Cargo audit false positives for optional dependencies pulled in by disabled features. #1119
Open
Description
I'll give a minimal example here.
In my toml I have sqlx:

```toml
sqlx = { version = "0.7", default-features = false, features = [
    "macros",
    "runtime-tokio-native-tls",
    "migrate",
    "postgres",
    "chrono",
] }
```

Checking my actual dependencies with cargo tree reveals:
```console
$ cargo tree | grep sql
│ ├── sqlx-core v0.7.3
│ │ ├── sqlformat v0.2.3
├── sqlx v0.7.3
│ ├── sqlx-core v0.7.3 (*)
│ ├── sqlx-macros v0.7.3 (proc-macro)
│ │ ├── sqlx-core v0.7.3
│ │ │ ├── sqlformat v0.2.3 (*)
│ │ ├── sqlx-macros-core v0.7.3
│ │ │ ├── sqlx-core v0.7.3 (*)
│ │ │ ├── sqlx-postgres v0.7.3
│ │ │ │ ├── sqlx-core v0.7.3 (*)
│ └── sqlx-postgres v0.7.3
│ ├── sqlx-core v0.7.3 (*)
```
And yet I still get the error:

```text
Crate:     rsa
Version:   0.9.6
Title:     Marvin Attack: potential key recovery through timing sidechannels
Date:      2023-11-22
ID:        RUSTSEC-2023-0071
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0071
Severity:  5.9 (medium)
Solution:  No fixed upgrade is available!
Dependency tree:
rsa 0.9.6
└── sqlx-mysql 0.7.3
    ├── sqlx-macros-core 0.7.3
    │   └── sqlx-macros 0.7.3
    │       └── sqlx 0.7.3
    │           └── signup-sequencer 2.0.0
    └── sqlx 0.7.3
```
I understand this is due to cargo-audit simply scanning the lock file, but I imagine if cargo tree is smart enough to omit these deps then the same should be possible in cargo-audit. Let me know what you think!
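A small triage helper, added here as an example and not part of the report or of cargo-audit itself: it checks whether the advised crate at the top of cargo-audit's `Dependency tree:` block appears anywhere in the feature-resolved `cargo tree` output, and shows where along the reported path the disabled feature cuts the chain. The embedded samples are the two listings from the report (the cargo tree one is grep-filtered, so in real use feed it the full `cargo tree --prefix none` output for the same features and target).

```python
import re
from typing import List, Set, Tuple

Pkg = Tuple[str, str]  # (crate name, version)
# `cargo tree` prints "name vX.Y.Z"; cargo-audit's Dependency tree prints "name X.Y.Z".
PKG_RE = re.compile(r"([A-Za-z0-9_-]+) v?(\d+\.\d+\.\d+\S*)")

# Constructed sample: the feature-resolved `cargo tree | grep sql` output from the report.
CARGO_TREE = """\
│ ├── sqlx-core v0.7.3
│ │ ├── sqlformat v0.2.3
├── sqlx v0.7.3
│ ├── sqlx-core v0.7.3 (*)
│ ├── sqlx-macros v0.7.3 (proc-macro)
│ │ ├── sqlx-core v0.7.3
│ │ │ ├── sqlformat v0.2.3 (*)
│ │ ├── sqlx-macros-core v0.7.3
│ │ │ ├── sqlx-core v0.7.3 (*)
│ │ │ ├── sqlx-postgres v0.7.3
│ │ │ │ ├── sqlx-core v0.7.3 (*)
│ └── sqlx-postgres v0.7.3
│ ├── sqlx-core v0.7.3 (*)
"""
# Constructed sample: the "Dependency tree:" block cargo-audit printed for RUSTSEC-2023-0071.
AUDIT_TREE = """\
rsa 0.9.6
└── sqlx-mysql 0.7.3
    ├── sqlx-macros-core 0.7.3
    │   └── sqlx-macros 0.7.3
    │       └── sqlx 0.7.3
    │           └── signup-sequencer 2.0.0
    └── sqlx 0.7.3
"""

def packages(tree_text: str) -> List[Pkg]:
    """Every (crate, version) named in a tree listing, in order, duplicates kept."""
    return [(m.group(1), m.group(2)) for line in tree_text.splitlines() if (m := PKG_RE.search(line))]

def is_lockfile_only(audit_tree: str, cargo_tree: str) -> bool:
    """True when the advised crate (first line of the audit tree) is missing from the build graph."""
    return packages(audit_tree)[0] not in set(packages(cargo_tree))

def path_status(audit_tree: str, cargo_tree: str) -> List[Tuple[Pkg, bool]]:
    """Each crate on the advisory's path, paired with whether the build graph contains it."""
    built: Set[Pkg] = set(packages(cargo_tree))
    return [(p, p in built) for p in dict.fromkeys(packages(audit_tree))]

if __name__ == "__main__":
    print("lockfile-only finding:", is_lockfile_only(AUDIT_TREE, CARGO_TREE))
    for (name, ver), present in path_status(AUDIT_TREE, CARGO_TREE):
        print(("built  " if present else "absent ") + f"{name} {ver}")
```

A lockfile-only result narrows the finding for this build configuration only; the same Cargo.lock still ships the vulnerable version to anyone building with a different feature set, so it is a reason to deprioritise, not to ignore.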