From b1eade9de9f04fec2b7a8882c5b572abc4d3300b Mon Sep 17 00:00:00 2001 From: Egor Lazarchuk Date: Tue, 30 Jun 2026 14:36:33 +0100 Subject: [PATCH 1/2] ci: switch audit test from using cargo-audit to cargo-deny `cargo-audit` goes through all crates in the Cargo.lock which includes crate which are pulled as transitive dependencies of some crates but not used in any of our binaries. Switching to `crago-deny` fixes this since it only checks crates which are a part of our dependencies tree for our binaries. Similar to `cargo-audit`, we need to install `cargo-deny` each time to avoid a possibility of it breaking if advisory database suddenly updates the format it uses. But for the sake of speed, we now install with `--debug` flag to install debug binary (install in this case means "compile"). This saves time and does not affect the result. `cargo-audit` is also used in other places (like license checks), but it is fine to only "install" it again here. Everywhere else we can use version installed in the docker image, even if it can be out of date. Signed-off-by: Egor Lazarchuk --- .../security/test_sec_audit.py | 42 +++++++++++++------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/tests/integration_tests/security/test_sec_audit.py b/tests/integration_tests/security/test_sec_audit.py index c11e5a18447..b7681e6ba40 100644 --- a/tests/integration_tests/security/test_sec_audit.py +++ b/tests/integration_tests/security/test_sec_audit.py @@ -6,11 +6,11 @@ import pytest +from framework import utils from framework.ab_test import ( git_ab_test_host_command_if_pr, set_did_not_grow_comparator, ) -from framework.utils import CommandReturn from framework.utils_cpuid import CpuVendor, get_cpu_vendor 
@@ -23,19 +23,35 @@ def test_cargo_audit(): Run cargo audit to check for crates with security vulnerabilities. """ - def set_of_vulnerabilities(output: CommandReturn): - output = json.loads(output.stdout) - - return set( - frozenset(vulnerability) - for vulnerability in output["vulnerabilities"]["list"] - ).union( - frozenset(warning) - for warning_kind, warnings in output["warnings"].items() - for warning in warnings - ) + def set_of_vulnerabilities(output: utils.CommandReturn): + # The `stdout` will contain one `json` payload per line + findings = set() + for line in output.stderr.splitlines(): + line = line.strip() + if not line: + continue + entry = json.loads(line) + # There is also `summary` type, which is of not interest for us + if entry["type"] != "diagnostic": + continue + fields = entry["fields"] + advisory = fields.get("advisory") or {} + # Identify a finding by its code, advisory id and affected crate; + # Findings without an advisory (e.g. yanked crates) fall back to + # the crate from the dependency graph. + krate = (fields.get("graphs") or [{}])[0].get("Krate", {}) + findings.add( + ( + fields.get("code"), + advisory.get("id"), + advisory.get("package") or krate.get("name"), + ) + ) + return findings + + utils.run_cmd("cargo install --locked cargo-deny --debug") git_ab_test_host_command_if_pr( - "cargo install --locked cargo-audit && cargo audit --deny warnings -q --json", + "cargo deny --all-features -f json check advisories", comparator=set_did_not_grow_comparator(set_of_vulnerabilities), ) From 79b992308a5cc0b3cfedddd66789a248c03143c5 Mon Sep 17 00:00:00 2001 From: Egor Lazarchuk Date: Tue, 30 Jun 2026 14:53:24 +0100 Subject: [PATCH 2/2] cI: remove .cargo/audit.toml Both ignores are not applicable anymore: - `gdbstub` moved from `paste` https://github.com/daniel5151/gdbstub/issues/168 - `uuid` we have is `1.23.2` version 
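Review bot: The comment at the top of `set_of_vulnerabilities` says the JSON payloads arrive on `stdout`, but the loop reads `output.stderr.splitlines()`; cargo-deny does emit its `-f json` diagnostics on stderr, so the code looks right and the comment should read `# cargo-deny writes one JSON object per line to stderr`. The finding key `(code, advisory id, package)` omits the resolved crate version, so a second vulnerable or yanked version of a crate that already has an entry would not count as growth for `set_did_not_grow_comparator`; the `Krate` entry in `graphs` appears to carry a `version` field, so adding `krate.get("version")` to the tuple would close that gap. `utils.run_cmd("cargo install --locked cargo-deny --debug")` builds whatever cargo-deny version crates.io currently serves, a trade-off the commit message makes deliberately to follow advisory-db format changes; a one-line comment stating that next to the `run_cmd` call would stop a future reader from pinning it. The docstring still reads `Run cargo audit to check for crates with security vulnerabilities.` and should mention cargo-deny; the enclosing `test_cargo_audit` signature sits above the hunk.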
Signed-off-by: Egor Lazarchuk --- .cargo/audit.toml | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 .cargo/audit.toml diff --git a/.cargo/audit.toml b/.cargo/audit.toml deleted file mode 100644 index d19582cc46a..00000000000 --- a/.cargo/audit.toml +++ /dev/null @@ -1,18 +0,0 @@ -[advisories] -ignore = [ - # The `paste` dependency is transitively included via `gdbstub`. - # While the crate is archived/unmaintained, the author considers it feature-complete - # and functionally stable. gdbstub will be update once they migrate - # to an alternative solution. - # See https://github.com/daniel5151/gdbstub/issues/168 - "RUSTSEC-2024-0436", - - # `rand` unsoundness when a custom logger re-enters `rand::rng()`/`thread_rng()` - # during ThreadRng reseeding. Firecracker is not affected: - # - uuid (1.23.0): does not enable `fast-rng` or `rng-rand` features, so it uses - # `getrandom` directly and never calls into rand. - # - proptest: uses rand 0.9 with `default-features = false` and does not enable - # the `thread_rng` feature, so the affected functions are not compiled in. - # See https://rustsec.org/advisories/RUSTSEC-2026-0097.html - "RUSTSEC-2026-0097", -]