- [x] `sccache` bug preventing interop: https://github.com/mozilla/sccache/pull/1280
- [x] Binary scanning MVP in `cargo audit`: https://github.com/rustsec/rustsec/pull/635
- [x] Ship a `cargo auditable` release with binary scanning: https://github.com/rustsec/rustsec/pull/709
- [x] JSON schema: #72
- [x] Better docs on consuming the format: https://github.com/rust-secure-code/cargo-auditable/issues/74
- [x] GHSA fixing their non-compliance with the OSV spec so that scanning with Trivy doesn't result in an avalanche of false positives: https://github.com/github/advisory-database/issues/470
- [x] Update documentation on `auditable-extract` and `auditable-serde` to point to the high-level wrapper crate `auditable-info`
- [x] Wait for GHSA-exported OSV data to be regenerated: https://github.com/github/advisory-database/issues/470#issuecomment-1248551548
- [ ] Confirm that Trivy does in fact support the `last_affected` field from OSV 1.3 and consumes GHSA OSV advisories without false positives
- [x] Get confirmation from @tofay that the entire pipeline works properly, and that it's validated in prod
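The two GHSA items above hinge on one detail of the OSV schema: a `SEMVER` range is a list of events (`introduced`, `fixed`, and, since OSV 1.3, `last_affected`; `limit` is reserved for `GIT` ranges), and a scanner that does not understand `last_affected` drops it and treats the range as open-ended, which is where the false positives come from. The following is an added example, not code from cargo-auditable, rustsec or Trivy: a minimal evaluator for such ranges, with a switch that models a scanner ignoring `last_affected`. Versions are simplified to `MAJOR.MINOR.PATCH` with no pre-release handling, and the advisory in `main` is constructed for illustration.

```rust
// Added example (not cargo-auditable, rustsec or Trivy code): evaluate an OSV
// SEMVER range against a version, with and without `last_affected` support.
// Simplification: versions are MAJOR.MINOR.PATCH only, no pre-release tags.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Ver(pub u64, pub u64, pub u64);

/// Parse "1.2.3". OSV uses the bare string "0" for "since the first version".
pub fn parse_ver(s: &str) -> Option<Ver> {
    if s == "0" {
        return Some(Ver(0, 0, 0));
    }
    let parts: Option<Vec<u64>> = s.split('.').map(|p| p.parse().ok()).collect();
    match parts?.as_slice() {
        [a, b, c] => Some(Ver(*a, *b, *c)),
        _ => None,
    }
}

/// Range events the OSV schema allows for SEMVER ranges.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Event {
    Introduced(Ver),
    Fixed(Ver),
    LastAffected(Ver),
}

impl Event {
    fn ver(&self) -> Ver {
        match *self {
            Event::Introduced(v) | Event::Fixed(v) | Event::LastAffected(v) => v,
        }
    }
    // Tie-break for events at the same version: introduced, then last_affected, then fixed.
    fn rank(&self) -> u8 {
        match self {
            Event::Introduced(_) => 0,
            Event::LastAffected(_) => 1,
            Event::Fixed(_) => 2,
        }
    }
}

/// Map one `{"<key>": "<value>"}` event object onto `Event`.
/// `limit` is rejected on purpose: the spec reserves it for GIT ranges.
pub fn parse_event(key: &str, value: &str) -> Option<Event> {
    let v = parse_ver(value)?;
    match key {
        "introduced" => Some(Event::Introduced(v)),
        "fixed" => Some(Event::Fixed(v)),
        "last_affected" => Some(Event::LastAffected(v)),
        _ => None,
    }
}

/// Walk the events in version order; the last event at or below `v` decides.
/// `introduced` opens the affected interval, `fixed` closes it exclusively,
/// `last_affected` closes it inclusively. With `honor_last_affected = false`
/// the closing event is dropped, as an older scanner would do, and every
/// version after `introduced` is reported as vulnerable.
pub fn is_affected(events: &[Event], v: Ver, honor_last_affected: bool) -> bool {
    let mut sorted = events.to_vec();
    sorted.sort_by(|a, b| a.ver().cmp(&b.ver()).then_with(|| a.rank().cmp(&b.rank())));
    let mut affected = false;
    for e in sorted {
        match e {
            Event::Introduced(x) if v >= x => affected = true,
            Event::Fixed(x) if v >= x => affected = false,
            Event::LastAffected(x) if honor_last_affected && v > x => affected = false,
            _ => {}
        }
    }
    affected
}

fn main() {
    // Constructed advisory in the spec-compliant OSV 1.3 form: affected from the
    // first release up to and including 1.2.3, with no fixed release yet.
    let raw = [("introduced", "0"), ("last_affected", "1.2.3")];
    let events: Vec<Event> = raw.iter().filter_map(|&(k, v)| parse_event(k, v)).collect();
    for s in ["1.2.3", "1.3.0"].iter() {
        let v = parse_ver(s).unwrap();
        println!(
            "{}: compliant scanner={}  scanner ignoring last_affected={}",
            s,
            is_affected(&events, v, true),
            is_affected(&events, v, false)
        );
    }
}
```

Run it and the second line shows the failure mode the checklist is tracking: a version past `last_affected` is clean under the spec but flagged by a scanner that never learned the event. Rejecting `limit` in `parse_event` is the stricter choice; a real consumer may prefer to log and skip such advisories rather than drop them silently.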