
Update Rust crate cargo-audit to 0.18 #90

Merged: 1 commit merged into master from renovate/cargo-audit-0.x on Aug 31, 2023

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Aug 31, 2023

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| cargo-audit (source) | dev-dependencies | minor | 0.17 -> 0.18 |

Release Notes

RustSec/rustsec (cargo-audit)

v0.18.0

Added
  • Implement proper attribution for advisories licensed under CC-BY (#955)
  • cargo audit bin no longer shows warnings not applicable to the binary type (e.g. no more reports of Windows-only unsoundness in ELF binaries). Previously this was implemented for vulnerabilities, but not warnings. (#964)
Changed
  • Upgraded to rustsec v0.28, bringing performance, security and compatibility improvements, but also temporarily dropping support for CPU platforms other than x86 and ARM. See the rustsec changelog for details.

v0.17.6

Added
  • Upgraded to cargo-lock v9.0.0, which enables support for sparse registries.
  • When scanning binary files, the binary's platform is taken into account. This prevents scenarios such as Windows-only vulnerabilities being reported on Linux binaries (#814)
Fixed
  • Advisories about cargo audit itself are no longer printed multiple times when scanning multiple files (#848)

v0.17.5

Added
  • Vulnerability severity is now included in the cargo audit output, if known (#825)
Changed
  • Advisories marked informational = unsound are now reported by default, but only as warnings (#819). They do not cause the audit to fail, i.e. the exit code of the process is still 0. This behavior can be suppressed through the configuration file.
Fixed
  • The help text now correctly refers to the command as cargo audit instead of cargo audit audit (#824)
  • The --version argument now works correctly, reporting the current version (#838)

v0.17.4

Fixed
  • Checks for yanked crates were broken since 0.17.0. This release restores them and adds tests to prevent future regressions.
Changed
  • Binary scanning is enabled by default and documented as such. It can still be disabled by disabling the binary-scanning feature.

v0.17.3

Added
  • cargo audit bin now attempts to detect dependencies in binaries not built with cargo auditable by parsing the panic messages (#729). This only detects about a half of the dependency list and never detects C code such as OpenSSL, but works on any Rust binaries built with cargo.
  • Added integration tests for the --deny=warnings flag.
Fixed
  • cargo audit bin --deny=warnings no longer exits after finding the first binary with warnings.
Changed
  • Up to 5x faster cargo audit bin when scanning multiple files thanks to caching crates.io index lookups (implemented in rustsec crate).
  • Notices about cargo audit or rustsec will now result in a scanning error being reported (exit code 2) as opposed to reporting them as vulnerabilities in the scanned binary (exit code 1). They are treated as warnings by default, so --deny=warnings is required to observe the new behavior.
  • The binary-scanning feature that adds the cargo audit bin subcommand is now enabled by default, but is not documented as such.

v0.17.2

Changed
  • Fixed the screenshot URL in README.md

v0.17.1

Added

Configuration

📅 Schedule: Branch creation - "before 5am" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
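One way to act on the exit-code contract described in the release notes above (exit 0 for a clean scan or warnings only, 1 for vulnerabilities or for warnings under --deny=warnings, 2 for a scan error, including notices about cargo-audit itself under --deny=warnings) from a CI job. This is an added example, not part of this repository or of cargo-audit; the names gate_audit, classify_audit_exit, audit_args and the AUDIT_DENY_WARNINGS toggle are chosen here, and the command to run is passed in as arguments so the gate can be exercised with any program when cargo-audit is not installed.

```shell
#!/bin/sh
# Added example (not from the repository or from cargo-audit): a CI gate around
# `cargo audit` that acts on the exit codes the cargo-audit release notes describe
# for 0.17.3 and later:
#   0  no vulnerabilities (informational/unsound advisories are warnings only)
#   1  vulnerabilities found, or warnings when run with --deny=warnings
#   2  the scan itself failed (e.g. a notice about cargo-audit/rustsec under --deny=warnings)
# Assumptions: the command to run is taken from "$@" so the gate can be exercised
# with any program; AUDIT_DENY_WARNINGS is a hypothetical CI toggle, not a cargo-audit setting.

# Map an exit status to a short verdict the CI log can be grepped for.
classify_audit_exit() {
  case "$1" in
    0) printf 'clean\n' ;;
    1) printf 'vulnerable\n' ;;
    2) printf 'scan-error\n' ;;
    *) printf 'unknown(%s)\n' "$1" ;;
  esac
}

# Build the argument list for cargo. With AUDIT_DENY_WARNINGS=1 the informational
# (e.g. unsound) advisories, which are exit 0 by default, also fail the build.
audit_args() {
  if [ "${AUDIT_DENY_WARNINGS:-0}" = "1" ]; then
    printf '%s\n' "audit --deny=warnings"
  else
    printf '%s\n' "audit"
  fi
}

# Run the given command, print the verdict, and return a status for CI:
#   clean       -> 0
#   vulnerable  -> 1  (fail the build: an advisory applies to the dependency tree)
#   scan-error  -> 2  (fail, but as a tooling problem; do not record it as a vulnerability)
gate_audit() {
  "$@"
  rc=$?
  verdict=$(classify_audit_exit "$rc")
  printf 'cargo-audit verdict: %s\n' "$verdict"
  case "$verdict" in
    clean) return 0 ;;
    vulnerable) return 1 ;;
    scan-error) return 2 ;;
    *) return 3 ;;
  esac
}

# Usage in a CI step (requires cargo-audit to be installed); word splitting of
# $(audit_args) is intentional:
#   gate_audit cargo $(audit_args)
```

Keeping exit code 2 separate matters in practice: a failed advisory-database fetch or a notice about the scanner itself should page the build maintainers, not be logged as a vulnerability in the scanned crate.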

@renovate renovate bot added the B-renovate label Aug 31, 2023
@abdolence abdolence merged commit c371192 into master Aug 31, 2023
3 checks passed
@abdolence abdolence deleted the renovate/cargo-audit-0.x branch August 31, 2023 20:12