Add cargo-audit to build (also track in cgmanifest.json) (#3403)

Fixes #1647

Author: danieljurek

eng/cgmanifest.json

@@ -8,6 +8,13 @@
         "cargo": { "name": "cargo-semver-checks", "version": "0.45.0" }
       },
       "developmentDependency": true
+    },
+    {
+      "component": {
+        "type": "cargo",
+        "cargo": { "name": "cargo-audit", "version": "0.22.0" }
+      },
+      "developmentDependency": true
     }
   ]
 }

eng/scripts/Analyze-Code.ps1

@@ -13,56 +13,62 @@ $ErrorActionPreference = 'Stop'
 Set-StrictMode -Version 2.0
 
 . (Join-Path $PSScriptRoot '..' 'common' 'scripts' 'common.ps1')
+. ([System.IO.Path]::Combine($PSScriptRoot, 'shared', 'Cargo.ps1'))
 
 Write-Host @"
 Analyzing code with
     RUSTFLAGS: '${env:RUSTFLAGS}'
     RUSTDOCFLAGS: '${env:RUSTDOCFLAGS}'
+    RUST_LOG: '${env:RUST_LOG}'
 "@
 
 if ($CheckWasm) {
-  Invoke-LoggedCommand "rustup target add wasm32-unknown-unknown"
+  Invoke-LoggedCommand "rustup target add wasm32-unknown-unknown" -GroupOutput
 }
 
 if ($Deny) {
-  Invoke-LoggedCommand "cargo install cargo-deny --locked"
+  Invoke-LoggedCommand "cargo install cargo-deny --locked" -GroupOutput
 }
 
-Invoke-LoggedCommand "cargo check --package azure_core --all-features --all-targets --keep-going"
+$cargoAuditVersionParams = Get-VersionParamsFromCgManifest cargo-audit
+Invoke-LoggedCommand "cargo install cargo-audit --locked $($cargoAuditVersionParams -join ' ')" -GroupOutput
+Invoke-LoggedCommand "cargo audit" -GroupOutput
 
-Invoke-LoggedCommand "cargo fmt --all -- --check"
+Invoke-LoggedCommand "cargo check --package azure_core --all-features --all-targets --keep-going" -GroupOutput
 
-Invoke-LoggedCommand "cargo clippy --workspace --all-features --all-targets --keep-going --no-deps"
+Invoke-LoggedCommand "cargo fmt --all -- --check" -GroupOutput
+
+Invoke-LoggedCommand "cargo clippy --workspace --all-features --all-targets --keep-going --no-deps" -GroupOutput
 
 if ($CheckWasm) {
   # Save the original RUSTFLAGS to restore later
   $OriginalRustFlags = $env:RUSTFLAGS
   # This is needed to ensure that the `getrandom` crate uses the `wasm_js` backend
   $env:RUSTFLAGS = ${env:RUSTFLAGS} + ' --cfg getrandom_backend="wasm_js"'
 
-  Invoke-LoggedCommand "cargo clippy --target=wasm32-unknown-unknown --workspace --keep-going --no-deps"
+  Invoke-LoggedCommand "cargo clippy --target=wasm32-unknown-unknown --workspace --keep-going --no-deps" -GroupOutput
 
   # Restore the original RUSTFLAGS, since the getrandom config option can only be set for wasm32-unknown-unknown builds.
   $env:RUSTFLAGS = $OriginalRustFlags
 }
 
 if ($Deny) {
-  Invoke-LoggedCommand "cargo deny --all-features check"
+  Invoke-LoggedCommand "cargo deny --all-features check" -GroupOutput
 }
 
-Invoke-LoggedCommand "cargo doc --workspace --no-deps --all-features"
+Invoke-LoggedCommand "cargo doc --workspace --no-deps --all-features" -GroupOutput
 
 # Verify package dependencies
 $verifyDependenciesScript = Join-Path $RepoRoot 'eng' 'scripts' 'verify-dependencies.rs' -Resolve
 
 if (!$SkipPackageAnalysis) {
   if (!(Test-Path $PackageInfoDirectory)) {
     Write-Host "Analyzing workspace`n"
-    return Invoke-LoggedCommand "&$verifyDependenciesScript $RepoRoot/Cargo.toml"
+    return Invoke-LoggedCommand "&$verifyDependenciesScript $RepoRoot/Cargo.toml" -GroupOutput
   }
 
   if ($Toolchain -eq 'nightly') {
-    Invoke-LoggedCommand "cargo install --locked cargo-docs-rs"
+    Invoke-LoggedCommand "cargo install --locked cargo-docs-rs" -GroupOutput
   }
 
   $packagesToTest = Get-ChildItem $PackageInfoDirectory -Filter "*.json" -Recurse
@@ -71,10 +77,10 @@ if (!$SkipPackageAnalysis) {
 
   foreach ($package in $packagesToTest) {
     Write-Host "Analyzing package '$($package.Name)' in directory '$($package.DirectoryPath)'`n"
-    Invoke-LoggedCommand "&$verifyDependenciesScript $($package.DirectoryPath)/Cargo.toml"
+    Invoke-LoggedCommand "&$verifyDependenciesScript $($package.DirectoryPath)/Cargo.toml" -GroupOutput
 
     if ($Toolchain -eq 'nightly') {
-      Invoke-LoggedCommand "cargo +nightly docs-rs --package $($package.Name)"
+      Invoke-LoggedCommand "cargo +nightly docs-rs --package $($package.Name)" -GroupOutput
     }
   }
 }

eng/scripts/Test-Semver.ps1

@@ -43,17 +43,9 @@ function Get-OutputPackageNames($workspacePackages) {
 $packages = Get-CargoPackages
 $outputPackageNames = Get-OutputPackageNames $packages
 
-# Read version from cgmanifest.json. If ignored the currently installed or
-# "latest" version is used.
 $versionParams = @()
 if (!$IgnoreCgManifestVersion) {
-  $versionParams += '--version'
-  $cgManifest = Get-Content ([System.IO.Path]::Combine($PSScriptRoot, '..', 'cgmanifest.json')) `
-  | ConvertFrom-Json
-  $versionParams += $cgManifest.
-  registrations.
-  Where({ $_.component.type -eq 'cargo' -and $_.component.cargo.name -eq 'cargo-semver-checks' }).
-  component.cargo.version
+  $versionParams = Get-VersionParamsFromCgManifest cargo-semver-checks
 }
 
 LogGroupStart "cargo install cargo-semver-checks --locked $($versionParams -join ' ')"

eng/scripts/shared/Cargo.ps1

@@ -31,3 +31,25 @@ function Get-PackageNamesFromPackageInfo($packageInfoDirectory) {
 
   return $names
 }
+
+function Get-VersionParamsFromCgManifest(
+  $packageName,
+  $cgManifestPath = ([System.IO.Path]::Combine($PSScriptRoot, '..', '..', 'cgmanifest.json'))
+) {
+  $cgManifest = Get-Content $cgManifestPath `
+  | ConvertFrom-Json
+  $versions = $cgManifest.
+  registrations.
+  Where({ $_.component.type -eq 'cargo' -and $_.component.cargo.name -eq $packageName }).
+  component.cargo.version
+
+  if (!$versions) {
+    Write-Error "No versions found for package '$packageName' in cgmanifest.json"
+  }
+
+  if ($versions -is [Array] -and $versions.Count -ne 1) {
+    Write-Error "Multiple versions found for package '$packageName' in cgmanifest.json"
+  }
+
+  return @('--version', $versions)
+}