in src/main.rs [1597:1674]
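/// Record a `violation` audit for `sub_args.package` in the local audits
/// store and commit it.
///
/// The audit's `who` comes from `--who` when given, otherwise from
/// `get_user_info()` formatted as `username <email>`. `criteria` falls back
/// to the store's `default_criteria` when none were passed on the command
/// line.
///
/// Unless `--force` is set, the package must be one of the foreign packages
/// of the current metadata. That check is the only guard against recording a
/// violation for a mistyped or otherwise unknown crate name; `--force`
/// bypasses it entirely. The version requirement in `sub_args.versions` is
/// stored as-is and is NOT validated here (see the FIXME below).
///
/// # Errors
/// Returns an error if the store cannot be acquired or committed, if user
/// info cannot be determined (only when `--who` is empty), or if the package
/// is not a foreign package and `--force` was not given.
fn cmd_record_violation(
    out: &Arc<dyn Out>,
    cfg: &Config,
    sub_args: &RecordViolationArgs,
) -> Result<(), miette::Report> {
    // Mark a package as a violation. `acquire_offline` presumably takes the
    // store without touching the network — confirm against Store.
    let mut store = Store::acquire_offline(cfg)?;
    let kind = AuditKind::Violation {
        violation: sub_args.versions.clone(),
    };

    // Attribution for the audit entry. Only the spanned `who` list is
    // stored; the joined username string the old tuple produced was unused
    // and has been dropped.
    let who = if sub_args.who.is_empty() {
        let user_info = get_user_info()?;
        vec![Spanned::from(format!(
            "{} <{}>",
            user_info.username, user_info.email
        ))]
    } else {
        sub_args
            .who
            .iter()
            .map(|w| Spanned::from(w.clone()))
            .collect()
    };

    let notes = sub_args.notes.clone();

    let criteria = if sub_args.criteria.is_empty() {
        // TODO: provide an interactive prompt for this
        vec![store.config.default_criteria.clone().into()]
    } else {
        sub_args
            .criteria
            .iter()
            .map(|s| s.to_owned().into())
            .collect()
    };

    // FIXME: can/should we check if the version makes sense..?
    // NOTE(review): nothing validates `sub_args.versions` against the
    // package's published versions, so a typo'd requirement is recorded
    // silently.
    if !sub_args.force
        && !foreign_packages(&cfg.metadata, &store.config).any(|pkg| pkg.name == sub_args.package)
    {
        // ERRORS: immediate fatal diagnostic? should we allow you to forbid random packages?
        // You're definitely *allowed* to have unused audits, otherwise you'd be constantly deleting
        // useful audits whenever you update your dependencies! But this is a useful guard
        // against typosquatting or other weird issues, so it stays on unless `--force` is given.
        return Err(miette!(
            "'{}' isn't one of your foreign packages",
            sub_args.package
        ));
    }

    // Ok! Ready to commit the audit!
    let new_entry = AuditEntry {
        kind,
        criteria,
        who,
        importable: true,
        notes,
        aggregated_from: vec![],
        is_fresh_import: false,
    };
    store
        .audits
        .audits
        .entry(sub_args.package.clone())
        .or_default()
        .push(new_entry);

    // Persist the updated audits file; `commit` presumably writes it to disk.
    store.commit()?;

    writeln!(out, "If you've identified a security vulnerability in {} please report it at https://github.com/rustsec/advisory-db#reporting-vulnerabilities", sub_args.package);
    Ok(())
}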