| Version | Released |
|---|---|
| 0.3.2 (new) | Jul 26, 2021 |
| 0.2.2 | Jul 21, 2021 |
| 0.1.23 | Mar 2, 2021 |
| 0.1.17 | Dec 16, 2020 |
| 0.1.1 | Mar 27, 2019 |
cargo-pants is a Cargo subcommand that provides a bill of materials for a project and lists any vulnerabilities found in those dependencies, powered by Sonatype OSS Index.

Don't you check your pants for holes? Similarly, we think you should check your app's dependencies for vulnerabilities, and that's what `cargo-pants` does! We also provide a Bill of Materials, built by parsing your `Cargo.lock` file, so you can see all the dependencies you are using.

cargo-pants was built with Rust 1.49.0; you should likely start there.
cargo-pants is a Cargo subcommand, and can be installed using:

```sh
$ cargo install cargo-pants
```

Set the environment variable `OSS_INDEX_API_KEY` to authenticate requests with your key.

Once you have installed cargo-pants, you can run it like so:

```sh
$ cargo pants
```
```
cargo-pants 0.3.1
Glenn Mohre <firstname.lastname@example.org>
A library for auditing your cargo dependencies for vulnerabilities and checking your pants

USAGE:
    cargo pants [FLAGS] [OPTIONS]

FLAGS:
    -h, --help        Prints help information
        --dev         A flag to include dev dependencies
    -v, --verbose     Set the verbosity of the logger, more is more verbose, so -vvvv is more verbose than -v
    -d, --loud        Also show non-vulnerable dependencies
    -m, --no-color    Disable color output
    -V, --version     Prints version information

OPTIONS:
        --ossi-api-key <oss-index-api-key>    OSS Index API Key [env: OSS_INDEX_API_KEY]
    -s, --pants_style <pants-style>           Your pants style
        --tomlfile <toml-file>                The path to your Cargo.toml file [default: Cargo.toml]
```

`cargo pants` can be run in your build's context, or run separately.
We will also inform you of our opinions of your pants style choice:

```sh
$ cargo pants --pants_style JNCO
```

We are very serious about pants.

There are also two command line flags that affect the output further:

```sh
$ cargo pants --loud
```

This shows all non-vulnerable dependencies for a complete Bill of Materials.

```sh
$ cargo pants --no-color
```

This disables any coloring of the output.

If vulnerabilities are found, `cargo-pants` exits with status code 3 and prints the Bill of Materials along with the vulnerabilities found. If there are no issues, it exits with status code 0.
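As an added example (not part of the cargo-pants project), a small POSIX shell wrapper that maps these exit statuses to a CI decision, keeping "vulnerabilities found" distinct from "the audit itself broke" so a network or auth failure is never read as a clean run. The command to run is taken from the function's arguments so it can be exercised without cargo installed; `OSS_INDEX_API_KEY` is the variable documented above.

```sh
#!/usr/bin/env sh
# CI wrapper around `cargo pants` (added example, not part of the cargo-pants project).
# cargo-pants exits 3 when vulnerabilities are found and 0 when the dependency set is
# clean; any other status is treated here as a tool failure (auth, network, lock file
# parse error) so a broken audit is never mistaken for a clean one.
#
# The command to run is taken from the arguments so the wrapper can be exercised
# without cargo installed; with no arguments it runs the real tool.

# Returns 0 for a clean audit, 1 when vulnerable dependencies were reported,
# 2 when the audit itself failed and the result is unknown.
audit_deps() {
    if [ "$#" -eq 0 ]; then
        # --no-color keeps CI logs free of escape codes; add --loud to log the full BOM.
        set -- cargo pants --no-color
    fi
    if [ -z "${OSS_INDEX_API_KEY:-}" ]; then
        echo "audit: OSS_INDEX_API_KEY is unset; OSS Index requests run unauthenticated" >&2
    fi
    # Capture the status in a form that also works when the caller has `set -e` on.
    "$@" && status=0 || status=$?
    case "$status" in
        0) echo "audit: no known vulnerabilities in dependencies" >&2; return 0 ;;
        3) echo "audit: vulnerable dependencies reported (cargo-pants exit status 3)" >&2; return 1 ;;
        *) echo "audit: cargo-pants failed with status $status; audit result unknown" >&2; return 2 ;;
    esac
}
```

In a CI job, source this file and call `audit_deps` with no arguments; a return of 1 fails the job for vulnerabilities while 2 flags a broken audit that needs a human look.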
More TBD, but experimental usage for Nexus IQ Server now exists:

```
cargo-iq 0.3.1
Glenn Mohre <email@example.com>
A library for auditing your cargo dependencies for vulnerabilities and checking your pants

USAGE:
    cargo iq [FLAGS] [OPTIONS] --iq-application <application>

FLAGS:
    -h, --help       Prints help information
        --dev        A flag to include dev dependencies
    -v, --verbose    Set the verbosity of the logger, more is more verbose, so -vvvv is more verbose than -v
    -V, --version    Prints version information

OPTIONS:
    -a, --iq-application <application>    Specify Nexus IQ public application ID for request
    -t, --iq-attempts <attempts>          Specify Nexus IQ attempts in seconds [default: 60]
    -x, --iq-server-url <server-url>      Specify Nexus IQ server url for request [default: http://localhost:8070]
    -s, --iq-stage <stage>                Specify Nexus IQ stage for request [default: develop]
    -k, --iq-token <token>                Specify Nexus IQ token for request [env: TOKEN=] [default: admin123]
        --tomlfile <toml-file>            The path to your Cargo.toml file [default: Cargo.toml]
    -l, --iq-username <username>          Specify Nexus IQ username for request [default: admin]
```
Like `cargo audit` but with more pants: you can run `cargo pants` on your builds on Travis CI using this example config:

```yaml
language: rust
before_script:
  - cargo install --force cargo-pants
script:
  - cargo pants
```
We use CircleCI to build this project. See our CircleCI config: .circleci/config.yml for how we use cargo-pants in our CI build. This file is also a good reference for a number of useful cargo commands.
We care a lot about making the world a safer place, and that's why we created cargo-pants. If you as well want to speed up the pace of software development by working on this project, jump on in! Before you start work, create a new issue, or comment on an existing issue, to let others know you are!

The code for cargo-pants was largely written by Glenn Mohre, and we want to give ultimate thanks, kudos, congratulations to Glenn for contributing this to the community. Open Source is awesome, and you help make it better!

cargo-pants was influenced by cargo-audit, and we acknowledge we stand on the shoulders of giants.

You can run your local changes without installing the package via:

```sh
cargo run pants
cargo run iq --iq-application sandbox-application
```
Use the commands below to build and install the package locally:

```sh
cargo build --all --all-targets
cargo install cargo-pants --force --path .
```

The Continuous Integration build will automatically perform a new release with every commit to the `main` branch. To skip performing a release from `main`, be sure your commit message includes:
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
- Use this contribution at the risk tolerance that you have
- Do NOT file Sonatype support tickets related to cargo-pants support in regard to this project
- DO file issues here on GitHub, so that the community can pitch in
Phew, that was easier than I thought. Last but not least of all: have fun creating and using cargo-pants and the Sonatype OSS Index; we are glad to have you here!

Looking to contribute to our code but need some help? There are a few ways to get information:
- Chat with us on Gitter