ValidationContext<'_>) -> Self::ValidCfg;
 }
 
+#[derive(Copy, Clone, PartialEq, strum::VariantNames, strum::VariantArray)]
+#[cfg_attr(test, derive(serde::Serialize))]
+#[strum(serialize_all = "kebab-case")]
+pub enum Scope {
+    /// Matches any crate
+    All,
+    /// Matches crates in the workspace
+    Workspace,
+    /// Matches external crates
+    Transitive,
+    /// Matches no crates
+    None,
+}
+
+crate::enum_deser!(Scope);
+
 #[derive(Clone)]
 #[cfg_attr(test, derive(Debug, PartialEq, Eq, serde::Serialize))]
 pub struct Reason(pub Spanned<String>);

src/cfg.rs

@@ -88,21 +88,81 @@ fn detects_vulnerabilities() {
 fn detects_unmaintained() {
     let TestCtx { dbs, krates } = load();
 
-    let cfg = tu::Config::new("");
+    fn unmaintained_advisories(v: Vec<serde_json::Value>) -> Vec<serde_json::Value> {
+        v.into_iter()
+            .filter(|diag| {
+                diag.pointer("/fields/code").and_then(|code| code.as_str()) == Some("unmaintained")
+            })
+            .collect()
+    }
 
-    let diags =
-        tu::gather_diagnostics::<cfg::Config, _, _>(&krates, func_name!(), cfg, |ctx, tx| {
-            advisories::check(
-                ctx,
-                &dbs,
-                Option::<advisories::NoneReporter>::None,
-                None,
-                tx,
-            );
-        });
+    {
+        let cfg = tu::Config::new("");
+
+        let diags =
+            tu::gather_diagnostics::<cfg::Config, _, _>(&krates, func_name!(), cfg, |ctx, tx| {
+                advisories::check(
+                    ctx,
+                    &dbs,
+                    Option::<advisories::NoneReporter>::None,
+                    None,
+                    tx,
+                );
+            });
+
+        insta::assert_json_snapshot!(unmaintained_advisories(diags));
+    }
 
-    let unmaintained_diag = find_by_code(&diags, "RUSTSEC-2016-0004").unwrap();
-    insta::assert_json_snapshot!(unmaintained_diag);
+    {
+        let cfg = tu::Config::new("unmaintained = 'workspace'");
+
+        let diags =
+            tu::gather_diagnostics::<cfg::Config, _, _>(&krates, func_name!(), cfg, |ctx, tx| {
+                advisories::check(
+                    ctx,
+                    &dbs,
+                    Option::<advisories::NoneReporter>::None,
+                    None,
+                    tx,
+                );
+            });
+
+        insta::assert_json_snapshot!(unmaintained_advisories(diags));
+    }
+
+    {
+        let cfg = tu::Config::new("unmaintained = 'transitive'");
+
+        let diags =
+            tu::gather_diagnostics::<cfg::Config, _, _>(&krates, func_name!(), cfg, |ctx, tx| {
+                advisories::check(
+                    ctx,
+                    &dbs,
+                    Option::<advisories::NoneReporter>::None,
+                    None,
+                    tx,
+                );
+            });
+
+        insta::assert_json_snapshot!(unmaintained_advisories(diags));
+    }
+
+    {
+        let cfg = tu::Config::new("unmaintained = 'none'");
+
+        let diags =
+            tu::gather_diagnostics::<cfg::Config, _, _>(&krates, func_name!(), cfg, |ctx, tx| {
+                advisories::check(
+                    ctx,
+                    &dbs,
+                    Option::<advisories::NoneReporter>::None,
+                    None,
+                    tx,
+                );
+            });
+
+        insta::assert_json_snapshot!(unmaintained_advisories(diags));
+    }
 }
 
 /// Validates we emit diagnostics when an unsound advisory is detected

tests/advisories.rs

@@ -6,3 +6,4 @@ ignore = [
     "crate@0.1",
     { crate = "yanked", reason = "a new version has not been released" },
 ]
+unmaintained = "workspace"