Switch off cargo audit

tests/integration_tests/security/test_sec_audit.py

@@ -6,11 +6,11 @@
 
 import pytest
 
+from framework import utils
 from framework.ab_test import (
     git_ab_test_host_command_if_pr,
     set_did_not_grow_comparator,
 )
-from framework.utils import CommandReturn
 from framework.utils_cpuid import CpuVendor, get_cpu_vendor
 
 
@@ -23,19 +23,35 @@ def test_cargo_audit():
     Run cargo audit to check for crates with security vulnerabilities.
     """
 
-    def set_of_vulnerabilities(output: CommandReturn):
-        output = json.loads(output.stdout)
-
-        return set(
-            frozenset(vulnerability)
-            for vulnerability in output["vulnerabilities"]["list"]
-        ).union(
-            frozenset(warning)
-            for warning_kind, warnings in output["warnings"].items()
-            for warning in warnings
-        )
+    def set_of_vulnerabilities(output: utils.CommandReturn):
+        # The `stdout` will contain one `json` payload per line
+        findings = set()
+        for line in output.stderr.splitlines():
+            line = line.strip()
+            if not line:
+                continue
+            entry = json.loads(line)
+            # There is also `summary` type, which is of not interest for us
+            if entry["type"] != "diagnostic":
+                continue
+            fields = entry["fields"]
+            advisory = fields.get("advisory") or {}
+            # Identify a finding by its code, advisory id and affected crate;
+            # Findings without an advisory (e.g. yanked crates) fall back to
+            # the crate from the dependency graph.
+            krate = (fields.get("graphs") or [{}])[0].get("Krate", {})
+            findings.add(
+                (
+                    fields.get("code"),
+                    advisory.get("id"),
+                    advisory.get("package") or krate.get("name"),
+                )
+            )
+        return findings
+
+    utils.run_cmd("cargo install --locked cargo-deny --debug")
 
     git_ab_test_host_command_if_pr(
-        "cargo install --locked cargo-audit && cargo audit --deny warnings -q --json",
+        "cargo deny --all-features -f json check advisories",
         comparator=set_did_not_grow_comparator(set_of_vulnerabilities),
     )