ci: Add cargo audit CI action

[Jefffrey]

Which issue does this PR close?

Closes #57

Rationale for this change

Audit dependencies for security vulns

What changes are included in this PR?

Use audit-check action in new CI step

Are there any user-facing changes?

[tustvold]

Why not run this for pull requests?

[Jefffrey]

You mean to always run on PRs regardless of if they modified Cargo.toml files? My line of thinking was that only PRs that affect the dependencies should have this check run, to prevent an unrelated PR potentially being blocked.

[tustvold]

Aah I see, perhaps we could also run on PRs that modify the CI configuration for this check. I mainly want to see this check running on this PR before I merge it 😅

[Jefffrey]

Yeah that's fair enough

I went and made some minor updates to descriptions in csv and json crate, hope that's fine

Looks like CI check indeed failed to startup, might have to include the steps to run cargo audit manually instead of relying on existing action from rustsec 🤔

Error: .github#L1
rustsec/[email protected] is not allowed to be used in apache/arrow-rs. Actions in this workflow must be:
within a repository owned by apache, created by GitHub, verified in the GitHub Marketplace, or matching the
following: */*@[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]+, AdoptOpenJDK/install-jdk@*,
JamesIves/github-pages-deploy-action@5dc1d5a192aeb5ab5b7d5a77b7d36aea4a7f5c92, TobKed/label-when-approved-action@*,
actions-cool/issues-helper@*, actions-rs/*, al-cheb/configure-pagefile-action@*, amannn/action-semantic-pull-request@*,
apache/*, burrunan/gradle-cache-action@*, bytedeco/javacpp-presets/.github/actions/*, chromaui/action@*,
codecov/codecov-action@*, conda-incubator/setup-miniconda@*, container-tools/kind-action@*,
container-tools/microshift-action@*, dawidd6/action-download-artifact@*, delaguardo/setup-graalvm@*,
docker://jekyll/jekyll:*, docker://pandoc/core:2.9, eps1lon/actions-label-merge-conflict@*, gaurav-nelson/github-action-markdown-link-check@*,
gol...

[Jefffrey]

Example run with a dependency with vulnerability:

Run audit check step:

Run cargo audit
    Updating crates.io index
    Fetching advisory database from `[https://github.com/RustSec/advisory-db.git`](https://github.com/RustSec/advisory-db.git%60)
      Loaded 580 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (353 crate dependencies)
error: 1 vulnerability found!
Crate:     cocoon
Version:   0.3.3
Title:     Sequential calls of encryption API (`encrypt`, `wrap`, and `dump`) result in nonce reuse
Date:      2023-10-15
ID:        RUSTSEC-2023-0068
URL:       https://rustsec.org/advisories/RUSTSEC-2023-0068
Severity:  4.5 (medium)
Solution:  Upgrade to >=0.4.0
Dependency tree:
cocoon 0.3.3
└── arrow-csv 49.0.0
    ├── parquet 49.0.0
    │   ├── parquet_derive_test 49.0.0
    │   └── parquet_derive 49.0.0
    │       └── parquet_derive_test 49.0.0
    └── arrow 49.0.0
        ├── parquet 49.0.0
        ├── arrow-integration-testing 49.0.0
        └── arrow-integration-test 49.0.0
            └── arrow-integration-testing 49.0.0

Error: Process completed with exit code 1.

• https://github.com/apache/arrow-rs/actions/runs/7113685561/job/19366158937?pr=5160

Subsequently fails.

[Jefffrey]

Example of a clean run:

Run cargo audit
    Updating crates.io index
    Fetching advisory database from `[https://github.com/RustSec/advisory-db.git`](https://github.com/RustSec/advisory-db.git%60)
      Loaded 580 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (327 crate dependencies)

• https://github.com/apache/arrow-rs/actions/runs/7113723615/job/19366270881?pr=5160

[tustvold]

Looks good to me

[alamb]

I think this wins the prize for lowest ticket number closed in a long time 🏆